authorJeremy Allison <jra@samba.org>2003-10-16 20:44:43 +0000
committerJeremy Allison <jra@samba.org>2003-10-16 20:44:43 +0000
commit450bc69ab36aff1e3011beaacced84de1a57a72a (patch)
tree74bd868e5ba3be13f097dcd91395c24e62cd6711 /source3/smbd/trans2.c
parent3a9510acaed2d5e28b17934a2d110998232565e2 (diff)
Tidyup wrap checking.
Jeremy. (This used to be commit 41d1870a51c259f0cf17caf59928a3b38b21ea11)
Diffstat (limited to 'source3/smbd/trans2.c')
-rw-r--r--source3/smbd/trans2.c16
1 files changed, 12 insertions, 4 deletions
diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
index 3d53387c9f..0f02403184 100644
--- a/source3/smbd/trans2.c
+++ b/source3/smbd/trans2.c
@@ -3497,7 +3497,8 @@ int reply_trans2(connection_struct *conn,
unsigned int psoff = SVAL(inbuf, smb_psoff);
if ((psoff + num_params < psoff) || (psoff + num_params < num_params))
goto bad_param;
- if (smb_base(inbuf) + psoff + num_params > inbuf + length)
+ if ((smb_base(inbuf) + psoff + num_params > inbuf + length) ||
+ (smb_base(inbuf) + psoff + num_params < smb_base(inbuf)))
goto bad_param;
memcpy( params, smb_base(inbuf) + psoff, num_params);
}
@@ -3505,7 +3506,8 @@ int reply_trans2(connection_struct *conn,
unsigned int dsoff = SVAL(inbuf, smb_dsoff);
if ((dsoff + num_data < dsoff) || (dsoff + num_data < num_data))
goto bad_param;
- if (smb_base(inbuf) + dsoff + num_data > inbuf + length)
+ if ((smb_base(inbuf) + dsoff + num_data > inbuf + length) ||
+ (smb_base(inbuf) + dsoff + num_data < smb_base(inbuf)))
goto bad_param;
memcpy( data, smb_base(inbuf) + dsoff, num_data);
}
@@ -3566,7 +3568,10 @@ int reply_trans2(connection_struct *conn,
if ((param_disp + num_params < param_disp) ||
(param_disp + num_params < num_params))
goto bad_param;
- if (smb_base(inbuf) + param_off + num_params >= inbuf + bufsize)
+ if (param_disp > total_params)
+ goto bad_param;
+ if ((smb_base(inbuf) + param_off + num_params >= inbuf + bufsize) ||
+ (smb_base(inbuf) + param_off + num_params < smb_base(inbuf)))
goto bad_param;
if (params + param_disp < params)
goto bad_param;
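Review bot: The new `param_disp > total_params` test bounds only the start of the destination range, not its end, so a displacement at or near total_params combined with a non-zero num_params still passes. The copy that consumes these values is outside the hunk, but if it writes num_params bytes at params + param_disp, and params holds total_params bytes as the names suggest, the check should cover the sum: `if (param_disp > total_params || num_params > total_params - param_disp) goto bad_param;`. The data_disp check added in the following hunk needs the same change against total_data.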
@@ -3579,7 +3584,10 @@ int reply_trans2(connection_struct *conn,
if ((data_disp + num_data < data_disp) ||
(data_disp + num_data < num_data))
goto bad_param;
- if (smb_base(inbuf) + data_off + num_data >= inbuf + bufsize)
+ if (data_disp > total_data)
+ goto bad_param;
+ if ((smb_base(inbuf) + data_off + num_data >= inbuf + bufsize) ||
+ (smb_base(inbuf) + data_off + num_data < smb_base(inbuf)))
goto bad_param;
if (data + data_disp < data)
goto bad_param;
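Review bot: The source bound here and in the previous hunk is `inbuf + bufsize`, whereas the primary-request checks earlier in this diff use `inbuf + length`. If bufsize is the capacity of the receive buffer rather than the size of the secondary packet just read (an inference from the names, since neither is defined in the visible lines), data_off and num_data can select bytes that were never part of this packet, and stale buffer contents would be copied into data. Bounding by the received length of the secondary packet, for example one derived from `smb_len(inbuf)`, would make the four checks consistent. The enclosing block continues outside the hunk.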