From 009bb0be7383777a650a3bc6af1c0d3ab7476ebc Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl@samba.org>
Date: Fri, 10 Feb 2012 08:39:33 +0100
Subject: [PATCH 2/2] v3-0-test: Port back some packet consistency checks

---
 source/smbd/process.c |   18 ++++++++++++++++++
 1 files changed, 18 insertions(+), 0 deletions(-)

diff --git source/smbd/process.c source/smbd/process.c
index f64e1ce..8aabef8 100644
--- source/smbd/process.c
+++ source/smbd/process.c
@@ -1025,6 +1025,7 @@ static int construct_reply(char *inbuf,char *outbuf,int size,int bufsize)
 	int outsize = 0;
 	int msg_type = CVAL(inbuf,0);
 	uint16_t mid = SVAL(inbuf, smb_mid);
+	uint8_t wct = CVAL(inbuf, smb_wct);
 
 	chain_size = 0;
 	file_chain_reset();
@@ -1033,6 +1034,23 @@ static int construct_reply(char *inbuf,char *outbuf,int size,int bufsize)
 	if (msg_type != 0)
 		return(reply_special(inbuf,outbuf));  
 
+	/* Ensure we have at least wct words and 2 bytes of bcc. */
+	if (smb_size + wct*2 > size) {
+		DEBUG(0,("init_smb_request: invalid wct number %u (size %u)\n",
+			(unsigned int)wct,
+			(unsigned int)size));
+		exit_server_cleanly("Invalid SMB request");
+	}
+	/* Ensure bcc is correct. */
+	if (((uint8 *)smb_buf(inbuf)) + smb_buflen(inbuf) > inbuf + size) {
+		DEBUG(0,("init_smb_request: invalid bcc number %u "
+			"(wct = %u, size %u)\n",
+			(unsigned int)smb_buflen(inbuf),
+			(unsigned int)wct,
+			(unsigned int)size));
+		exit_server_cleanly("Invalid SMB request");
+	}
+
 	construct_reply_common(inbuf, outbuf);
 
 	outsize = switch_message(type,inbuf,outbuf,size,bufsize);
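Review bot: The bcc check in the second hunk is done on pointers rather than lengths: `smb_buf(inbuf) + smb_buflen(inbuf)` is formed before the comparison, and since smb_buflen is a 16-bit value read from the client it can land well past the end of `inbuf` (pointer arithmetic beyond the object, which the compiler is free to mis-optimize), and the comparison also mixes a `uint8 *` with the `char *` `inbuf + size`, which most compilers warn about. Assuming smb_buf(inbuf) resolves to `inbuf + smb_size + wct*2` as elsewhere in this tree, the wct check just above already guarantees that prefix is present, so the same condition can be written with integers only, `if (smb_size + wct*2 + smb_buflen(inbuf) > size) {`, with no cast and no out-of-range pointer. Separately, both DEBUG messages are prefixed `init_smb_request:` although this code is in construct_reply (the prefix looks carried over from the code it was ported from); use `"construct_reply: invalid wct number %u (size %u)\n"` and the matching prefix on the bcc message so log triage points at the right function. construct_reply begins before the first hunk and ends after this one.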
--
1.7.3.4
