From 000323887350793440c360eba2be7729a7b5c4b0 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Sun, 10 Apr 2005 06:57:55 +0000
Subject: [PATCH] =?UTF-8?q?r6269:=20With=20help=20from=20Marcel=20M=C3=BCl?=
 =?UTF-8?q?ler=20=20in=20tracking=20down=20the=20bug,=20?=
 =?UTF-8?q?fix=20trans2=20and=20nttrans=20secondary=20packet=20processing.?=
 =?UTF-8?q?=20We=20were=20being=20too=20strict=20checking=20the=20incoming?=
 =?UTF-8?q?=20packet=20(by=201=20byte).=20Jeremy.=20(This=20used=20to=20be?=
 =?UTF-8?q?=20commit=203eea1ff4b7428325c7f304bcac61d6297209a4b8)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 source3/smbd/nttrans.c | 7 +++++--
 source3/smbd/trans2.c | 7 +++++--
 2 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
index 4dffe870c53..a3ffaad24ac 100644
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -2946,6 +2946,9 @@ due to being in oplock break state.\n", (unsigned int)function_code ));
 ret = receive_next_smb(inbuf,bufsize,SMB_SECONDARY_WAIT);
+ /* We need to re-calcuate the new length after we've read the secondary packet. */
+ length = smb_len(inbuf) + 4;
+
 /*
 * The sequence number for the trans reply is always
 * based on the last secondary received.
@@ -2993,7 +2996,7 @@ due to being in oplock break state.\n", (unsigned int)function_code ));
 goto bad_param;
 if (parameter_displacement > total_parameter_count)
 goto bad_param;
- if ((smb_base(inbuf) + parameter_offset + parameter_count >= inbuf + bufsize) ||
+ if ((smb_base(inbuf) + parameter_offset + parameter_count > inbuf + length) ||
 (smb_base(inbuf) + parameter_offset + parameter_count < smb_base(inbuf)))
 goto bad_param;
 if (parameter_displacement + params < params)
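Review bot: `length = smb_len(inbuf) + 4;` takes the new upper bound for the parameter and data checks straight from the length field of the secondary packet that was just read, so those checks are only sound if receive_next_smb() has already rejected a packet whose claimed length exceeds bufsize; that routine is not visible here and nothing in this hunk re-checks it. A one-line clamp after the recalculation keeps the guarantee local, `if (length > bufsize) goto bad_param;`, and the matching line added to reply_trans2 in source3/smbd/trans2.c wants the same treatment. It is also worth confirming that `ret` is tested before inbuf is parsed, since after a failed read smb_len(inbuf) describes whatever was in the buffer before (that test, if present, is outside the hunk). Minor: `re-calcuate` in the added comment is misspelled. The enclosing function starts and ends outside the hunk.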
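Review bot: The replacement check still forms `smb_base(inbuf) + parameter_offset + parameter_count` as a pointer from two client-supplied values and then relies on the `< smb_base(inbuf)` clause to catch wraparound; pointer arithmetic that leaves the buffer is undefined in C, so a compiler may legitimately discard that second clause and the first comparison alone is then the only guard. Doing the arithmetic in unsigned integers before any pointer is built keeps the test well-defined and reuses the `length` this commit introduces, e.g. `size_t avail = (size_t)((inbuf + length) - smb_base(inbuf));` followed by `if (parameter_offset > avail || parameter_count > avail - parameter_offset) goto bad_param;` (this presumes parameter_offset and parameter_count are unsigned and that length covers the header; their declarations are outside the hunk). The same pattern recurs in the data check of the next nttrans hunk and in both reply_trans2 hunks of source3/smbd/trans2.c. The enclosing function starts and ends outside the hunk.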
@@ -3010,7 +3013,7 @@ due to being in oplock break state.\n", (unsigned int)function_code ));
 goto bad_param;
 if (data_displacement > total_data_count)
 goto bad_param;
- if ((smb_base(inbuf) + data_offset + data_count >= inbuf + bufsize) ||
+ if ((smb_base(inbuf) + data_offset + data_count > inbuf + length) ||
 (smb_base(inbuf) + data_offset + data_count < smb_base(inbuf)))
 goto bad_param;
 if (data_displacement + data < data)
diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
index 1868ce8fe4a..adc6322ac33 100644
--- a/source3/smbd/trans2.c
+++ b/source3/smbd/trans2.c
@@ -4885,6 +4885,9 @@ int reply_trans2(connection_struct *conn,
 unsigned int data_off;
 ret = receive_next_smb(inbuf,bufsize,SMB_SECONDARY_WAIT);
+
+ /* We need to re-calcuate the new length after we've read the secondary packet. */
+ length = smb_len(inbuf) + 4;
 /*
 * The sequence number for the trans reply is always
@@ -4932,7 +4935,7 @@ int reply_trans2(connection_struct *conn,
 goto bad_param;
 if (param_disp > total_params)
 goto bad_param;
- if ((smb_base(inbuf) + param_off + num_params >= inbuf + bufsize) ||
+ if ((smb_base(inbuf) + param_off + num_params > inbuf + length) ||
 (smb_base(inbuf) + param_off + num_params < smb_base(inbuf)))
 goto bad_param;
 if (params + param_disp < params)
@@ -4948,7 +4951,7 @@ int reply_trans2(connection_struct *conn,
 goto bad_param;
 if (data_disp > total_data)
 goto bad_param;
- if ((smb_base(inbuf) + data_off + num_data >= inbuf + bufsize) ||
+ if ((smb_base(inbuf) + data_off + num_data > inbuf + length) ||
 (smb_base(inbuf) + data_off + num_data < smb_base(inbuf)))
 goto bad_param;
 if (data + data_disp < data)