Changeset 134 for branches/samba-3.0/source/smbd/ipc.c
- Timestamp:
- May 23, 2008, 6:56:41 AM (17 years ago)
- File:
-
- 1 edited
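--- a/branches/samba-3.0/source/smbd/ipc.c
+++ b/branches/samba-3.0/source/smbd/ipc.c
@@ -435,4 +435,5 @@
 	unsigned int psoff = SVAL(inbuf, smb_psoff);
 	unsigned int pscnt = SVAL(inbuf, smb_pscnt);
+	unsigned int av_size = size-4;
 	struct trans_state *state;
 	NTSTATUS result;
@@ -490,9 +491,15 @@
 		/* null-terminate the slack space */
 		memset(&state->data[state->total_data], 0, 100);
-		if ((dsoff+dscnt < dsoff) || (dsoff+dscnt < dscnt))
-			goto bad_param;
-		if ((smb_base(inbuf)+dsoff+dscnt > inbuf + size) ||
-		    (smb_base(inbuf)+dsoff+dscnt < smb_base(inbuf)))
-			goto bad_param;
+
+		if (dscnt > state->total_data ||
+				dsoff+dscnt < dsoff) {
+			goto bad_param;
+		}
+
+		if (dsoff > av_size ||
+				dscnt > av_size ||
+				dsoff+dscnt > av_size) {
+			goto bad_param;
+		}
 
 		memcpy(state->data,smb_base(inbuf)+dsoff,dscnt);
@@ -513,9 +520,15 @@
 		/* null-terminate the slack space */
 		memset(&state->param[state->total_param], 0, 100);
-		if ((psoff+pscnt < psoff) || (psoff+pscnt < pscnt))
-			goto bad_param;
-		if ((smb_base(inbuf)+psoff+pscnt > inbuf + size) ||
-		    (smb_base(inbuf)+psoff+pscnt < smb_base(inbuf)))
-			goto bad_param;
+
+		if (pscnt > state->total_param ||
+				psoff+pscnt < psoff) {
+			goto bad_param;
+		}
+
+		if (psoff > av_size ||
+				pscnt > av_size ||
+				psoff+pscnt > av_size) {
+			goto bad_param;
+		}
 
 		memcpy(state->param,smb_base(inbuf)+psoff,pscnt);
@@ -601,4 +614,5 @@
 	int outsize = 0;
 	unsigned int pcnt,poff,dcnt,doff,pdisp,ddisp;
+	unsigned int av_size = size-4;
 	struct trans_state *state;
 	NTSTATUS result;
@@ -644,15 +658,17 @@
 
 	if (pcnt) {
-		if (pdisp+pcnt > state->total_param)
-			goto bad_param;
-		if ((pdisp+pcnt < pdisp) || (pdisp+pcnt < pcnt))
-			goto bad_param;
-		if (pdisp > state->total_param)
-			goto bad_param;
-		if ((smb_base(inbuf) + poff + pcnt > inbuf + size) ||
-		    (smb_base(inbuf) + poff + pcnt < smb_base(inbuf)))
-			goto bad_param;
-		if (state->param + pdisp < state->param)
-			goto bad_param;
+		if (pdisp > state->total_param ||
+				pcnt > state->total_param ||
+				pdisp+pcnt > state->total_param ||
+				pdisp+pcnt < pdisp) {
+			goto bad_param;
+		}
+
+		if (poff > av_size ||
+				pcnt > av_size ||
+				poff+pcnt > av_size ||
+				poff+pcnt < poff) {
+			goto bad_param;
+		}
 
 		memcpy(state->param+pdisp,smb_base(inbuf)+poff,
@@ -661,15 +677,17 @@
 
 	if (dcnt) {
-		if (ddisp+dcnt > state->total_data)
-			goto bad_param;
-		if ((ddisp+dcnt < ddisp) || (ddisp+dcnt < dcnt))
-			goto bad_param;
-		if (ddisp > state->total_data)
-			goto bad_param;
-		if ((smb_base(inbuf) + doff + dcnt > inbuf + size) ||
-		    (smb_base(inbuf) + doff + dcnt < smb_base(inbuf)))
-			goto bad_param;
-		if (state->data + ddisp < state->data)
-			goto bad_param;
+		if (ddisp > state->total_data ||
+				dcnt > state->total_data ||
+				ddisp+dcnt > state->total_data ||
+				ddisp+dcnt < ddisp) {
+			goto bad_param;
+		}
+
+		if (ddisp > av_size ||
+				dcnt > av_size ||
+				ddisp+dcnt > av_size ||
+				ddisp+dcnt < ddisp) {
+			goto bad_param;
+		}
 
 		memcpy(state->data+ddisp, smb_base(inbuf)+doff,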
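Review bot: In the last hunk's second bounds check (new lines 686–689) the wire offset `doff` is never compared against `av_size`; the test repeats `ddisp`, which the check just above has already bounded against `state->total_data`, while the memcpy two lines later reads from `smb_base(inbuf)+doff`. The parallel block for the parameter section uses `poff` in the same position, so this reads as a copy-paste slip that leaves the source of the copy unbounded by the packet size. The three lines should read `if (doff > av_size ||`, `doff+dcnt > av_size ||`, `doff+dcnt < doff) {`, keeping `dcnt > av_size ||` between them. Separately, `av_size = size-4` in both functions presumes `size` is at least 4 at that point; that precondition is established outside these hunks if at all, and a one-line comment stating it next to the declaration would make the check readable on its own. The enclosing functions begin and end outside the hunks.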