From: Stefan Eissing
Date: Fri, 10 Oct 2025 09:28:29 +0000 (+0200)
Subject: smb: transfer debugassert to real check
X-Git-Tag: rc-8_17_0-2~108
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=44429da2e12ec660d000d3e3394900f03d4c3761;p=thirdparty%2Fcurl.git

smb: transfer debugassert to real check

That also works for non-debug builds.

Reported-by: Joshua Rogers
Cloes #19003
---
diff --git a/lib/smb.c b/lib/smb.c
index f7d06eb490..2aa8e96644 100644
--- a/lib/smb.c
+++ b/lib/smb.c
@@ -545,7 +545,7 @@ static CURLcode smb_recv_message(struct Curl_easy *data,
   char *buf = smbc->recv_buf;
   size_t bytes_read;
   size_t nbt_size;
-  size_t msg_size;
+  size_t msg_size = sizeof(struct smb_header);
   size_t len = MAX_MESSAGE_SIZE - smbc->got;
   CURLcode result;
 
@@ -565,10 +565,19 @@ static CURLcode smb_recv_message(struct Curl_easy *data,
   nbt_size = Curl_read16_be((const unsigned char *)
                             (buf + sizeof(unsigned short))) +
     sizeof(unsigned int);
+  if(nbt_size > MAX_MESSAGE_SIZE) {
+    failf(data, "too large NetBIOS frame size %zu", nbt_size);
+    return CURLE_RECV_ERROR;
+  }
+  else if(nbt_size < msg_size) {
+    /* Each SMB message must be at least this large, e.g. 32 bytes */
+    failf(data, "too small NetBIOS frame size %zu", nbt_size);
+    return CURLE_RECV_ERROR;
+  }
+
   if(smbc->got < nbt_size)
     return CURLE_OK;
 
-  msg_size = sizeof(struct smb_header);
   if(nbt_size >= msg_size + 1) {
     /* Add the word count */
     msg_size += 1 + ((unsigned char) buf[msg_size]) * sizeof(unsigned short);
@@ -577,7 +586,7 @@ static CURLcode smb_recv_message(struct Curl_easy *data,
       msg_size += sizeof(unsigned short) +
         Curl_read16_le((const unsigned char *)&buf[msg_size]);
       if(nbt_size < msg_size)
-        return CURLE_READ_ERROR;
+        return CURLE_RECV_ERROR;
     }
   }
 
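Review bot: The new `nbt_size` bounds checks in smb_recv_message run only after `Curl_read16_be()` has read two bytes at `buf + sizeof(unsigned short)`, and the hunk does not show the guard that ensures at least `sizeof(unsigned int)` bytes of NetBIOS header are present before that read; if that guard sits earlier in the function (outside the hunk), a one-line comment above the read, `/* smbc->got >= sizeof(unsigned int) is checked above */`, would make the dependency visible to the next reader. The two `failf()` messages could also state the limit that was violated, e.g. `failf(data, "too small NetBIOS frame size %zu (minimum %zu)", nbt_size, msg_size);`, so a rejected frame is diagnosable from the log alone. The `else` after the first `return` is redundant; a plain `if` keeps the two checks parallel. In the added comment, `e.g. 32 bytes` reads better as `i.e.` if `sizeof(struct smb_header)` is a fixed value rather than an example, which seems likely but is not shown here. smb_recv_message starts and ends outside this hunk.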
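Review bot: The `return CURLE_RECV_ERROR;` changed in the third hunk still rejects the frame silently, whereas the two new size checks earlier in the same function report the reason through `failf()`; adding `failf(data, "SMB message size %zu exceeds NetBIOS frame size %zu", msg_size, nbt_size);` before the return would make the three rejection paths consistent and give the user a reason for the failure. The enclosing `if` blocks and smb_recv_message itself begin outside this hunk.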
@@ -661,7 +670,10 @@ static CURLcode smb_send_message(struct Curl_easy *data,
 {
   smb_format_message(smbc, req, (struct smb_header *)smbc->send_buf,
                      cmd, msg_len);
-  DEBUGASSERT((sizeof(struct smb_header) + msg_len) <= MAX_MESSAGE_SIZE);
+  if((sizeof(struct smb_header) + msg_len) > MAX_MESSAGE_SIZE) {
+    DEBUGASSERT(0);
+    return CURLE_SEND_ERROR;
+  }
   memcpy(smbc->send_buf + sizeof(struct smb_header), msg, msg_len);
 
   return smb_send(data, smbc, sizeof(struct smb_header) + msg_len, 0);
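Review bot: The new size check in smb_send_message runs after `smb_format_message()` has already written a header into `smbc->send_buf`; nothing is sent on the error path, so this is harmless, but moving the check above the format call would avoid touching the send buffer for a message that is then rejected, and a `failf(data, "SMB message too large (%zu bytes)", msg_len);` before the return would tell the user why the transfer failed instead of a bare CURLE_SEND_ERROR. Keeping `DEBUGASSERT(0)` inside the branch means a debug build still aborts on this path, which is appropriate only if every caller bounds `msg_len` by construction; the hunk does not show the callers, so if any of them derives `msg_len` from transfer-supplied sizes the assert should be dropped so the error return is the only behavior. smb_send_message's signature is outside the hunk.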