From: Jason Ish
Date: Thu, 28 Apr 2016 21:09:18 +0000 (-0600)
Subject: smb: check that there is enough input data
X-Git-Tag: suricata-3.1RC1~205
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dd86ac07f71d593f16244710ebd8fec3b4e48277;p=thirdparty%2Fsuricata.git

smb: check that there is enough input data

Conditional was checking the word count, but indexing much further into the input data.
---
diff --git a/src/app-layer-smb.c b/src/app-layer-smb.c
index 561d283f35..11c8539e8e 100644
--- a/src/app-layer-smb.c
+++ b/src/app-layer-smb.c
@@ -414,7 +414,7 @@ static uint32_t SMBParseTransact(Flow *f, void *smb_state,
 switch (sstate->andx.andxbytesprocessed) {
 case 0:
 sstate->andx.paddingparsed = 0;
- if (input_len >= sstate->wordcount.wordcount) {
+ if (input_len >= 26) {
 sstate->andx.datalength = *(p + 22);
 sstate->andx.datalength |= *(p + 23) << 8;
 sstate->andx.dataoffset = *(p + 24);
@@ -423,8 +423,8 @@ static uint32_t SMBParseTransact(Flow *f, void *smb_state,
 sstate->andx.datalength |= (uint64_t) *(p + 15) << 48;
 sstate->andx.datalength |= (uint64_t) *(p + 16) << 40;
 sstate->andx.datalength |= (uint64_t) *(p + 17) << 32;
- sstate->bytesprocessed += sstate->wordcount.wordcount;
- sstate->andx.andxbytesprocessed += sstate->wordcount.wordcount;
+ sstate->bytesprocessed += 26;
+ sstate->andx.andxbytesprocessed += 26;
 SCReturnUInt(sstate->wordcount.wordcount);
 } else {
 /* total parameter count 1 */
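Review bot: The literal `26` in the new guard `if (input_len >= 26)` is unexplained, and the same number is repeated in the two `+= 26` lines of the second hunk, so the bounds check and the byte accounting can drift apart on a later edit. The highest offset read in the visible lines is `p + 24`; the reads between the two hunks are not shown, so confirm that none of them goes beyond `p + 25`. I would name the value once, for example `#define SMB_TRANSACT_FIXED_LEN 26 /* bytes read from p in case 0 */` (the name is only a suggestion), and use it in all three places. The body of SMBParseTransact starts and ends outside the hunk.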
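Review bot: The context line `SCReturnUInt(sstate->wordcount.wordcount);` at the end of the second hunk still returns the word count although the two counters above it now advance by 26, so the value handed to the caller and the parser's own accounting disagree whenever the word count is not 26. The caller is outside the hunk; if it advances its input pointer by the return value, a word count larger than `input_len` would presumably move it past the bytes that were actually checked, which is the same class of over-read this commit sets out to fix. Returning the consumed length instead, `SCReturnUInt(26U);`, would keep the guard, the counters and the return value consistent.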