From: Jeremy Allison <jra@samba.org>
Date: Sat, 19 May 2007 01:27:34 +0000 (+0000)
Subject: r23007: Ensure we don't allow large read over the possible
X-Git-Tag: samba-4.0.0alpha6~801^2~5833
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=63e74f305920a44606d1b0380c605e00fca14940;p=thirdparty%2Fsamba.git

r23007: Ensure we don't allow large read over the possible
packet size.
Jeremy.
(This used to be commit 5d465dd2d559df29d18a844137c8e14ffbb1a269)
---

diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index 24fff5da52d..c71c7b8beae 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -2718,6 +2718,10 @@ int reply_read_and_X(connection_struct *conn, char *inbuf,char *outbuf,int lengt
 			if (srv_is_signing_active() || srv_encryption_on()) {
 				return ERROR_NT(NT_STATUS_NOT_SUPPORTED);
 			}
+			/* Is there room in the reply for this data ? */
+			if (smb_maxcnt > (0xFFFFFF - (smb_size -4 + 12*2)))  {
+				return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+			}
 			big_readX = True;
 		}
 	}