generic-library/curl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

SMB: rangecheck values read off incoming packet

Browse Source 
CVE-2015-3237

Detected by Coverity. CID 1299430.

Bug: http://curl.haxx.se/docs/adv_20150617B.html
This commit is contained in:
Daniel Stenberg
2015-05-22 10:28:21 +02:00
parent 3e7ec1e849
commit 50c7f17e50
1 changed files with 9 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
lib/smb.c
View File

@@ -783,6 +783,12 @@ static CURLcode smb_request_state(struct connectdata *conn, bool *done)
off = Curl_read16_le(((unsigned char *) msg) + off = Curl_read16_le(((unsigned char *) msg) +
sizeof(struct smb_header) + 13); sizeof(struct smb_header) + 13);
if(len > 0) { if(len > 0) {
struct smb_conn *smbc = &conn->proto.smbc;
if(off + sizeof(unsigned int) + len > smbc->got) {
failf(conn->data, "Invalid input packet");
result = CURLE_RECV_ERROR;
}
else
result = Curl_client_write(conn, CLIENTWRITE_BODY, result = Curl_client_write(conn, CLIENTWRITE_BODY,
(char *)msg + off + sizeof(unsigned int), (char *)msg + off + sizeof(unsigned int),
len); len);