keep track of beginning of buffer, and do not permit buf to be set to before it

author Michael Richardson <[email protected]>

Thu, 12 Sep 2019 14:27:32 +0000 (10:27 -0400)

committer Francois-Xavier Le Bail <[email protected]>

Tue, 24 Sep 2019 12:12:09 +0000 (14:12 +0200)
author Michael Richardson <[email protected]>
Thu, 12 Sep 2019 14:27:32 +0000 (10:27 -0400)
committer Francois-Xavier Le Bail <[email protected]>
Tue, 24 Sep 2019 12:12:09 +0000 (14:12 +0200)
diff --git a/smbutil.c b/smbutil.c

index e2d3c7bcb3dbfa6322ac68fe6f3ccf4896e27896..525635cbc7f78ebf5f5038267ecf8e9ccc4d6a25 100644 (file)
--- a/smbutil.c
+++ b/smbutil.c
@@ -798,6 +798,7 @@ smb_fdata(netdissect_options *ndo,
            int unicodestr)
  {
      static int depth = 0;
+    const u_char *buf_start = buf;
      char s[128];
      char *p;
  
@@ -876,8 +877,9 @@ smb_fdata(netdissect_options *ndo,
             s[p - fmt] = '\0';
             fmt = p + 1;
             buf = smb_fdata1(ndo, buf, s, maxbuf, unicodestr);
-           if (buf == NULL)
+           if(buf < buf_start || buf == NULL) {
                 return(NULL);
+           }
             break;
  
         default:
author	Michael Richardson <[email protected]>
	Thu, 12 Sep 2019 14:27:32 +0000 (10:27 -0400)
committer	Francois-Xavier Le Bail <[email protected]>
	Tue, 24 Sep 2019 12:12:09 +0000 (14:12 +0200)