diff options
author | Jeremy Allison <jra@samba.org> | 2003-10-16 20:44:43 +0000 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2003-10-16 20:44:43 +0000 |
commit | 450bc69ab36aff1e3011beaacced84de1a57a72a (patch) | |
tree | 74bd868e5ba3be13f097dcd91395c24e62cd6711 /source3/smbd/trans2.c | |
parent | 3a9510acaed2d5e28b17934a2d110998232565e2 (diff) | |
download | samba-450bc69ab36aff1e3011beaacced84de1a57a72a.tar.gz samba-450bc69ab36aff1e3011beaacced84de1a57a72a.tar.xz samba-450bc69ab36aff1e3011beaacced84de1a57a72a.zip |
Tidyup wrap checking.
Jeremy.
(This used to be commit 41d1870a51c259f0cf17caf59928a3b38b21ea11)
Diffstat (limited to 'source3/smbd/trans2.c')
-rw-r--r-- | source3/smbd/trans2.c | 16 |
1 files changed, 12 insertions, 4 deletions
diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c index 3d53387c9f..0f02403184 100644 --- a/source3/smbd/trans2.c +++ b/source3/smbd/trans2.c @@ -3497,7 +3497,8 @@ int reply_trans2(connection_struct *conn, unsigned int psoff = SVAL(inbuf, smb_psoff); if ((psoff + num_params < psoff) || (psoff + num_params < num_params)) goto bad_param; - if (smb_base(inbuf) + psoff + num_params > inbuf + length) + if ((smb_base(inbuf) + psoff + num_params > inbuf + length) || + (smb_base(inbuf) + psoff + num_params < smb_base(inbuf))) goto bad_param; memcpy( params, smb_base(inbuf) + psoff, num_params); } @@ -3505,7 +3506,8 @@ int reply_trans2(connection_struct *conn, unsigned int dsoff = SVAL(inbuf, smb_dsoff); if ((dsoff + num_data < dsoff) || (dsoff + num_data < num_data)) goto bad_param; - if (smb_base(inbuf) + dsoff + num_data > inbuf + length) + if ((smb_base(inbuf) + dsoff + num_data > inbuf + length) || + (smb_base(inbuf) + dsoff + num_data < smb_base(inbuf))) goto bad_param; memcpy( data, smb_base(inbuf) + dsoff, num_data); } @@ -3566,7 +3568,10 @@ int reply_trans2(connection_struct *conn, if ((param_disp + num_params < param_disp) || (param_disp + num_params < num_params)) goto bad_param; - if (smb_base(inbuf) + param_off + num_params >= inbuf + bufsize) + if (param_disp > total_params) + goto bad_param; + if ((smb_base(inbuf) + param_off + num_params >= inbuf + bufsize) || + (smb_base(inbuf) + param_off + num_params < smb_base(inbuf))) goto bad_param; if (params + param_disp < params) goto bad_param; @@ -3579,7 +3584,10 @@ int reply_trans2(connection_struct *conn, if ((data_disp + num_data < data_disp) || (data_disp + num_data < num_data)) goto bad_param; - if (smb_base(inbuf) + data_off + num_data >= inbuf + bufsize) + if (data_disp > total_data) + goto bad_param; + if ((smb_base(inbuf) + data_off + num_data >= inbuf + bufsize) || + (smb_base(inbuf) + data_off + num_data < smb_base(inbuf))) goto bad_param; if (data + data_disp < data) goto bad_param; |