From: Jeremy Allison
Date: Wed, 3 Jul 2019 19:13:59 +0000 (-0700)
Subject: s3: smbd: SMB1 add range checks to reply_search().
X-Git-Tag: samba-4.11.0rc1~95
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=522fe23612487995039cc1379caacdec001a5332;p=thirdparty%2Fsamba.git

s3: smbd: SMB1 add range checks to reply_search().

Signed-off-by: Jeremy Allison
Reviewed-by: Ralph Boehme
---

diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index 20e1468f748..d04ff8ec8b7 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -1801,6 +1801,11 @@ void reply_search(struct smb_request *req)
 goto out;
 }
 
+ if (smbreq_bufrem(req, p) < 3) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ goto out;
+ }
+
 p++;
 status_len = SVAL(p, 0);
 p += 2;
@@ -1880,6 +1885,11 @@ void reply_search(struct smb_request *req)
 int status_dirtype;
 const char *dirpath;
 
+ if (smbreq_bufrem(req, p) < 21) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ goto out;
+ }
+
 memcpy(status,p,21);
 status_dirtype = CVAL(status,0) & 0x1F;
 if (status_dirtype != (dirtype & 0x1F)) {
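Review bot: The literal 3 in `smbreq_bufrem(req, p) < 3` is unexplained in the first hunk. It appears to cover the byte skipped by `p++` plus the two bytes read by `SVAL(p, 0)`, but a reader has to count the statements that follow to see that. A short comment on the guard, such as `/* 1 skipped byte + 2-byte status_len */`, would keep the bound and the parsing in step if either changes. reply_search() starts and ends outside the hunk, so whether `p` is already known to lie inside the request buffer at this point cannot be confirmed from here.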
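Review bot: The guard added in the second hunk compares the remaining bytes with the literal 21, and nothing in the visible lines ties that bound to the `status_len` value read from the request in the first hunk. A request that declares some other non-zero length would presumably still reach `memcpy(status,p,21)` as long as 21 bytes remain. If no check outside the hunk rejects that, and the protocol allows only a 21-byte block here, the condition could become `if (status_len != 21 || smbreq_bufrem(req, p) < 21) {`. The number 21 is also now repeated in the guard and the copy. `status` is declared outside the hunk, so if it is a 21-byte array then `sizeof(status)` in both places, or one named constant, would keep them from drifting apart.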