r3936: Ensure LARGE_READX response must fit within reply buffer.

author Jeremy Allison <jra@samba.org>

Wed, 24 Nov 2004 05:24:38 +0000 (05:24 +0000)

committer Gerald (Jerry) Carter <jerry@samba.org>

Wed, 10 Oct 2007 15:53:25 +0000 (10:53 -0500)
author Jeremy Allison <jra@samba.org>
Wed, 24 Nov 2004 05:24:38 +0000 (05:24 +0000)
committer Gerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 15:53:25 +0000 (10:53 -0500)
diff --git a/source/smbd/reply.c b/source/smbd/reply.c

index 5d493d871631603afc02e3f4cc160aaa01a28a1d..a3bb41257859aae9a5b2437425f6b248aed099f7 100644 (file)
--- a/source/smbd/reply.c
+++ b/source/smbd/reply.c
@@ -2186,6 +2186,12 @@ int reply_read_and_X(connection_struct *conn, char *inbuf,char *outbuf,int lengt
  
         if (global_client_caps & CAP_LARGE_READX) {
                 smb_maxcnt |= ((((size_t)SVAL(inbuf,smb_vwv7)) & 1 )<<16);
+               if (smb_maxcnt > BUFFER_SIZE) {
+                       DEBUG(0,("reply_read_and_X - read too large (%u) for reply buffer %u\n",
+                               (unsigned int)smb_maxcnt, (unsigned int)BUFFER_SIZE));
+                       END_PROFILE(SMBreadX);
+                       return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+               }
         }
  
         if(CVAL(inbuf,smb_wct) == 12) {
author	Jeremy Allison <jra@samba.org>
	Wed, 24 Nov 2004 05:24:38 +0000 (05:24 +0000)
committer	Gerald (Jerry) Carter <jerry@samba.org>
	Wed, 10 Oct 2007 15:53:25 +0000 (10:53 -0500)