Diffstat (limited to 'source3/smbd')
-rw-r--r--source3/smbd/nttrans.c12
-rw-r--r--source3/smbd/open.c5
2 files changed, 17 insertions, 0 deletions
diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
index 149e6ecbd9..b6951272d7 100644
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -455,6 +455,12 @@ void reply_ntcreate_and_X(struct smb_request *req)
fname));
/*
+ * we need to remove ignored bits when they come directly from the client
+ * because we reuse some of them for internal stuff
+ */
+ create_options &= ~NTCREATEX_OPTIONS_MUST_IGNORE_MASK;
+
+ /*
* If it's an IPC, use the pipe handler.
*/
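Review bot: The mask is applied separately in each wire parser, here in reply_ntcreate_and_X and again in the call_nt_transact_create hunk, so the protection depends on every handler that takes create_options from a client repeating the same line. The comment says some of these bits are reused internally, so a handler that forwards them unmasked would let a client set server-private flags. It is worth confirming that no request path outside this diff passes client-supplied options into the open code. The comment could also name the internal flags that share these bits, e.g. `/* strip client bits that overlap internally used NTCREATEX_OPTIONS_* flags (list them here) */`. Both function bodies continue outside their hunks.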
@@ -858,6 +864,12 @@ static void call_nt_transact_create(connection_struct *conn,
allocation_size |= (((SMB_BIG_UINT)IVAL(params,16)) << 32);
#endif
+ /*
+ * we need to remove ignored bits when they come directly from the client
+ * because we reuse some of them for internal stuff
+ */
+ create_options &= ~NTCREATEX_OPTIONS_MUST_IGNORE_MASK;
+
/* Ensure the data_len is correct for the sd and ea values given. */
if ((ea_len + sd_len > data_count)
|| (ea_len > data_count) || (sd_len > data_count)
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index 03efd09f06..8b32907a4b 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -2560,6 +2560,11 @@ NTSTATUS create_file_unixpath(connection_struct *conn,
goto fail;
}
+ if (create_options & NTCREATEX_OPTIONS_INVALID_PARAM_MASK) {
+ status = NT_STATUS_INVALID_PARAMETER;
+ goto fail;
+ }
+
if (req == NULL) {
oplock_request |= INTERNAL_OPEN_ONLY;
}
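Review bot: The new check in create_file_unixpath runs for every caller, including internal opens (the `req == NULL` branch just below). NTCREATEX_OPTIONS_INVALID_PARAM_MASK must therefore not overlap the bits that NTCREATEX_OPTIONS_MUST_IGNORE_MASK strips and the server then reuses. Neither definition is visible in this diff, so that should be verified where the masks are defined. The block also carries no comment, unlike the nttrans.c additions; something like `/* option bits that are never valid, whether from a client or an internal caller */` would state the intent. The function body continues outside the hunk.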