From 8e63a72ec1e9ea9efcbcdf156274afaed9a4b2ea Mon Sep 17 00:00:00 2001
From: David Disseldorp
Date: Tue, 15 Jan 2013 17:23:12 +0100
Subject: [PATCH] smb2_ioctl: copychunk request max output validation

Check that the copychunk ioctl request maximum output specified by the client is large enough to hold copychunk response data.

Reviewed by: Jeremy Allison

Autobuild-User(master): Jeremy Allison
Autobuild-Date(master): Thu Jan 17 00:59:44 CET 2013 on sn-devel-104
---
 source3/smbd/smb2_ioctl_network_fs.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/source3/smbd/smb2_ioctl_network_fs.c b/source3/smbd/smb2_ioctl_network_fs.c
index 8341f2b327d..76625ab5104 100644
--- a/source3/smbd/smb2_ioctl_network_fs.c
+++ b/source3/smbd/smb2_ioctl_network_fs.c
@@ -175,6 +175,7 @@ static struct tevent_req *fsctl_srv_copychunk_send(TALLOC_CTX *mem_ctx,
 struct tevent_context *ev,
 struct files_struct *dst_fsp,
 DATA_BLOB *in_input,
+ size_t in_max_output,
 struct smbd_smb2_request *smb2req)
 {
 struct tevent_req *req;
@@ -192,6 +193,16 @@ static struct tevent_req *fsctl_srv_copychunk_send(TALLOC_CTX *mem_ctx,
 return NULL;
 }
 state->conn = dst_fsp->conn;
+
+ if (in_max_output < sizeof(struct srv_copychunk_rsp)) {
+ DEBUG(3, ("max output %d not large enough to hold copy chunk "
+ "response %lu\n", (int)in_max_output,
+ sizeof(struct srv_copychunk_rsp)));
+ state->status = NT_STATUS_INVALID_PARAMETER;
+ tevent_req_nterror(req, state->status);
+ return tevent_req_post(req, ev);
+ }
+
 ndr_ret = ndr_pull_struct_blob(in_input, mem_ctx, &cc_copy,
 (ndr_pull_flags_fn_t)ndr_pull_srv_copychunk_copy);
 if (ndr_ret != NDR_ERR_SUCCESS) {
@@ -515,6 +526,7 @@ struct tevent_req *smb2_ioctl_network_fs(uint32_t ctl_code,
 case FSCTL_SRV_COPYCHUNK:
 subreq = fsctl_srv_copychunk_send(state, ev, state->fsp,
 &state->in_input,
+ state->in_max_output,
 state->smb2req);
 if (tevent_req_nomem(subreq, req)) {
 return tevent_req_post(req, ev);
-- 
2.11.4.GIT
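Review bot: The DEBUG call in the newly added block of the second hunk passes `sizeof(struct srv_copychunk_rsp)`, a `size_t`, to a `%lu` conversion, which is a format/argument mismatch (undefined behaviour, and what `-Wformat` flags) on any target where `size_t` is not `unsigned long`, and the `(int)` cast of `in_max_output` for `%d` can print a negative or truncated value for large client-supplied limits. Both values are `size_t`, so the portable form is `%zu` with the casts dropped: `DEBUG(3, ("max output %zu not large enough to hold copy chunk " "response %zu\n", in_max_output, sizeof(struct srv_copychunk_rsp)));` (assuming the DEBUG formatter accepts `%zu`, which the rest of the tree appears to rely on). Rejecting with NT_STATUS_INVALID_PARAMETER before the NDR pull is the right ordering, since the client-controlled output limit is validated before any request payload is parsed. fsctl_srv_copychunk_send's signature is in the previous hunk and its body continues past the end of this one.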