|
@@ -339,12 +339,13 @@ static int validate_t2(struct smb_t2_rsp *pSMB)
|
|
|
get_unaligned_le16(&pSMB->t2_rsp.DataOffset) > 1024)
|
|
|
goto vt2_err;
|
|
|
|
|
|
- /* check that bcc is at least as big as parms + data */
|
|
|
- /* check that bcc is less than negotiated smb buffer */
|
|
|
total_size = get_unaligned_le16(&pSMB->t2_rsp.ParameterCount);
|
|
|
if (total_size >= 512)
|
|
|
goto vt2_err;
|
|
|
|
|
|
+ /* check that bcc is at least as big as parms + data, and that it is
|
|
|
+ * less than negotiated smb buffer
|
|
|
+ */
|
|
|
total_size += get_unaligned_le16(&pSMB->t2_rsp.DataCount);
|
|
|
if (total_size > get_bcc(&pSMB->hdr) ||
|
|
|
total_size >= CIFSMaxBufSize + MAX_CIFS_HDR_SIZE)
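Review bot: The merged comment above `total_size += get_unaligned_le16(&pSMB->t2_rsp.DataCount);` reads as if bcc is what must be less than the negotiated buffer, but the condition compares `total_size` (ParameterCount + DataCount) with `CIFSMaxBufSize + MAX_CIFS_HDR_SIZE`, so bcc itself is not bounded by these lines. Reword it to match the code, for example `/* parms + data must not exceed bcc and must stay below the negotiated smb buffer size */`. Separately, the visible checks cap the data offset at 1024 and the counts against bcc, but nothing in the hunk ties offset + count to the length actually received; if callers rely on validate_t2 for that guarantee, it should be confirmed and stated in the comment. validate_t2 starts before and continues past this hunk, so a check outside the visible lines may already cover it.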
|