authorJeremy Allison <jra@samba.org>2012-09-26 16:58:58 -0700
committerJeremy Allison <jra@samba.org>2012-09-27 22:07:02 +0200
commit322e3d42f65dadabeccf8813fcb0e9b7d353ffb2 (patch)
treec97c8ae30e63413c30b80334301767e303365e21
parentb7822a55c40c5c42356b263c3d7bc1998fb1a7d3 (diff)
Fix bug #9209 - Parse of invalid SMB2 create blob can cause smbd crash.
Ensure we correctly protect against blobs with data_offset==0 and data_length != 0. Jeremy. Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Thu Sep 27 22:07:02 CEST 2012 on sn-devel-104
-rw-r--r--libcli/smb/smb2_create_blob.c5
1 files changed, 2 insertions, 3 deletions
diff --git a/libcli/smb/smb2_create_blob.c b/libcli/smb/smb2_create_blob.c
index 189bcd18ae..92387db953 100644
--- a/libcli/smb/smb2_create_blob.c
+++ b/libcli/smb/smb2_create_blob.c
@@ -66,9 +66,8 @@ NTSTATUS smb2_create_blob_parse(TALLOC_CTX *mem_ctx, const DATA_BLOB buffer,
name_offset + name_length > remaining ||
(data_offset & 0x7) != 0 ||
(data_offset && (data_offset < name_offset + name_length)) ||
- (data_offset && (data_offset > remaining)) ||
- (data_offset && data_length &&
- (data_offset + (uint64_t)data_length > remaining))) {
+ (data_offset > remaining) ||
+ (data_offset + (uint64_t)data_length > remaining)) {
return NT_STATUS_INVALID_PARAMETER;
}
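Review bot: The rewritten condition still accepts data_offset == 0 together with a non-zero data_length whenever data_length <= remaining, because the ordering check two lines up is still guarded by `data_offset &&`. In that case the described data range would presumably overlap the entry's own header and name instead of following them. If that combination is never valid for a create blob, reject it outright with `(data_offset == 0 && data_length != 0) ||`. If it is tolerated on purpose, a comment such as `/* data_offset == 0 is accepted; data_length is still bounded by remaining */` would record the intent for the next reader. The start of the `if` condition and the code that consumes data_offset and data_length lie outside the hunk, so how the range is used afterwards cannot be confirmed from here.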