Argggh. smblen doesn't include the +4, so my smb_doff calculations

shouldn't either :-).
Jeremy.
(This used to be commit c3de44b6b063e126095b30536fdcb643c70e395e)

1 files changed, 4 insertions, 4 deletions

diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index de0e852e2a..84c1892560 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -3927,8 +3927,8 @@ void reply_write_and_X(connection_struct *conn, struct smb_request *req)
 	smblen = smb_len(req->inbuf);
 
 	if (req->unread_bytes > 0xFFFF ||
-			(smblen > smb_doff + 4 &&
-				smblen - smb_doff + 4 > 0xFFFF)) {
+			(smblen > smb_doff &&
+				smblen - smb_doff > 0xFFFF)) {
 		numtowrite |= (((size_t)SVAL(req->inbuf,smb_vwv9))<<16);
 	}
 
@@ -3939,8 +3939,8 @@ void reply_write_and_X(connection_struct *conn, struct smb_request *req)
 			return;
 		}
 	} else {
-		if (smb_doff + 4 > smblen || smb_doff + 4 + numtowrite < numtowrite ||
-				smb_doff + 4 + numtowrite > smblen) {
+		if (smb_doff > smblen || smb_doff + numtowrite < numtowrite ||
+				smb_doff + numtowrite > smblen) {
 			reply_doserror(req, ERRDOS, ERRbadmem);
 			END_PROFILE(SMBwriteX);
 			return;