3 files changed, 8 insertions, 7 deletions

diff --git a/source3/smbd/oplock.c b/source3/smbd/oplock.c
index e0b494017a..ac0836324b 100644
--- a/source3/smbd/oplock.c
+++ b/source3/smbd/oplock.c
@@ -676,13 +676,13 @@ static BOOL oplock_break(SMB_DEV_T dev, SMB_INO_T inode, struct timeval *tval, B
      messages crossing on the wire.
    */
 
-  if((inbuf = (char *)malloc(BUFFER_SIZE + SAFETY_MARGIN))==NULL)
+  if((inbuf = (char *)malloc(BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE + SAFETY_MARGIN))==NULL)
   {
     DEBUG(0,("oplock_break: malloc fail for input buffer.\n"));
     return False;
   }
 
-  if((outbuf = (char *)malloc(BUFFER_SIZE + SAFETY_MARGIN))==NULL)
+  if((outbuf = (char *)malloc(BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE + SAFETY_MARGIN))==NULL)
   {
     DEBUG(0,("oplock_break: malloc fail for output buffer.\n"));
     free(inbuf);
diff --git a/source3/smbd/process.c b/source3/smbd/process.c
index ac5454c48c..74c0cbc96f 100644
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -1184,8 +1184,8 @@ void smbd_process(void)
 	time_t last_timeout_processing_time = time(NULL);
 	unsigned int num_smbs = 0;
 
-	InBuffer = (char *)malloc(BUFFER_SIZE + SAFETY_MARGIN);
-	OutBuffer = (char *)malloc(BUFFER_SIZE + SAFETY_MARGIN);
+	InBuffer = (char *)malloc(BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE + SAFETY_MARGIN);
+	OutBuffer = (char *)malloc(BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE + SAFETY_MARGIN);
 	if ((InBuffer == NULL) || (OutBuffer == NULL)) 
 		return;
 
@@ -1208,7 +1208,7 @@ void smbd_process(void)
 		lp_talloc_free();
 		main_loop_talloc_free();
 
-		while (!receive_message_or_smb(InBuffer,BUFFER_SIZE,select_timeout)) {
+		while (!receive_message_or_smb(InBuffer,BUFFER_SIZE+LARGE_WRITEX_HDR_SIZE,select_timeout)) {
 			if(!timeout_processing( deadtime, &select_timeout, &last_timeout_processing_time))
 				return;
 			num_smbs = 0; /* Reset smb counter. */
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index b43512329e..914f1801d2 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -2665,10 +2665,11 @@ int reply_write_and_X(connection_struct *conn, char *inbuf,char *outbuf,int leng
 {
   files_struct *fsp = file_fsp(inbuf,smb_vwv2);
   SMB_OFF_T startpos = IVAL(inbuf,smb_vwv3);
-  size_t numtowrite = SVAL(inbuf,smb_vwv10);
+  size_t numtowrite = SVAL(inbuf,smb_vwv10)|(((size_t)SVAL(inbuf,smb_vwv9))<<16);
   BOOL write_through = BITSETW(inbuf+smb_vwv7,0);
   ssize_t nwritten = -1;
   unsigned int smb_doff = SVAL(inbuf,smb_vwv11);
+  unsigned int smblen = smb_len(inbuf);
   char *data;
   START_PROFILE(SMBwriteX);
 
@@ -2682,7 +2683,7 @@ int reply_write_and_X(connection_struct *conn, char *inbuf,char *outbuf,int leng
   CHECK_WRITE(fsp);
   CHECK_ERROR(fsp);
 
-  if(smb_doff > smb_len(inbuf)) {
+  if(smb_doff > smblen || (smb_doff + numtowrite > smblen)) {
     END_PROFILE(SMBwriteX);
     return(ERROR(ERRDOS,ERRbadmem));
   }