moparisthebest/curl
1
0
Fork 0
mirror of https://github.com/moparisthebest/curl synced 2024-11-17 15:05:02 -05:00
Code Issues Releases Wiki Activity

smb: reject negative file sizes

Browse Source 
Assisted-by: Max Dymond

Detected by OSS-Fuzz
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8245
This commit is contained in:
Daniel Stenberg 2018-05-12 22:24:25 +02:00
parent fe6b78b42d
commit 9cacc24630
1 changed files with 10 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
lib/smb.c
View File

@ -790,11 +790,17 @@ static CURLcode smb_request_state(struct connectdata *conn, bool *done)
else { else {
smb_m = (const struct smb_nt_create_response*) msg; smb_m = (const struct smb_nt_create_response*) msg;
conn->data->req.size = smb_swap64(smb_m->end_of_file); conn->data->req.size = smb_swap64(smb_m->end_of_file);
if(conn->data->req.size < 0) {
req->result = CURLE_WEIRD_SERVER_REPLY;
next_state = SMB_CLOSE;
}
else {
Curl_pgrsSetDownloadSize(conn->data, conn->data->req.size); Curl_pgrsSetDownloadSize(conn->data, conn->data->req.size);
if(conn->data->set.get_filetime) if(conn->data->set.get_filetime)
get_posix_time(&conn->data->info.filetime, smb_m->last_change_time); get_posix_time(&conn->data->info.filetime, smb_m->last_change_time);
next_state = SMB_DOWNLOAD; next_state = SMB_DOWNLOAD;
} }
}
break; break;
case SMB_DOWNLOAD: case SMB_DOWNLOAD: