diff options
author | Ralph Wuerthner <ralph.wuerthner@de.ibm.com> | 2013-04-04 13:29:01 +0200 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2013-04-17 08:56:03 +0200 |
commit | 284f5790cec980f3d6c6cf740d28a364003e59fc (patch) | |
tree | 1b1770363a14d662b6862f9bbc855c7bc8e4719e /source3 | |
parent | c22b34a9c638ec618a1f680940c14989ba811c18 (diff) | |
download | samba-284f5790cec980f3d6c6cf740d28a364003e59fc.tar.gz |
s3:smbd: do not access data behind req->buf+req->buflen in srvstr_pull_req_talloc()
The last 3 patches address bug #9782 - Panic when running 'smbtorture smb.base'.
Diffstat (limited to 'source3')
-rw-r--r-- | source3/smbd/reply.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c index 3717f366ee8..c815a5a9dd4 100644 --- a/source3/smbd/reply.c +++ b/source3/smbd/reply.c @@ -346,8 +346,14 @@ size_t srvstr_get_path_req(TALLOC_CTX *mem_ctx, struct smb_request *req, size_t srvstr_pull_req_talloc(TALLOC_CTX *ctx, struct smb_request *req, char **dest, const char *src, int flags) { + ssize_t bufrem = smbreq_bufrem(req, src); + + if (bufrem < 0) { + return 0; + } + return pull_string_talloc(ctx, req->inbuf, req->flags2, dest, src, - smbreq_bufrem(req, src), flags); + bufrem, flags); } /**************************************************************************** |