From 6de10536928d212387cc22fbf6e9793f260fc390 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Mon, 16 Sep 2019 10:15:05 +0200
Subject: smb: check for full size message before reading message details

To avoid reading of uninitialized data.

Assisted-by: Max Dymond
Bug: https://crbug.com/oss-fuzz/16907
Closes #4363
---
 lib/smb.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'lib')

diff --git a/lib/smb.c b/lib/smb.c
index f66c05ca4..12f99257f 100644
--- a/lib/smb.c
+++ b/lib/smb.c
@@ -682,7 +682,8 @@ static CURLcode smb_connection_state(struct connectdata *conn, bool *done)
 switch(smbc->state) {
 case SMB_NEGOTIATE:
- if(h->status || smbc->got < sizeof(*nrsp) + sizeof(smbc->challenge) - 1) {
+ if((smbc->got < sizeof(*nrsp) + sizeof(smbc->challenge) - 1) ||
+ h->status) {
 connclose(conn, "SMB: negotiation failed");
 return CURLE_COULDNT_CONNECT;
 }
--
cgit v1.2.3
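Review bot: The fix rests entirely on short-circuit evaluation order — `smbc->got` must be compared before `h->status` is read — yet nothing in the two new lines records that, so a later tidy-up could swap the operands back to the original order without any compiler warning or test catching it. A one-line comment above the condition would pin the intent, e.g. `/* length check first: h->status is only initialized once a full NEGOTIATE response is in the buffer */`, which is exactly the uninitialized-read the commit message describes. The hunk shows only the SMB_NEGOTIATE case; the other cases of this switch and the rest of smb_connection_state() lie outside the hunk, and if they read header fields under a similar `status || size` condition they would presumably need the same reordering, so that is worth confirming. The parentheses around the size comparison are redundant since `<` binds tighter than `||`, but they do make the intended grouping obvious and can stay.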