s3:smbd: do not access data behind req->buf+req->buflen in srvstr_pull_req_talloc()

The last 3 patches address bug #9782 - Panic when running 'smbtorture smb.base'.
author: Ralph Wuerthner <ralph.wuerthner@de.ibm.com> 2013-04-04 13:29:01 +0200
committer: Karolin Seeger <kseeger@samba.org> 2013-04-17 08:56:03 +0200
commit: 284f5790cec980f3d6c6cf740d28a364003e59fc (patch)
tree: 1b1770363a14d662b6862f9bbc855c7bc8e4719e /source3
parent: c22b34a9c638ec618a1f680940c14989ba811c18 (diff)
download: samba-284f5790cec980f3d6c6cf740d28a364003e59fc.tar.gz
1 files changed, 7 insertions, 1 deletions
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index 3717f366ee8..c815a5a9dd4 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -346,8 +346,14 @@ size_t srvstr_get_path_req(TALLOC_CTX *mem_ctx, struct smb_request *req,
 size_t srvstr_pull_req_talloc(TALLOC_CTX *ctx, struct smb_request *req,
 			      char **dest, const char *src, int flags)
 {
+	ssize_t bufrem = smbreq_bufrem(req, src);
+
+	if (bufrem < 0) {
+		return 0;
+	}
+
 	return pull_string_talloc(ctx, req->inbuf, req->flags2, dest, src,
-				  smbreq_bufrem(req, src), flags);
+				  bufrem, flags);
 }
 
 /****************************************************************************
author	Ralph Wuerthner <ralph.wuerthner@de.ibm.com>	2013-04-04 13:29:01 +0200
committer	Karolin Seeger <kseeger@samba.org>	2013-04-17 08:56:03 +0200
commit	284f5790cec980f3d6c6cf740d28a364003e59fc (patch)
tree	1b1770363a14d662b6862f9bbc855c7bc8e4719e /source3
parent	c22b34a9c638ec618a1f680940c14989ba811c18 (diff)
download	samba-284f5790cec980f3d6c6cf740d28a364003e59fc.tar.gz