author | Volker Lendecke <vl@samba.org> | 2008-11-08 17:14:06 +0100 |
committer | Karolin Seeger <kseeger@samba.org> | 2008-11-17 15:47:12 +0100 |
commit | 64a1d80851da5b05e70ec6c96f6e9bd473748369 (patch) | |
tree | 7875d7711286fff2cf708519dbeff2fff6cdafaf | |
parent | 60a639b1ac6c88f3a5ef1fe111860eb4b89b3a7d (diff) | |
Fix the offset checks in the trans routines
This fixes a potential crash bug: a client can make us read memory we
should not read. Luckily I got the disp checks right...
Volker
-rw-r--r-- | source/smbd/ipc.c | 6 | ||||
-rw-r--r-- | source/smbd/nttrans.c | 6 | ||||
-rw-r--r-- | source/smbd/trans2.c | 6 |
3 files changed, 9 insertions, 9 deletions
diff --git a/source/smbd/ipc.c b/source/smbd/ipc.c
index 6961a5caf15..a53bc5bea2a 100644
--- a/source/smbd/ipc.c
+++ b/source/smbd/ipc.c
@@ -764,10 +764,10 @@ void reply_transs(struct smb_request *req)
 goto bad_param;
 }
- if (ddisp > av_size ||
+ if (doff > av_size ||
 dcnt > av_size ||
- ddisp+dcnt > av_size ||
- ddisp+dcnt < ddisp) {
+ doff+dcnt > av_size ||
+ doff+dcnt < doff) {
 goto bad_param;
 }
diff --git a/source/smbd/nttrans.c b/source/smbd/nttrans.c
index 13caf77b983..ef814041627 100644
--- a/source/smbd/nttrans.c
+++ b/source/smbd/nttrans.c
@@ -2853,10 +2853,10 @@ void reply_nttranss(struct smb_request *req)
 goto bad_param;
 }
- if (ddisp > av_size ||
+ if (doff > av_size ||
 dcnt > av_size ||
- ddisp+dcnt > av_size ||
- ddisp+dcnt < ddisp) {
+ doff+dcnt > av_size ||
+ doff+dcnt < doff) {
 goto bad_param;
 }
diff --git a/source/smbd/trans2.c b/source/smbd/trans2.c
index 13105dce0fc..44ab88d0a44 100644
--- a/source/smbd/trans2.c
+++ b/source/smbd/trans2.c
@@ -7783,10 +7783,10 @@ void reply_transs2(struct smb_request *req)
 goto bad_param;
 }
- if (ddisp > av_size ||
+ if (doff > av_size ||
 dcnt > av_size ||
- ddisp+dcnt > av_size ||
- ddisp+dcnt < ddisp) {
+ doff+dcnt > av_size ||
+ doff+dcnt < doff) {
 goto bad_param;
 }
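Review bot: The corrected condition differs from the displacement check it sits beside by a single letter in the variable name, and nothing in the hunk says why `doff`/`dcnt` are the values that must fit inside `av_size`, so the original slip is easy to reintroduce; a short comment above the `if` would pin it down, e.g. `/* doff/dcnt locate the data inside this packet, so they are bounded by av_size (bytes actually received); ddisp is checked against the total count elsewhere */`, with the second clause confirmed against the disp checks that lie outside the hunk. The same block, with the same error, is fixed verbatim in reply_nttranss (nttrans.c) and reply_transs2 (trans2.c); three hand-maintained copies of one bounds test is how the bug reached all three, and a single static inline helper in a shared header that takes offset, count and available size and returns whether the range `[off, off+cnt)` fits would leave one place to get right. Whether `doff` and `dcnt` are unsigned, so that `doff+dcnt < doff` really detects wraparound rather than relying on signed overflow, is not visible here and is worth confirming at their declarations. Each enclosing function begins and ends outside its hunk.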