smb: reject negative file sizes
authorDaniel Stenberg <daniel@haxx.se>
Sat, 12 May 2018 20:24:25 +0000 (22:24 +0200)
committerDaniel Stenberg <daniel@haxx.se>
Sat, 12 May 2018 20:24:25 +0000 (22:24 +0200)
Assisted-by: Max Dymond
Detected by OSS-Fuzz
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8245

lib/smb.c

index b4326341ea24ff598bfac52ab055e8ee59842f8f..9ac61505cf441a0b42dc0089e85b94f763d07b1b 100644 (file)
--- a/lib/smb.c
+++ b/lib/smb.c
@@ -790,10 +790,16 @@ static CURLcode smb_request_state(struct connectdata *conn, bool *done)
     else {
       smb_m = (const struct smb_nt_create_response*) msg;
       conn->data->req.size = smb_swap64(smb_m->end_of_file);
-      Curl_pgrsSetDownloadSize(conn->data, conn->data->req.size);
-      if(conn->data->set.get_filetime)
-        get_posix_time(&conn->data->info.filetime, smb_m->last_change_time);
-      next_state = SMB_DOWNLOAD;
+      if(conn->data->req.size < 0) {
+        req->result = CURLE_WEIRD_SERVER_REPLY;
+        next_state = SMB_CLOSE;
+      }
+      else {
+        Curl_pgrsSetDownloadSize(conn->data, conn->data->req.size);
+        if(conn->data->set.get_filetime)
+          get_posix_time(&conn->data->info.filetime, smb_m->last_change_time);
+        next_state = SMB_DOWNLOAD;
+      }
     }
     break;
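Review bot: The server-supplied size is stored in `conn->data->req.size` before it is checked, so on the new rejection branch the request keeps a negative size while the state moves to SMB_CLOSE; whether anything reads it afterwards is not visible in this hunk. Converting into a local first would keep the field clean, e.g. `curl_off_t size = smb_swap64(smb_m->end_of_file);` (assuming `req.size` is a `curl_off_t`), then `if(size < 0)`, with `conn->data->req.size = size;` only in the else branch. A comment on the check, such as `/* end_of_file comes from the server; a value with the top bit set turns negative in the signed size */`, and a `failf()` on that branch would explain the CURLE_WEIRD_SERVER_REPLY to the reader and the user. The body of smb_request_state starts and ends outside the hunk.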