From daef678bcda0999bbe1c4c49b556830889178fc4 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Wed, 3 Feb 2016 09:18:14 +0100 Subject: [PATCH] smbd: Fix CID 1351215 Improper use of negative value BUG: https://bugzilla.samba.org/show_bug.cgi?id=11724 Signed-off-by: Volker Lendecke Reviewed-by: Michael Adam Autobuild-User(master): Michael Adam Autobuild-Date(master): Wed Feb 3 15:03:09 CET 2016 on sn-devel-144 (cherry picked from commit 2d80498e64bc7f9e1fd2d080825c1e8904018a19) --- source3/smbd/smbXsrv_client.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/source3/smbd/smbXsrv_client.c b/source3/smbd/smbXsrv_client.c index 87cc307..0b9d8c4 100644 --- a/source3/smbd/smbXsrv_client.c +++ b/source3/smbd/smbXsrv_client.c @@ -287,14 +287,20 @@ NTSTATUS smb2srv_client_connection_pass(struct smbd_smb2_request *smb2req, NTSTATUS status; struct smbXsrv_connection_pass0 pass_info0; struct smbXsrv_connection_passB pass_blob; + ssize_t reqlen; struct iovec iov; pass_info0.initial_connect_time = global->initial_connect_time; pass_info0.client_guid = global->client_guid; - pass_info0.negotiate_request.length = iov_buflen(smb2req->in.vector, - smb2req->in.vector_count); + + reqlen = iov_buflen(smb2req->in.vector, smb2req->in.vector_count); + if (reqlen == -1) { + return NT_STATUS_INVALID_BUFFER_SIZE; + } + + pass_info0.negotiate_request.length = reqlen; pass_info0.negotiate_request.data = talloc_array(talloc_tos(), uint8_t, - pass_info0.negotiate_request.length); + reqlen); if (pass_info0.negotiate_request.data == NULL) { return NT_STATUS_NO_MEMORY; } -- 2.5.0