r6269: With help from Marcel Müller <mueller@maazl.de> in tracking down the bug,
authorJeremy Allison <jra@samba.org>
Sun, 10 Apr 2005 06:57:55 +0000 (06:57 +0000)
committerGerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 15:56:34 +0000 (10:56 -0500)
fix trans2 and nttrans secondary packet processing. We were being too strict when checking
the incoming packet (by 1 byte).
Jeremy.

source/smbd/nttrans.c
source/smbd/trans2.c

index 4dffe870c53a4bc0470d8b1c8b72e382942714b2..a3ffaad24ac92c3a3fdf5e7aeeeafb2b999d6c89 100644 (file)
@@ -2946,6 +2946,9 @@ due to being in oplock break state.\n", (unsigned int)function_code ));
 
                        ret = receive_next_smb(inbuf,bufsize,SMB_SECONDARY_WAIT);
 
+                       /* We need to re-calcuate the new length after we've read the secondary packet. */
+                       length = smb_len(inbuf) + 4;
+
                        /*
                         * The sequence number for the trans reply is always
                         * based on the last secondary received.
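Review bot: `length` is recomputed from the header that receive_next_smb() just filled in, but the check on `ret` is not within this hunk, so if that read failed the value smb_len() reports may not match what was actually placed in `inbuf`, and `inbuf + length` in the later bound checks could then lie beyond `inbuf + bufsize`. Either move the assignment below the existing handling of `ret`, or bound it immediately, e.g. `if (length > bufsize) goto bad_param;` right after the assignment (the declaration of `length` and the `bad_param` label are outside this hunk, so the exact types should be confirmed there). The added comment also misspells "re-calculate"; suggested wording: `/* Re-calculate the length after reading the secondary packet. */`. The same two points apply to the matching hunk in reply_trans2 (`@@ -4885,6 +4885,9 @@`). The enclosing function starts and ends outside this hunk.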
@@ -2993,7 +2996,7 @@ due to being in oplock break state.\n", (unsigned int)function_code ));
                                        goto bad_param;
                                if (parameter_displacement > total_parameter_count)
                                        goto bad_param;
-                               if ((smb_base(inbuf) + parameter_offset + parameter_count >= inbuf + bufsize) ||
+                               if ((smb_base(inbuf) + parameter_offset + parameter_count > inbuf + length) ||
                                                (smb_base(inbuf) + parameter_offset + parameter_count < smb_base(inbuf)))
                                        goto bad_param;
                                if (parameter_displacement + params < params)
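Review bot: The new check still forms the pointer `smb_base(inbuf) + parameter_offset + parameter_count` before comparing it, and both offsets come from the packet, so for hostile values the pointer is constructed far outside `inbuf` — undefined behaviour in C that lets a compiler treat the wrap-around guard on the next line as always false. Comparing integers instead keeps every operation defined; since `inbuf + length` is `smb_base(inbuf) + (length - 4)`, the pair of checks can be written as `if (parameter_offset + parameter_count < parameter_offset ||` / `    parameter_offset + parameter_count > (unsigned int)(length - 4)) goto bad_param;` (assuming these counts are `unsigned int`, as `data_off` is declared in trans2.c; confirm for nttrans.c). The same pattern applies to the `@@ -3010,7 +3013,7 @@` hunk here and to the `@@ -4932,7 +4935,7 @@` and `@@ -4948,7 +4951,7 @@` hunks in trans2.c. The enclosing function starts and ends outside this hunk.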
@@ -3010,7 +3013,7 @@ due to being in oplock break state.\n", (unsigned int)function_code ));
                                        goto bad_param;
                                if (data_displacement > total_data_count)
                                        goto bad_param;
-                               if ((smb_base(inbuf) + data_offset + data_count >= inbuf + bufsize) ||
+                               if ((smb_base(inbuf) + data_offset + data_count > inbuf + length) ||
                                                (smb_base(inbuf) + data_offset + data_count < smb_base(inbuf)))
                                        goto bad_param;
                                if (data_displacement + data < data)
index 1868ce8fe4ae727d9719325b46608c67b53fda38..adc6322ac33110798fb69c2fea0a0a44302cf2ba 100644 (file)
@@ -4885,6 +4885,9 @@ int reply_trans2(connection_struct *conn,
                        unsigned int data_off;
 
                        ret = receive_next_smb(inbuf,bufsize,SMB_SECONDARY_WAIT);
+
+                       /* We need to re-calcuate the new length after we've read the secondary packet. */
+                       length = smb_len(inbuf) + 4;
                        
                        /*
                         * The sequence number for the trans reply is always
@@ -4932,7 +4935,7 @@ int reply_trans2(connection_struct *conn,
                                        goto bad_param;
                                if (param_disp > total_params)
                                        goto bad_param;
-                               if ((smb_base(inbuf) + param_off + num_params >= inbuf + bufsize) ||
+                               if ((smb_base(inbuf) + param_off + num_params > inbuf + length) ||
                                                (smb_base(inbuf) + param_off + num_params < smb_base(inbuf)))
                                        goto bad_param;
                                if (params + param_disp < params)
@@ -4948,7 +4951,7 @@ int reply_trans2(connection_struct *conn,
                                        goto bad_param;
                                if (data_disp > total_data)
                                        goto bad_param;
-                               if ((smb_base(inbuf) + data_off + num_data >= inbuf + bufsize) ||
+                               if ((smb_base(inbuf) + data_off + num_data > inbuf + length) ||
                                                (smb_base(inbuf) + data_off + num_data < smb_base(inbuf)))
                                        goto bad_param;
                                if (data + data_disp < data)