r6269: With help from Marcel Müller <mueller@maazl.de> in tracking down the bug,

fix trans2 and nttrans secondary packet processing. We were being too strict checking
the incoming packet (by 1 byte).
Jeremy.
(This used to be commit 3eea1ff4b7428325c7f304bcac61d6297209a4b8)

source3/smbd/nttrans.c

@@ -2946,6 +2946,9 @@ due to being in oplock break state.\n", (unsigned int)function_code ));
 
 			ret = receive_next_smb(inbuf,bufsize,SMB_SECONDARY_WAIT);
 
+			/* We need to re-calcuate the new length after we've read the secondary packet. */
+			length = smb_len(inbuf) + 4;
+
 			/*
 			 * The sequence number for the trans reply is always
 			 * based on the last secondary received.
@@ -2993,7 +2996,7 @@ due to being in oplock break state.\n", (unsigned int)function_code ));
 					goto bad_param;
 				if (parameter_displacement > total_parameter_count)
 					goto bad_param;
-				if ((smb_base(inbuf) + parameter_offset + parameter_count >= inbuf + bufsize) ||
+				if ((smb_base(inbuf) + parameter_offset + parameter_count > inbuf + length) ||
 						(smb_base(inbuf) + parameter_offset + parameter_count < smb_base(inbuf)))
 					goto bad_param;
 				if (parameter_displacement + params < params)
@@ -3010,7 +3013,7 @@ due to being in oplock break state.\n", (unsigned int)function_code ));
 					goto bad_param;
 				if (data_displacement > total_data_count)
 					goto bad_param;
-				if ((smb_base(inbuf) + data_offset + data_count >= inbuf + bufsize) ||
+				if ((smb_base(inbuf) + data_offset + data_count > inbuf + length) ||
 						(smb_base(inbuf) + data_offset + data_count < smb_base(inbuf)))
 					goto bad_param;
 				if (data_displacement + data < data)

source3/smbd/trans2.c

@@ -4885,6 +4885,9 @@ int reply_trans2(connection_struct *conn,
 			unsigned int data_off;
 
 			ret = receive_next_smb(inbuf,bufsize,SMB_SECONDARY_WAIT);
+
+			/* We need to re-calcuate the new length after we've read the secondary packet. */
+			length = smb_len(inbuf) + 4;
 			
 			/*
 			 * The sequence number for the trans reply is always
@@ -4932,7 +4935,7 @@ int reply_trans2(connection_struct *conn,
 					goto bad_param;
 				if (param_disp > total_params)
 					goto bad_param;
-				if ((smb_base(inbuf) + param_off + num_params >= inbuf + bufsize) ||
+				if ((smb_base(inbuf) + param_off + num_params > inbuf + length) ||
 						(smb_base(inbuf) + param_off + num_params < smb_base(inbuf)))
 					goto bad_param;
 				if (params + param_disp < params)
@@ -4948,7 +4951,7 @@ int reply_trans2(connection_struct *conn,
 					goto bad_param;
 				if (data_disp > total_data)
 					goto bad_param;
-				if ((smb_base(inbuf) + data_off + num_data >= inbuf + bufsize) ||
+				if ((smb_base(inbuf) + data_off + num_data > inbuf + length) ||
 						(smb_base(inbuf) + data_off + num_data < smb_base(inbuf)))
 					goto bad_param;
 				if (data + data_disp < data)