From: Daniel Stenberg
Date: Mon, 16 Sep 2019 08:15:05 +0000 (+0200)
Subject: smb: check for full size message before reading message details
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=6de10536928d212387cc22fbf6e9793f260fc390;p=curl
smb: check for full size message before reading message details
To avoid reading of uninitialized data.
Assisted-by: Max Dymond
Bug: https://crbug.com/oss-fuzz/16907
Closes #4363
---
diff --git a/lib/smb.c b/lib/smb.c
index f66c05ca4..12f99257f 100644
--- a/lib/smb.c
+++ b/lib/smb.c
@@ -682,7 +682,8 @@ static CURLcode smb_connection_state(struct connectdata *conn, bool *done)
 switch(smbc->state) {
 case SMB_NEGOTIATE:
- if(h->status || smbc->got < sizeof(*nrsp) + sizeof(smbc->challenge) - 1) {
+ if((smbc->got < sizeof(*nrsp) + sizeof(smbc->challenge) - 1) ||
+ h->status) {
 connclose(conn, "SMB: negotiation failed");
 return CURLE_COULDNT_CONNECT;
 }
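Review bot: The new operand order in the `if` is only safe because `||` short-circuits, and nothing in the hunk records that the order is load-bearing; a one-line comment would stop a later cleanup from swapping the operands back, e.g. `/* length check first: h->status lies past the bytes actually received when the message is short */`. The hunk header places this in smb_connection_state, whose body starts and ends outside the hunk; if the other `case` arms test `h->status` ahead of their own size check in the same way (not visible here), they need the same reordering, since this fix covers only SMB_NEGOTIATE. A single length guard where the received message is handed to this state machine would protect every arm at once, but that code is not part of this change.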