path: root/source3/smbd/nttrans.c
authorJeremy Allison <jra@samba.org>2005-04-10 06:57:55 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 10:56:34 -0500
commit000323887350793440c360eba2be7729a7b5c4b0 (patch)
tree95c76c213f6067662d90d08a16b3ff37162b611a /source3/smbd/nttrans.c
parent2c83fb4a06c916e9a68677089a1590a12a9a779f (diff)
r6269: With help from Marcel Müller <mueller@maazl.de> in tracking down the bug,
fix trans2 and nttrans secondary packet processing. We were being too strict checking the incoming packet (by 1 byte). Jeremy. (This used to be commit 3eea1ff4b7428325c7f304bcac61d6297209a4b8)
Diffstat (limited to 'source3/smbd/nttrans.c')
-rw-r--r--source3/smbd/nttrans.c7
1 files changed, 5 insertions, 2 deletions
diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
index 4dffe870c5..a3ffaad24a 100644
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -2946,6 +2946,9 @@ due to being in oplock break state.\n", (unsigned int)function_code ));
ret = receive_next_smb(inbuf,bufsize,SMB_SECONDARY_WAIT);
+ /* We need to re-calcuate the new length after we've read the secondary packet. */
+ length = smb_len(inbuf) + 4;
+
/*
* The sequence number for the trans reply is always
* based on the last secondary received.
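Review bot: The new `length = smb_len(inbuf) + 4;` reads the length word of whatever is in `inbuf` before the `ret` from receive_next_smb() is consulted, and nothing in this hunk bounds it by `bufsize`, yet the `> inbuf + length` tests further down now treat that client-supplied value as the end of the buffer. receive_smb presumably refuses frames larger than the buffer, but that guarantee lives in another file; a local guard such as `if (length > bufsize) goto bad_param;` keeps reply_nttrans safe on its own, and if the existing `ret` handling does not already bail out before the bounds checks, `!ret` belongs in the same guard. The `ret` test and the rest of reply_nttrans are outside this hunk. Minor: the new comment should read `re-calculate`.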
@@ -2993,7 +2996,7 @@ due to being in oplock break state.\n", (unsigned int)function_code ));
goto bad_param;
if (parameter_displacement > total_parameter_count)
goto bad_param;
- if ((smb_base(inbuf) + parameter_offset + parameter_count >= inbuf + bufsize) ||
+ if ((smb_base(inbuf) + parameter_offset + parameter_count > inbuf + length) ||
(smb_base(inbuf) + parameter_offset + parameter_count < smb_base(inbuf)))
goto bad_param;
if (parameter_displacement + params < params)
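Review bot: The relaxed bound still forms `smb_base(inbuf) + parameter_offset + parameter_count` as a pointer before comparing it, so large client-supplied values push the addition past the buffer object, which is undefined behaviour in C and lets the compiler drop the `< smb_base(inbuf)` wrap guard on the following line. Doing the test in integers keeps the fix and removes the UB: `if (parameter_offset + parameter_count < parameter_offset || (size_t)parameter_offset + parameter_count > (size_t)(inbuf + length - smb_base(inbuf))) goto bad_param;` (assuming both operands are the unsigned 32-bit fields used elsewhere in this function; adjust the wrap check if not). This also presumes `length` never exceeds `bufsize`, which is established outside this hunk. reply_nttrans starts and ends outside the hunk.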
@@ -3010,7 +3013,7 @@ due to being in oplock break state.\n", (unsigned int)function_code ));
goto bad_param;
if (data_displacement > total_data_count)
goto bad_param;
- if ((smb_base(inbuf) + data_offset + data_count >= inbuf + bufsize) ||
+ if ((smb_base(inbuf) + data_offset + data_count > inbuf + length) ||
(smb_base(inbuf) + data_offset + data_count < smb_base(inbuf)))
goto bad_param;
if (data_displacement + data < data)
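Review bot: The data-block bound changed here is a line-for-line copy of the parameter-block pair a few lines up, and the commit message says trans2.c carries the same two pairs again, so four copies of a pointer-range test that can also overflow pointer arithmetic is where the next off-by-one will hide. A small static helper that checks the range in integers (offset and count are 32-bit and client-controlled) would replace both pairs in this function and could be shared with trans2.c; it relies on `length` already being bounded by `bufsize`, which I cannot see from here, and on smb_base() skipping the 4-byte NBT length word as in smb.h. reply_nttrans continues on both sides of this hunk.
```c
/*
 * True when [off, off + cnt) lies inside the SMB payload of a packet
 * that is 'length' bytes long including the 4-byte NBT length word.
 * Computed in integers so oversized client values never yield an
 * out-of-object pointer.
 */
static BOOL trans_block_fits(unsigned int off, unsigned int cnt, size_t length)
{
	const size_t payload = length > 4 ? length - 4 : 0;
	if (off + cnt < off)		/* 32-bit wrap */
		return False;
	return (size_t)off + cnt <= payload;
}

	/* … unchanged: parameter_displacement checks … */
	if (!trans_block_fits(parameter_offset, parameter_count, length))
		goto bad_param;
	/* … unchanged: data_displacement checks … */
	if (!trans_block_fits(data_offset, data_count, length))
		goto bad_param;
```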