Fix the offset checks in the trans routines

This fixes a potential crash bug, a client can make us read memory we
should not read. Luckily I got the disp checks right...

Volker

diff --git a/source/smbd/ipc.c b/source/smbd/ipc.c
index f7b7c3132bdd3329631fe59c6f7f568f71fe389c..43f0d69f2430aa61b293328f43fcedee61ca2162 100644 (file)
--- a/source/smbd/ipc.c
+++ b/source/smbd/ipc.c
@@ -680,13 +680,13 @@ int reply_transs(connection_struct *conn, char *inbuf,char *outbuf,
                                dcnt > state->total_data ||
                                ddisp+dcnt > state->total_data ||
                                ddisp+dcnt < ddisp) {
-                       goto bad_param; 
+                       goto bad_param;
                }
 
-               if (ddisp > av_size ||
+               if (doff > av_size ||
                                dcnt > av_size ||
-                               ddisp+dcnt > av_size ||
-                               ddisp+dcnt < ddisp) {
+                               doff+dcnt > av_size ||
+                               doff+dcnt < doff) {
                        goto bad_param;
                }
 

diff --git a/source/smbd/nttrans.c b/source/smbd/nttrans.c
index b40ea9edca16100109cf66331c52b4179f20d2c3..2b9d5daa4fd0fb5ac098f53ab80185ed7390c8b1 100644 (file)
--- a/source/smbd/nttrans.c
+++ b/source/smbd/nttrans.c
@@ -3228,10 +3228,10 @@ int reply_nttranss(connection_struct *conn,  char *inbuf,char *outbuf,
                        goto bad_param;
                }
 
-               if (ddisp > av_size ||
+               if (doff > av_size ||
                                dcnt > av_size ||
-                               ddisp+dcnt > av_size ||
-                               ddisp+dcnt < ddisp) {
+                               doff+dcnt > av_size ||
+                               doff+dcnt < doff) {
                        goto bad_param;
                }
 

diff --git a/source/smbd/trans2.c b/source/smbd/trans2.c
index 30c84bf6615ae1c4aea5188aafa3710085f7455f..9daef90115fb893d5c4a1de5325167631adbae07 100644 (file)
--- a/source/smbd/trans2.c
+++ b/source/smbd/trans2.c
@@ -6822,10 +6822,10 @@ int reply_transs2(connection_struct *conn,
                        goto bad_param;
                }
 
-               if (ddisp > av_size ||
+               if (doff > av_size ||
                                dcnt > av_size ||
-                               ddisp+dcnt > av_size ||
-                               ddisp+dcnt < ddisp) {
+                               doff+dcnt > av_size ||
+                               doff+dcnt < doff) {
                        goto bad_param;
                }