summaryrefslogtreecommitdiff
path: root/source3/smbd/nttrans.c
diff options
context:
space:
mode:
Diffstat (limited to 'source3/smbd/nttrans.c')
-rw-r--r--source3/smbd/nttrans.c7
1 files changed, 5 insertions, 2 deletions
diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
index 4dffe870c5..a3ffaad24a 100644
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -2946,6 +2946,9 @@ due to being in oplock break state.\n", (unsigned int)function_code ));
ret = receive_next_smb(inbuf,bufsize,SMB_SECONDARY_WAIT);
+ /* We need to re-calcuate the new length after we've read the secondary packet. */
+ length = smb_len(inbuf) + 4;
+
/*
* The sequence number for the trans reply is always
* based on the last secondary received.
@@ -2993,7 +2996,7 @@ due to being in oplock break state.\n", (unsigned int)function_code ));
goto bad_param;
if (parameter_displacement > total_parameter_count)
goto bad_param;
- if ((smb_base(inbuf) + parameter_offset + parameter_count >= inbuf + bufsize) ||
+ if ((smb_base(inbuf) + parameter_offset + parameter_count > inbuf + length) ||
(smb_base(inbuf) + parameter_offset + parameter_count < smb_base(inbuf)))
goto bad_param;
if (parameter_displacement + params < params)
@@ -3010,7 +3013,7 @@ due to being in oplock break state.\n", (unsigned int)function_code ));
goto bad_param;
if (data_displacement > total_data_count)
goto bad_param;
- if ((smb_base(inbuf) + data_offset + data_count >= inbuf + bufsize) ||
+ if ((smb_base(inbuf) + data_offset + data_count > inbuf + length) ||
(smb_base(inbuf) + data_offset + data_count < smb_base(inbuf)))
goto bad_param;
if (data_displacement + data < data)
generated by cgit (git 2.34.1) at 2024-11-11 02:47:27 +0000