From 9818b31167531f41cbf08fccf89d60ca128c3d4d Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl@samba.org>
Date: Tue, 27 Aug 2013 09:36:03 +0000
Subject: smbd: Correctly return INFO_LENGTH_MISMATCH in smb2_getinfo

We have to return this error if the client offered less than the fixed
portion of the infolevel data requires

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10106
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 91939614760837b2ac2c6bb8b5daac108a4f4670)
---
 source3/smbd/smb2_getinfo.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/source3/smbd/smb2_getinfo.c b/source3/smbd/smb2_getinfo.c
index 91595d53cb8..714a6bdf08b 100644
--- a/source3/smbd/smb2_getinfo.c
+++ b/source3/smbd/smb2_getinfo.c
@@ -383,6 +383,12 @@ static struct tevent_req *smbd_smb2_getinfo_send(TALLOC_CTX *mem_ctx,
 			tevent_req_nterror(req, status);
 			return tevent_req_post(req, ev);
 		}
+		if (in_output_buffer_length < fixed_portion) {
+			SAFE_FREE(data);
+			tevent_req_nterror(
+				req, NT_STATUS_INFO_LENGTH_MISMATCH);
+			return tevent_req_post(req, ev);
+		}
 		if (data_size > 0) {
 			state->out_output_buffer = data_blob_talloc(state,
 								    data,
@@ -425,6 +431,12 @@ static struct tevent_req *smbd_smb2_getinfo_send(TALLOC_CTX *mem_ctx,
 			tevent_req_nterror(req, status);
 			return tevent_req_post(req, ev);
 		}
+		if (in_output_buffer_length < fixed_portion) {
+			SAFE_FREE(data);
+			tevent_req_nterror(
+				req, NT_STATUS_INFO_LENGTH_MISMATCH);
+			return tevent_req_post(req, ev);
+		}
 		if (data_size > 0) {
 			state->out_output_buffer = data_blob_talloc(state,
 								    data,
-- 
cgit v1.2.1