author | Daniel Stenberg <daniel@haxx.se> | 2019-09-16 10:15:05 +0200 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2019-09-16 14:16:06 +0200 |
commit | 6de10536928d212387cc22fbf6e9793f260fc390 (patch) | |
tree | 6e9f108a9ce1132a4bc383e053763bdec6c4596f /lib/smb.c | |
parent | 00da834156a4b3d7c71cbe21964d053be0db2f57 (diff) | |
download | curl-6de10536928d212387cc22fbf6e9793f260fc390.tar.gz |
smb: check for full size message before reading message details
To avoid reading of uninitialized data.
Assisted-by: Max Dymond
Bug: https://crbug.com/oss-fuzz/16907
Closes #4363
Diffstat (limited to 'lib/smb.c')
-rw-r--r-- | lib/smb.c | 3 |
1 files changed, 2 insertions, 1 deletions
@@ -682,7 +682,8 @@ static CURLcode smb_connection_state(struct connectdata *conn, bool *done)
 switch(smbc->state) {
 case SMB_NEGOTIATE:
- if(h->status || smbc->got < sizeof(*nrsp) + sizeof(smbc->challenge) - 1) {
+ if((smbc->got < sizeof(*nrsp) + sizeof(smbc->challenge) - 1) ||
+ h->status) {
 connclose(conn, "SMB: negotiation failed");
 return CURLE_COULDNT_CONNECT;
 } |
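Review bot: The new ordering in the `SMB_NEGOTIATE` case is safe only because `||` short-circuits, and nothing in the code says so, so a later tidy-up could move `h->status` back to the front and reintroduce the read of bytes that were never received. A short comment above the `if` would pin this down, e.g. `/* length check must come first: h->status is only valid once a full message has arrived */`. The guard also covers just this one case; the remaining cases of the switch are outside the hunk, and if they read `h->status` or other header fields they presumably need the same minimum-size check, ideally done once before the `switch`. The body of smb_connection_state starts and ends outside the hunk.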