From: Jeremy Allison <jra@samba.org>
Date: Wed, 3 Jul 2019 19:15:56 +0000 (-0700)
Subject: s3: smbd: SMB1 add range checks to reply_fclose().
X-Git-Tag: samba-4.11.0rc1~94
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=4a9d46dafb32b02099e0d790c583876f412ac1c1;p=thirdparty%2Fsamba.git

s3: smbd: SMB1 add range checks to reply_fclose().

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Thu Jul  4 15:40:31 UTC 2019 on sn-devel-184
---

diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index d04ff8ec8b7..87729b23a83 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -2083,6 +2083,13 @@ void reply_fclose(struct smb_request *req)
 		END_PROFILE(SMBfclose);
 		return;
 	}
+
+	if (smbreq_bufrem(req, p) < 3) {
+		reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+		END_PROFILE(SMBfclose);
+		return;
+	}
+
 	p++;
 	status_len = SVAL(p,0);
 	p += 2;
@@ -2093,6 +2100,12 @@ void reply_fclose(struct smb_request *req)
 		return;
 	}
 
+	if (smbreq_bufrem(req, p) < 21) {
+		reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+		END_PROFILE(SMBfclose);
+		return;
+	}
+
 	memcpy(status,p,21);
 
 	if(dptr_fetch(sconn, status+12,&dptr_num)) {