author | Jeremy Allison <jra@samba.org> | 2003-10-16 20:44:43 +0000 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2003-10-16 20:44:43 +0000 |
commit | 41d1870a51c259f0cf17caf59928a3b38b21ea11 (patch) | |
tree | 2af247f23e449a5272e4ac20a1f805197a0eb510 /source/smbd/ipc.c | |
parent | 5332af1124077f49e84836f5cedfbde98336b142 (diff) | |
Tidy up wrap checking.
Jeremy.
Diffstat (limited to 'source/smbd/ipc.c')
-rw-r--r-- | source/smbd/ipc.c | 20 |
1 files changed, 14 insertions, 6 deletions
diff --git a/source/smbd/ipc.c b/source/smbd/ipc.c
index 39072f9b912..9bdd02b0593 100644
--- a/source/smbd/ipc.c
+++ b/source/smbd/ipc.c
@@ -388,7 +388,8 @@ int reply_trans(connection_struct *conn, char *inbuf,char *outbuf, int size, int
 	}
 	if ((dsoff+dscnt < dsoff) || (dsoff+dscnt < dscnt))
 		goto bad_param;
-	if (smb_base(inbuf)+dsoff+dscnt > inbuf + size)
+	if ((smb_base(inbuf)+dsoff+dscnt > inbuf + size) ||
+			(smb_base(inbuf)+dsoff+dscnt < smb_base(inbuf)))
 		goto bad_param;
 	memcpy(data,smb_base(inbuf)+dsoff,dscnt);
@@ -402,8 +403,9 @@ int reply_trans(connection_struct *conn, char *inbuf,char *outbuf, int size, int
 		return(ERROR_DOS(ERRDOS,ERRnomem));
 	}
 	if ((psoff+pscnt < psoff) || (psoff+pscnt < pscnt))
-		goto bad_param;
-	if (smb_base(inbuf)+psoff+pscnt > inbuf + size)
+		goto bad_param;
+	if ((smb_base(inbuf)+psoff+pscnt > inbuf + size) ||
+			(smb_base(inbuf)+psoff+pscnt < smb_base(inbuf)));
 		goto bad_param;
 	memcpy(params,smb_base(inbuf)+psoff,pscnt);
@@ -487,8 +489,11 @@ int reply_trans(connection_struct *conn, char *inbuf,char *outbuf, int size, int
 	if (pdisp+pcnt >= tpscnt)
 		goto bad_param;
 	if ((pdisp+pcnt < pdisp) || (pdisp+pcnt < pcnt))
-		goto bad_param;
-	if (smb_base(inbuf) + poff + pcnt >= inbuf + bufsize)
+		goto bad_param;
+	if (pdisp > tpscnt)
+		goto bad_param;
+	if ((smb_base(inbuf) + poff + pcnt >= inbuf + bufsize) ||
+			(smb_base(inbuf) + poff + pcnt < smb_base(inbuf)))
 		goto bad_param;
 	if (params + pdisp < params)
 		goto bad_param;
@@ -501,7 +506,10 @@ int reply_trans(connection_struct *conn, char *inbuf,char *outbuf, int size, int
 		goto bad_param;
 	if ((ddisp+dcnt < ddisp) || (ddisp+dcnt < dcnt))
 		goto bad_param;
-	if (smb_base(inbuf) + doff + dcnt >= inbuf + bufsize)
+	if (ddisp > tdscnt)
+		goto bad_param;
+	if ((smb_base(inbuf) + doff + dcnt >= inbuf + bufsize) ||
+			(smb_base(inbuf) + doff + dcnt < smb_base(inbuf)))
 		goto bad_param;
 	if (data + ddisp < data)
 		goto bad_param;
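Review bot: The second hunk's new parameter-bounds check ends with a stray semicolon, `(smb_base(inbuf)+psoff+pscnt < smb_base(inbuf)));`, which makes the `if` an empty statement so the `goto bad_param;` on the following line executes unconditionally and every request that reaches the `memcpy(params, ...)` is rejected as a bad parameter. The fix is to drop that semicolon so the line reads `(smb_base(inbuf)+psoff+pscnt < smb_base(inbuf)))`, matching the same check as it is written in the first, third and fourth hunks. A smaller point that applies to all four hunks: the added `< smb_base(inbuf)` comparisons detect wrap by forming a pointer past the end of the buffer and comparing it, which is undefined behaviour in C and a compiler is allowed to fold away; the integer checks on the offset and count that precede them are the reliable guard, so expressing the bound in integer arithmetic against the distance from `smb_base(inbuf)` to `inbuf + size` (or `inbuf + bufsize`) would be sturdier. reply_trans begins and ends outside these hunks.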