aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDaniel Stenberg <daniel@haxx.se>2018-05-12 22:24:25 +0200
committerDaniel Stenberg <daniel@haxx.se>2018-05-12 22:24:25 +0200
commit9cacc24630e55ea54803458f37fadfe9d4beb52c (patch)
treebcb63a6bc2d228ab9eca95d0ad1e5e64ea8a98b0
parentfe6b78b42dee1d33a2a225de6e42d0d922d4fe10 (diff)
smb: reject negative file sizes
Assisted-by: Max Dymond Detected by OSS-Fuzz Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8245
-rw-r--r--lib/smb.c14
1 files changed, 10 insertions, 4 deletions
diff --git a/lib/smb.c b/lib/smb.c
index b4326341e..9ac61505c 100644
--- a/lib/smb.c
+++ b/lib/smb.c
@@ -790,10 +790,16 @@ static CURLcode smb_request_state(struct connectdata *conn, bool *done)
else {
smb_m = (const struct smb_nt_create_response*) msg;
conn->data->req.size = smb_swap64(smb_m->end_of_file);
- Curl_pgrsSetDownloadSize(conn->data, conn->data->req.size);
- if(conn->data->set.get_filetime)
- get_posix_time(&conn->data->info.filetime, smb_m->last_change_time);
- next_state = SMB_DOWNLOAD;
+ if(conn->data->req.size < 0) {
+ req->result = CURLE_WEIRD_SERVER_REPLY;
+ next_state = SMB_CLOSE;
+ }
+ else {
+ Curl_pgrsSetDownloadSize(conn->data, conn->data->req.size);
+ if(conn->data->set.get_filetime)
+ get_posix_time(&conn->data->info.filetime, smb_m->last_change_time);
+ next_state = SMB_DOWNLOAD;
+ }
}
break;