From 9f88f9b24a37b918166bf31569d7e69f9d23632b Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Mon, 16 Sep 2019 10:15:05 +0200
Subject: smb: check for full size message before reading message details

To avoid reading of uninitialized data.

Assisted-by: Max Dymond
Bug: https://crbug.com/oss-fuzz/16907
---
 lib/smb.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/smb.c b/lib/smb.c
index f66c05ca4..12f99257f 100644
--- a/lib/smb.c
+++ b/lib/smb.c
@@ -682,7 +682,8 @@ static CURLcode smb_connection_state(struct connectdata *conn, bool *done)
 switch(smbc->state) {
 case SMB_NEGOTIATE:
- if(h->status || smbc->got < sizeof(*nrsp) + sizeof(smbc->challenge) - 1) {
+ if((smbc->got < sizeof(*nrsp) + sizeof(smbc->challenge) - 1) ||
+ h->status) {
 connclose(conn, "SMB: negotiation failed");
 return CURLE_COULDNT_CONNECT;
 }
-- 
cgit v1.2.1
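Review bot: The reordered condition is only safe because `||` short-circuits, and nothing in the new lines records that `h->status` must not be evaluated before the length check, so a later tidy-up could swap the operands back and reintroduce the read of bytes that have not been received yet. A comment above the `if` would pin the intent, e.g. `/* length check first: h points into the receive buffer, so h->status is only valid once the whole negotiate response has arrived */`. The fix also relies on `sizeof(*nrsp) + sizeof(smbc->challenge) - 1` covering the header that `h` addresses, which is set up in the function prologue outside this hunk; that is worth confirming, as is whether the other `case` arms that read `h` order their size checks the same way. smb_connection_state begins and ends outside the hunk.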