Commit 9cacc246 authored by Daniel Stenberg's avatar Daniel Stenberg
Browse files

smb: reject negative file sizes 

Assisted-by: Max Dymond

Detected by OSS-Fuzz
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8245
parent fe6b78b4

lib/smb.c

+10 −4
Original line number Diff line number Diff line
@@ -790,11 +790,17 @@ static CURLcode smb_request_state(struct connectdata *conn, bool *done) 
    else {

      smb_m = (const struct smb_nt_create_response*) msg;

      conn->data->req.size = smb_swap64(smb_m->end_of_file);

      if(conn->data->req.size < 0) {

        req->result = CURLE_WEIRD_SERVER_REPLY;

        next_state = SMB_CLOSE;

      }

      else {

        Curl_pgrsSetDownloadSize(conn->data, conn->data->req.size);

        if(conn->data->set.get_filetime)

          get_posix_time(&conn->data->info.filetime, smb_m->last_change_time);

        next_state = SMB_DOWNLOAD;

      }

    }

    break;



  case SMB_DOWNLOAD: