Changeset 134 for branches/samba-3.0/source/smbd/trans2.c
- Timestamp:
- May 23, 2008, 6:56:41 AM (17 years ago)
- File:
-
- 1 edited
branches/samba-3.0/source/smbd/trans2.c
r124 r134 6594 6594 unsigned int pscnt = SVAL(inbuf, smb_pscnt); 6595 6595 unsigned int tran_call = SVAL(inbuf, smb_setup0); 6596 unsigned int av_size = size-4; 6596 6597 struct trans_state *state; 6597 6598 NTSTATUS result; … … 6675 6676 return(ERROR_DOS(ERRDOS,ERRnomem)); 6676 6677 } 6677 if ((dsoff+dscnt < dsoff) || (dsoff+dscnt < dscnt)) 6678 6679 if (dscnt > state->total_data || 6680 dsoff+dscnt < dsoff) { 6678 6681 goto bad_param; 6679 if ((smb_base(inbuf)+dsoff+dscnt > inbuf + size) || 6680 (smb_base(inbuf)+dsoff+dscnt < smb_base(inbuf))) 6681 goto bad_param; 6682 } 6683 6684 if (dsoff > av_size || 6685 dscnt > av_size || 6686 dsoff+dscnt > av_size) { 6687 goto bad_param; 6688 } 6682 6689 6683 6690 memcpy(state->data,smb_base(inbuf)+dsoff,dscnt); … … 6696 6703 return(ERROR_DOS(ERRDOS,ERRnomem)); 6697 6704 } 6698 if ((psoff+pscnt < psoff) || (psoff+pscnt < pscnt)) 6705 6706 if (pscnt > state->total_param || 6707 psoff+pscnt < psoff) { 6699 6708 goto bad_param; 6700 if ((smb_base(inbuf)+psoff+pscnt > inbuf + size) || 6701 (smb_base(inbuf)+psoff+pscnt < smb_base(inbuf))) 6709 } 6710 6711 if (psoff > av_size || 6712 pscnt > av_size || 6713 psoff+pscnt > av_size) { 6702 6714 goto bad_param; 6715 } 6703 6716 6704 6717 memcpy(state->param,smb_base(inbuf)+psoff,pscnt); … … 6749 6762 int outsize = 0; 6750 6763 unsigned int pcnt,poff,dcnt,doff,pdisp,ddisp; 6764 unsigned int av_size = size-4; 6751 6765 struct trans_state *state; 6752 6766 … … 6791 6805 6792 6806 if (pcnt) { 6793 if (pdisp+pcnt > state->total_param) 6807 if (pdisp > state->total_param || 6808 pcnt > state->total_param || 6809 pdisp+pcnt > state->total_param || 6810 pdisp+pcnt < pdisp) { 6794 6811 goto bad_param; 6795 if ((pdisp+pcnt < pdisp) || (pdisp+pcnt < pcnt)) 6812 } 6813 6814 if (poff > av_size || 6815 pcnt > av_size || 6816 poff+pcnt > av_size || 6817 poff+pcnt < poff) { 6796 6818 goto bad_param; 6797 if (pdisp > state->total_param) 6798 goto bad_param; 6799 if ((smb_base(inbuf) + poff + pcnt > 
inbuf + size) || 6800 (smb_base(inbuf) + poff + pcnt < smb_base(inbuf))) 6801 goto bad_param; 6802 if (state->param + pdisp < state->param) 6803 goto bad_param; 6819 } 6804 6820 6805 6821 memcpy(state->param+pdisp,smb_base(inbuf)+poff, … … 6808 6824 6809 6825 if (dcnt) { 6810 if (ddisp+dcnt > state->total_data) 6826 if (ddisp > state->total_data || 6827 dcnt > state->total_data || 6828 ddisp+dcnt > state->total_data || 6829 ddisp+dcnt < ddisp) { 6811 6830 goto bad_param; 6812 if ((ddisp+dcnt < ddisp) || (ddisp+dcnt < dcnt)) 6831 } 6832 6833 if (ddisp > av_size || 6834 dcnt > av_size || 6835 ddisp+dcnt > av_size || 6836 ddisp+dcnt < ddisp) { 6813 6837 goto bad_param; 6814 if (ddisp > state->total_data) 6815 goto bad_param; 6816 if ((smb_base(inbuf) + doff + dcnt > inbuf + size) || 6817 (smb_base(inbuf) + doff + dcnt < smb_base(inbuf))) 6818 goto bad_param; 6819 if (state->data + ddisp < state->data) 6820 goto bad_param; 6838 } 6821 6839 6822 6840 memcpy(state->data+ddisp, smb_base(inbuf)+doff,
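Review bot: In reply_transs the new input-buffer bound for the data block (new lines 6833-6836) tests `ddisp` against av_size, but the memcpy on line 6840 reads from `smb_base(inbuf)+doff`, so `doff` is never compared with av_size and the removed `smb_base(inbuf) + doff + dcnt > inbuf + size` check has no replacement; the parallel param block (6814-6817) correctly uses `poff`. The condition should read `if (doff > av_size || dcnt > av_size || doff+dcnt > av_size || doff+dcnt < doff) {` so the source of the copy is bounded by the request size. The `ddisp` checks already sit in the preceding block against state->total_data, so nothing is lost by the swap. Separately, `av_size = size-4` is computed in unsigned arithmetic with no visible check that size >= 4; if that is enforced earlier in these functions it is outside the hunk and worth a comment at the declaration. Both enclosing functions start and end outside the hunk.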