Fixed range check on writeX.

Jeremy.
author: Jeremy Allison <jra@samba.org> 2000-04-27 17:14:45 +0000
committer: Jeremy Allison <jra@samba.org> 2000-04-27 17:14:45 +0000
commit: 9cde198108439358e99128fa9a1b3000e33f5414 (patch)
tree: 7b5d5fe11786ecb457ec57a29a8f6baab2cc2dbc /source/smbd/reply.c
parent: 4a4b7a994bbe327216f736133edc51cf9a351716 (diff)
download: samba-9cde198108439358e99128fa9a1b3000e33f5414.tar.gz
samba-9cde198108439358e99128fa9a1b3000e33f5414.tar.xz
samba-9cde198108439358e99128fa9a1b3000e33f5414.zip
1 files changed, 4 insertions, 1 deletions
diff --git a/source/smbd/reply.c b/source/smbd/reply.c
index 4134df221e7..41c6dcb143a 100644
--- a/source/smbd/reply.c
+++ b/source/smbd/reply.c
@@ -2545,7 +2545,7 @@ int reply_write_and_X(connection_struct *conn, char *inbuf,char *outbuf,int leng
   size_t numtowrite = SVAL(inbuf,smb_vwv10);
   BOOL write_through = BITSETW(inbuf+smb_vwv7,0);
   ssize_t nwritten = -1;
-  int smb_doff = SVAL(inbuf,smb_vwv11);
+  unsigned int smb_doff = SVAL(inbuf,smb_vwv11);
   char *data;
 
   /* If it's an IPC, pass off the pipe handler. */
@@ -2556,6 +2556,9 @@ int reply_write_and_X(connection_struct *conn, char *inbuf,char *outbuf,int leng
   CHECK_WRITE(fsp);
   CHECK_ERROR(fsp);
 
+  if(smb_doff > smb_len(inbuf))
+    return(ERROR(ERRDOS,ERRbadmem));
+
   data = smb_base(inbuf) + smb_doff;
 
   if(CVAL(inbuf,smb_wct) == 14) {
author	Jeremy Allison <jra@samba.org>	2000-04-27 17:14:45 +0000
committer	Jeremy Allison <jra@samba.org>	2000-04-27 17:14:45 +0000
commit	9cde198108439358e99128fa9a1b3000e33f5414 (patch)
tree	7b5d5fe11786ecb457ec57a29a8f6baab2cc2dbc /source/smbd/reply.c
parent	4a4b7a994bbe327216f736133edc51cf9a351716 (diff)
download	samba-9cde198108439358e99128fa9a1b3000e33f5414.tar.gz samba-9cde198108439358e99128fa9a1b3000e33f5414.tar.xz samba-9cde198108439358e99128fa9a1b3000e33f5414.zip