authorDaniel Stenberg <daniel@haxx.se>2018-05-12 22:24:25 +0200
committerDaniel Stenberg <daniel@haxx.se>2018-05-12 22:24:25 +0200
commit9cacc24630e55ea54803458f37fadfe9d4beb52c (patch)
treebcb63a6bc2d228ab9eca95d0ad1e5e64ea8a98b0
parentfe6b78b42dee1d33a2a225de6e42d0d922d4fe10 (diff)
downloadcurl-9cacc24630e55ea54803458f37fadfe9d4beb52c.tar.gz
smb: reject negative file sizes
Assisted-by: Max Dymond Detected by OSS-Fuzz Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8245
-rw-r--r--lib/smb.c14
1 files changed, 10 insertions, 4 deletions
diff --git a/lib/smb.c b/lib/smb.c
index b4326341e..9ac61505c 100644
--- a/lib/smb.c
+++ b/lib/smb.c
@@ -790,10 +790,16 @@ static CURLcode smb_request_state(struct connectdata *conn, bool *done)
else {
smb_m = (const struct smb_nt_create_response*) msg;
conn->data->req.size = smb_swap64(smb_m->end_of_file);
- Curl_pgrsSetDownloadSize(conn->data, conn->data->req.size);
- if(conn->data->set.get_filetime)
- get_posix_time(&conn->data->info.filetime, smb_m->last_change_time);
- next_state = SMB_DOWNLOAD;
+ if(conn->data->req.size < 0) {
+ req->result = CURLE_WEIRD_SERVER_REPLY;
+ next_state = SMB_CLOSE;
+ }
+ else {
+ Curl_pgrsSetDownloadSize(conn->data, conn->data->req.size);
+ if(conn->data->set.get_filetime)
+ get_posix_time(&conn->data->info.filetime, smb_m->last_change_time);
+ next_state = SMB_DOWNLOAD;
+ }
}
break;
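Review bot: The new `if(conn->data->req.size < 0)` test has no comment saying where a negative size can come from, and it runs only after the server-supplied value has already been written into `conn->data->req.size`. `end_of_file` is taken from the server's NT create response, so the sign presumably appears only through the implicit conversion on assignment; a comment such as `/* end_of_file is server-controlled; a value beyond the signed range reads back as negative */` above the check would make that explicit. It may also be cleaner to convert into a local, test it, and assign `req.size` only in the `else` branch, so a rejected value is never left in the request while the state machine moves to SMB_CLOSE. Whether anything reads `req.size` on that path cannot be seen from here, since smb_request_state starts and continues outside the hunk.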