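diff --git a/source/smbd/process.c b/source/smbd/process.c
index e861e16..6499bc7 100644
--- a/source/smbd/process.c
+++ b/source/smbd/process.c
@@ -1159,6 +1159,7 @@ int chain_reply(char *inbuf,char *outbuf,int size,int bufsize)
 {
 static char *orig_inbuf;
 static char *orig_outbuf;
+static int orig_size;
 int smb_com1, smb_com2 = CVAL(inbuf,smb_vwv0);
 unsigned smb_off2 = SVAL(inbuf,smb_vwv1);
 char *inbuf2, *outbuf2;
@@ -1178,6 +1179,13 @@ int chain_reply(char *inbuf,char *outbuf,int size,int bufsize)
 /* this is the first part of the chain */
 orig_inbuf = inbuf;
 orig_outbuf = outbuf;
+orig_size = size;
+}
+
+/* Validate smb_off2 */
+if ((smb_off2 < smb_wct - 4) || orig_size < (smb_off2 + 4 - smb_wct)) {
+exit_server_cleanly("Bad chained packet");
+return -1;
 }
 
 /*
@@ -1192,6 +1200,11 @@ int chain_reply(char *inbuf,char *outbuf,int size,int bufsize)
 SSVAL(outbuf,smb_vwv1,smb_offset(outbuf+outsize,outbuf));
 SCVAL(outbuf,smb_vwv0,smb_com2);
 
+if (outsize <= smb_wct) {
+exit_server_cleanly("Bad chained packet");
+return -1;
+}
+
 /* remember how much the caller added to the chain, only counting stuff
 after the parameter words */
 chain_size += outsize - smb_wct;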
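Review bot: The upper bound in the new smb_off2 validation (second hunk) uses `orig_size < (smb_off2 + 4 - smb_wct)`, which still accepts `smb_off2 + 4 - smb_wct == orig_size`, i.e. a chained command positioned at the very end of the original packet with zero bytes left for its own word-count and byte-count fields; if the code after this hunk derives inbuf2 from that offset and reads those fields (the hunk does not show it), the bound should additionally require that header to fit inside orig_size rather than merely start within it. Note also that `orig_size` is an `int` compared against an `unsigned` expression, so the comparison is carried out unsigned; that is harmless for the non-negative sizes this function receives but is worth a one-line comment so a later reader does not "fix" it. Both new rejections exit with the identical string `"Bad chained packet"`, so a log entry cannot distinguish an out-of-range smb_off2 from an undersized outsize; distinct messages such as `"Bad chained packet: smb_off2 out of range"` and `"Bad chained packet: outsize too small"` would make incident triage of these aborts far easier. chain_reply's body begins before the first hunk and continues past the last.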