authorDaniel Stenberg <daniel@haxx.se>2019-09-16 10:15:05 +0200
committerDaniel Stenberg <daniel@haxx.se>2019-09-16 14:16:06 +0200
commit6de10536928d212387cc22fbf6e9793f260fc390 (patch)
tree6e9f108a9ce1132a4bc383e053763bdec6c4596f /lib/smb.c
parent00da834156a4b3d7c71cbe21964d053be0db2f57 (diff)
downloadcurl-6de10536928d212387cc22fbf6e9793f260fc390.tar.gz
smb: check for full size message before reading message details
To avoid reading of uninitialized data. Assisted-by: Max Dymond Bug: https://crbug.com/oss-fuzz/16907 Closes #4363
Diffstat (limited to 'lib/smb.c')
-rw-r--r--lib/smb.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/lib/smb.c b/lib/smb.c
index f66c05ca4..12f99257f 100644
--- a/lib/smb.c
+++ b/lib/smb.c
@@ -682,7 +682,8 @@ static CURLcode smb_connection_state(struct connectdata *conn, bool *done)
switch(smbc->state) {
case SMB_NEGOTIATE:
- if(h->status || smbc->got < sizeof(*nrsp) + sizeof(smbc->challenge) - 1) {
+ if((smbc->got < sizeof(*nrsp) + sizeof(smbc->challenge) - 1) ||
+ h->status) {
connclose(conn, "SMB: negotiation failed");
return CURLE_COULDNT_CONNECT;
}
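Review bot: The reordered condition in the SMB_NEGOTIATE case now relies on short-circuit evaluation for safety, but nothing in the code says so. A later tidy-up could move `h->status` back to the front and reintroduce the read of uninitialized data. I would add a comment above the `if`, for example `/* length check must come first: h->status is only valid once a full message has been received */`. Only this case is visible here; if other cases of the switch read `h->status` or other message fields without a comparable `smbc->got` check, they presumably need the same guard, which should be confirmed against the full function. smb_connection_state starts and ends outside the hunk.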