s3:smbd: reject a MaxBufferSize < SMB_BUFFER_SIZE_MIN (500) in a session setup request

This makes sure sconn->smb1.sessions.max_send is always >= SMB_BUFFER_SIZE_MIN.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10422
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

1 files changed, 13 insertions, 6 deletions

diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index 02cb4458f61..4b86a99522f 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -383,10 +383,13 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req)
 		}
 
 		if (!sconn->smb1.sessions.done_sesssetup) {
-			sconn->smb1.sessions.max_send =
-				MIN(sconn->smb1.sessions.max_send,smb_bufsize);
+			if (smb_bufsize < SMB_BUFFER_SIZE_MIN) {
+				reply_force_doserror(req, ERRSRV, ERRerror);
+				return;
+			}
+			sconn->smb1.sessions.max_send = smb_bufsize;
+			sconn->smb1.sessions.done_sesssetup = true;
 		}
-		sconn->smb1.sessions.done_sesssetup = true;
 
 		/* current_user_info is changed on new vuid */
 		reload_services(sconn, conn_snum_used, true);
@@ -1088,10 +1091,14 @@ void reply_sesssetup_and_X(struct smb_request *req)
 	req->vuid = sess_vuid;
 
 	if (!sconn->smb1.sessions.done_sesssetup) {
-		sconn->smb1.sessions.max_send =
-			MIN(sconn->smb1.sessions.max_send,smb_bufsize);
+		if (smb_bufsize < SMB_BUFFER_SIZE_MIN) {
+			reply_force_doserror(req, ERRSRV, ERRerror);
+			END_PROFILE(SMBsesssetupX);
+			return;
+		}
+		sconn->smb1.sessions.max_send = smb_bufsize;
+		sconn->smb1.sessions.done_sesssetup = true;
 	}
-	sconn->smb1.sessions.done_sesssetup = true;
 
 	END_PROFILE(SMBsesssetupX);
 }