From: Daniel Stenberg
Date: Thu, 18 Sep 2025 12:49:09 +0000 (+0200)
Subject: smb: adjust buffer size checks
X-Git-Tag: rc-8_17_0-1~359
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5cc2b8344675140efc660d7a67958274c9caf590;p=thirdparty%2Fcurl.git
smb: adjust buffer size checks
The checks did not account for the **two byte** 16bit read so risked reading one more byte than what actually was received.
Reported-by: Joshua Rogers
Closes #18599
---
diff --git a/lib/smb.c b/lib/smb.c
index 81cf6e7cc1..bf02119ea1 100644
--- a/lib/smb.c
+++ b/lib/smb.c
@@ -1104,7 +1104,7 @@ static CURLcode smb_request_state(struct Curl_easy *data, bool *done)
 break;
 case SMB_DOWNLOAD:
- if(h->status || smbc->got < sizeof(struct smb_header) + 14) {
+ if(h->status || smbc->got < sizeof(struct smb_header) + 15) {
 req->result = CURLE_RECV_ERROR;
 next_state = SMB_CLOSE;
 break;
@@ -1133,7 +1133,7 @@ static CURLcode smb_request_state(struct Curl_easy *data, bool *done)
 break;
 case SMB_UPLOAD:
- if(h->status || smbc->got < sizeof(struct smb_header) + 6) {
+ if(h->status || smbc->got < sizeof(struct smb_header) + 7) {
 req->result = CURLE_UPLOAD_FAILED;
 next_state = SMB_CLOSE;
 break;
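Review bot: The new bounds `+ 15` in the SMB_DOWNLOAD check and `+ 7` in the SMB_UPLOAD check are bare numbers, so nothing at either check says which read on the received data it protects, and an off-by-one like the one fixed here stays easy to miss. The 16-bit reads themselves are in the part of smb_request_state outside these hunks, so the offsets below are inferred from the commit message and should be confirmed against those reads. I would state the derivation at each check, for example `/* last 16-bit field read below starts at header + 13 and needs two bytes */` before the SMB_DOWNLOAD test and the matching comment with offset 5 before the SMB_UPLOAD test, or write the bound as `sizeof(struct smb_header) + 13 + 2` so the offset and the width stay visible. A regression test that feeds a response truncated to exactly the old limit would pin the boundary, if the suite does not already have one.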