From e0f17b8e25cef360bc20dcf618a2259971a540cc Mon Sep 17 00:00:00 2001
From: rswindell <>
Date: Wed, 30 Oct 2002 03:43:08 +0000
Subject: [PATCH] smb_putmsghdr() now verifies that an incread header length
 will not require more storage blocks than originally allocated.

---
 src/smblib/smblib.c | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/src/smblib/smblib.c b/src/smblib/smblib.c
index c1d7552629..f385a04a3b 100644
--- a/src/smblib/smblib.c
+++ b/src/smblib/smblib.c
@@ -1188,7 +1188,7 @@ int SMBCALL smb_putmsgidx(smb_t* smb, smbmsg_t* msg)
 int SMBCALL smb_putmsghdr(smb_t* smb, smbmsg_t* msg)
 {
 	ushort	i;
-	ulong	l;
+	ulong	hdrlen;
 
 	if(smb->shd_fp==NULL) {
 		sprintf(smb->last_error,"msgbase not open");
@@ -1205,6 +1205,18 @@ int SMBCALL smb_putmsghdr(smb_t* smb, smbmsg_t* msg)
 		return(-1);
 	}
 
+	/* Verify that the number of blocks required to stored the actual
+	   (calculated) header length does not exceed the number allocated. */
+	hdrlen=smb_getmsghdrlen(msg);
+	if(smb_hdrblocks(hdrlen) > smb_hdrblocks(msg->hdr.length)) {
+		sprintf(smb->last_error,"illegal header length increase: "
+			"%lu (%lu blocks) vs %hu (%lu blocks)"
+			,hdrlen, smb_hdrblocks(hdrlen)
+			,msg->hdr.length, smb_hdrblocks(msg->hdr.length));
+		return(-8);
+	}
+	msg->hdr.length=hdrlen;	/* store the actual header length */
+
 	/**********************************/
 	/* Set the message header ID here */
 	/**********************************/
@@ -1242,13 +1254,12 @@ int SMBCALL smb_putmsghdr(smb_t* smb, smbmsg_t* msg)
 		}
 	}
 
-	l=smb_getmsghdrlen(msg);
-	while(l%SHD_BLOCK_LEN) {
+	while(hdrlen%SHD_BLOCK_LEN) {
 		if(fputc(0,smb->shd_fp)==EOF) {
 			sprintf(smb->last_error,"padding header block");
 			return(-6); /* pad block with NULL */
 		}
-		l++;
+		hdrlen++;
 	}
 	fflush(smb->shd_fp);
 	return(0);
-- 
GitLab
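Review bot: The block-count comparison in the second hunk does not bound `hdrlen` itself, so the assignment `msg->hdr.length=hdrlen;` that follows it narrows an `ulong` into what the `%hu` conversion shows is a `ushort` field; if SHD_BLOCK_LEN is a power of two, a computed length one past USHRT_MAX rounds to the same block count as USHRT_MAX, passes the check, and is stored truncated to 0, which the padding loop and any later reader would then trust. Rejecting the out-of-range value explicitly, `if(hdrlen > USHRT_MAX || smb_hdrblocks(hdrlen) > smb_hdrblocks(msg->hdr.length)) {`, closes that gap with the same error path (the `%lu` conversions also presume `smb_hdrblocks()` returns an `ulong`; worth confirming against its prototype). The check also presumes `msg->hdr.length` already holds the originally allocated length when a header is first written; if a caller creating a new message passes it as 0, every non-empty header is rejected, so that contract belongs in the comment, e.g. `/* msg->hdr.length must already hold the allocated header length (set by the caller / smb_addmsghdr) */`. The comment's "required to stored" should read "required to store". smb_putmsghdr() begins before this hunk and continues after it.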
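Review bot: The padding loop in the third hunk now relies on `hdrlen` computed near the top of the function, whereas the removed `l=smb_getmsghdrlen(msg);` recomputed the length immediately before padding, after the header fields had been written in the code between the two hunks. If anything in that stretch alters the message's field set, the pad count no longer matches the bytes actually written and the block boundary drifts; presumably nothing there does, but it is not visible in this diff, so a comment at the loop would protect the assumption: `/* hdrlen was computed before the fields were written; it must still equal the bytes written above */`. The enclosing function ends with `return(0);` at the bottom of this hunk.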