summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDaniel Stenberg <daniel@haxx.se>2015-05-22 10:28:21 +0200
committerDaniel Stenberg <daniel@haxx.se>2015-06-17 07:43:13 +0200
commit50c7f17e503fbab5081b69c97f9d4645389b9270 (patch)
tree0fade234d6c19dffa216c3c0352476e497c33620
parent3e7ec1e8492824f0c6f6dea718624935a1407069 (diff)
downloadgnurl-50c7f17e503fbab5081b69c97f9d4645389b9270.tar.gz
gnurl-50c7f17e503fbab5081b69c97f9d4645389b9270.tar.bz2
gnurl-50c7f17e503fbab5081b69c97f9d4645389b9270.zip
SMB: rangecheck values read off incoming packet
CVE-2015-3237 Detected by Coverity. CID 1299430. Bug: http://curl.haxx.se/docs/adv_20150617B.html
Diffstat
-rw-r--r--lib/smb.c12
1 files changed, 9 insertions, 3 deletions
diff --git a/lib/smb.c b/lib/smb.c
index 8cb350359..d461a712c 100644
--- a/lib/smb.c
+++ b/lib/smb.c
@@ -783,9 +783,15 @@ static CURLcode smb_request_state(struct connectdata *conn, bool *done)
off = Curl_read16_le(((unsigned char *) msg) +
sizeof(struct smb_header) + 13);
if(len > 0) {
- result = Curl_client_write(conn, CLIENTWRITE_BODY,
- (char *)msg + off + sizeof(unsigned int),
- len);
+ struct smb_conn *smbc = &conn->proto.smbc;
+ if(off + sizeof(unsigned int) + len > smbc->got) {
+ failf(conn->data, "Invalid input packet");
+ result = CURLE_RECV_ERROR;
+ }
+ else
+ result = Curl_client_write(conn, CLIENTWRITE_BODY,
+ (char *)msg + off + sizeof(unsigned int),
+ len);
if(result) {
req->result = result;
next_state = SMB_CLOSE;
generated by cgit v1.2.3 (git 2.39.1) at 2024-05-11 13:37:01 +0000