author | Volker Lendecke <vl@samba.org> | 2008-11-08 17:14:06 +0100 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2008-11-17 15:47:12 +0100 |
commit | 64a1d80851da5b05e70ec6c96f6e9bd473748369 (patch) | |
tree | 7875d7711286fff2cf708519dbeff2fff6cdafaf /source/smbd/ipc.c | |
parent | 60a639b1ac6c88f3a5ef1fe111860eb4b89b3a7d (diff) | |
Fix the offset checks in the trans routines
This fixes a potential crash bug, a client can make us read memory we
should not read. Luckily I got the disp checks right...
Volker
Diffstat (limited to 'source/smbd/ipc.c')
-rw-r--r-- | source/smbd/ipc.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/source/smbd/ipc.c b/source/smbd/ipc.c index 6961a5caf15..a53bc5bea2a 100644 --- a/source/smbd/ipc.c +++ b/source/smbd/ipc.c @@ -764,10 +764,10 @@ void reply_transs(struct smb_request *req) goto bad_param; } - if (ddisp > av_size || + if (doff > av_size || dcnt > av_size || - ddisp+dcnt > av_size || - ddisp+dcnt < ddisp) { + doff+dcnt > av_size || + doff+dcnt < doff) { goto bad_param; } |
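Review bot: the wrap test `doff+dcnt < doff` in the new reply_transs condition only catches overflow if doff and dcnt are unsigned and the sum is not promoted to a wider type. The declarations are outside this hunk, so please confirm that, or write the bound as `dcnt > av_size - doff` after the `doff > av_size` test, which cannot wrap whatever the width. Since the defect was comparing the displacement (ddisp) against av_size where the offset (doff) was meant, a short comment above this condition saying which of the two is bounded by av_size, and where ddisp is validated, would make the same mix-up harder to reintroduce.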