From 9cacc24630e55ea54803458f37fadfe9d4beb52c Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Sat, 12 May 2018 22:24:25 +0200 Subject: smb: reject negative file sizes Assisted-by: Max Dymond Detected by OSS-Fuzz Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8245 --- lib/smb.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/lib/smb.c b/lib/smb.c index b4326341e..9ac61505c 100644 --- a/lib/smb.c +++ b/lib/smb.c @@ -790,10 +790,16 @@ static CURLcode smb_request_state(struct connectdata *conn, bool *done) else { smb_m = (const struct smb_nt_create_response*) msg; conn->data->req.size = smb_swap64(smb_m->end_of_file); - Curl_pgrsSetDownloadSize(conn->data, conn->data->req.size); - if(conn->data->set.get_filetime) - get_posix_time(&conn->data->info.filetime, smb_m->last_change_time); - next_state = SMB_DOWNLOAD; + if(conn->data->req.size < 0) { + req->result = CURLE_WEIRD_SERVER_REPLY; + next_state = SMB_CLOSE; + } + else { + Curl_pgrsSetDownloadSize(conn->data, conn->data->req.size); + if(conn->data->set.get_filetime) + get_posix_time(&conn->data->info.filetime, smb_m->last_change_time); + next_state = SMB_DOWNLOAD; + } } break; -- cgit v1.2.3