smb: reject negative file sizes

Assisted-by: Max Dymond Detected by OSS-Fuzz Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8245
author: Daniel Stenberg <daniel@haxx.se> 2018-05-12 22:24:25 +0200
committer: Daniel Stenberg <daniel@haxx.se> 2018-05-12 22:24:25 +0200
commit: 9cacc24630e55ea54803458f37fadfe9d4beb52c (patch)
tree: bcb63a6bc2d228ab9eca95d0ad1e5e64ea8a98b0
parent: fe6b78b42dee1d33a2a225de6e42d0d922d4fe10 (diff)
1 files changed, 10 insertions, 4 deletions
diff --git a/lib/smb.c b/lib/smb.c
index b4326341e..9ac61505c 100644
--- a/lib/smb.c
+++ b/lib/smb.c
@@ -790,10 +790,16 @@ static CURLcode smb_request_state(struct connectdata *conn, bool *done)
     else {
       smb_m = (const struct smb_nt_create_response*) msg;
       conn->data->req.size = smb_swap64(smb_m->end_of_file);
-      Curl_pgrsSetDownloadSize(conn->data, conn->data->req.size);
-      if(conn->data->set.get_filetime)
-        get_posix_time(&conn->data->info.filetime, smb_m->last_change_time);
-      next_state = SMB_DOWNLOAD;
+      if(conn->data->req.size < 0) {
+        req->result = CURLE_WEIRD_SERVER_REPLY;
+        next_state = SMB_CLOSE;
+      }
+      else {
+        Curl_pgrsSetDownloadSize(conn->data, conn->data->req.size);
+        if(conn->data->set.get_filetime)
+          get_posix_time(&conn->data->info.filetime, smb_m->last_change_time);
+        next_state = SMB_DOWNLOAD;
+      }
     }
     break;
author	Daniel Stenberg <daniel@haxx.se>	2018-05-12 22:24:25 +0200
committer	Daniel Stenberg <daniel@haxx.se>	2018-05-12 22:24:25 +0200
commit	9cacc24630e55ea54803458f37fadfe9d4beb52c (patch)
tree	bcb63a6bc2d228ab9eca95d0ad1e5e64ea8a98b0
parent	fe6b78b42dee1d33a2a225de6e42d0d922d4fe10 (diff)