static struct ea_list *read_ea_name_list(TALLOC_CTX *ctx, const char *pdata, size_t data_size)
{
struct ea_list *ea_list_head = NULL;
- size_t offset = 4;
+ size_t offset = 0;
while (offset + 2 < data_size) {
struct ea_list *tmp;
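Review bot: With `offset` now starting at 0, read_ea_name_list no longer skips the 4-byte list length itself, and nothing at the function states that callers must pass a pointer and size that already exclude it. A caller that still passes the raw request buffer would have the length field parsed as the first name entry. A comment above the function would make the contract explicit, for example `/* pdata/data_size cover the name entries only; the caller strips and validates the 4-byte list length. */`. The same comment is worth adding to read_ea_list, which gets the same change. The loop body continues outside the hunk.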
static struct ea_list *read_ea_list(TALLOC_CTX *ctx, const char *pdata, size_t data_size)
{
struct ea_list *ea_list_head = NULL;
- size_t offset = 4;
+ size_t offset = 0;
if (data_size < 10) {
return NULL;
}
- if (IVAL(pdata,0) > data_size) {
- DEBUG(10,("read_ea_list: bad total data size (%u) > %u\n", IVAL(pdata,0), (unsigned int)data_size));
- return NULL;
- }
-
/* Each entry must be at least 6 bytes in length. */
while (offset + 6 <= data_size) {
struct ea_list *tmp;
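Review bot: The retained `if (data_size < 10)` guard looks sized for the old layout, which was 4 bytes of list length plus one 6-byte minimum entry. Now that callers pass the buffer without the prefix, a list of 6 to 9 bytes is rejected here even though the loop condition `offset + 6 <= data_size` would accept it. The SMB_INFO_SET_EA caller's `total_data < 10` check lets such a request reach this point. This fails closed (the request is refused), so it appears to be a compatibility problem rather than a memory-safety one; if it is unintended, the guard would become `if (data_size < 6) {`. The loop body continues outside the hunk.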
if (info_level == SMB_FIND_EA_LIST) {
uint32 ea_size;
-
+
if (total_data < 4) {
return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
}
-
+
ea_size = IVAL(pdata,0);
if (ea_size != total_data) {
DEBUG(4,("call_trans2findfirst: Rejecting EA request with incorrect \
}
/* Pull out the list of names. */
- ea_list = read_ea_name_list(ea_ctx, pdata, ea_size);
+ ea_list = read_ea_name_list(ea_ctx, pdata + 4, ea_size - 4);
if (!ea_list) {
talloc_destroy(ea_ctx);
return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
if ((ea_ctx = talloc_init("findnext_ea_list")) == NULL) {
return ERROR_NT(NT_STATUS_NO_MEMORY);
}
-
+
/* Pull out the list of names. */
- ea_list = read_ea_name_list(ea_ctx, pdata, ea_size);
+ ea_list = read_ea_name_list(ea_ctx, pdata + 4, ea_size - 4);
if (!ea_list) {
talloc_destroy(ea_ctx);
return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
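Review bot: `ea_size - 4` at this call is presumably an unsigned subtraction, and no check that `ea_size` is at least 4 and consistent with `total_data` is visible in this hunk. In the SMB_FIND_EA_LIST branch of call_trans2findfirst, the `total_data < 4` and `ea_size != total_data` tests sit directly before the call. If the equivalent tests are missing or weaker on this path, a client-supplied `ea_size` below 4 would wrap to a very large `data_size`, and read_ea_name_list would walk past the end of the request buffer. It is worth confirming that both checks precede this call and the identical call in the following hunk; the enclosing blocks start outside both hunks.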
}
/* Pull out the list of names. */
- ea_list = read_ea_name_list(ea_ctx, pdata, ea_size);
+ ea_list = read_ea_name_list(ea_ctx, pdata + 4, ea_size - 4);
if (!ea_list) {
talloc_destroy(ea_ctx);
return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
case SMB_INFO_SET_EA:
{
struct ea_list *ea_list = NULL;
- TALLOC_CTX *ctx = talloc_init("SMB_INFO_SET_EA");
+ TALLOC_CTX *ctx = NULL;
+
+ if (total_data < 10) {
+ return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+ }
+
+ if (IVAL(pdata,0) > total_data) {
+ DEBUG(10,("call_trans2setfilepathinfo: bad total data size (%u) > %u\n",
+ IVAL(pdata,0), (unsigned int)total_data));
+ return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+ }
+
+ ctx = talloc_init("SMB_INFO_SET_EA");
if (!ctx) {
return ERROR_NT(NT_STATUS_NO_MEMORY);
}
- ea_list = read_ea_list(ctx, pdata, total_data);
+ ea_list = read_ea_list(ctx, pdata + 4, total_data - 4);
if (!ea_list) {
talloc_destroy(ctx);
return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
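Review bot: The declared list length `IVAL(pdata,0)` is checked only as an upper bound and then dropped: read_ea_list is given `total_data - 4`, so any bytes after the declared list are still parsed as EA entries. The SMB_FIND_EA_LIST path earlier in this diff rejects a request when `ea_size != total_data`, whereas this path accepts any declared length up to `total_data`, including values below 4. Either require equality here as well, or, if clients are known to send trailing padding, bound the declared length from below and parse only that much: `if (IVAL(pdata,0) < 10 || IVAL(pdata,0) > total_data)` followed by `read_ea_list(ctx, pdata + 4, IVAL(pdata,0) - 4)`. The case block continues outside the hunk.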