From 59590a1c4dc9bebc0e3a4ff6b0db9beb6ea81fef Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Mon, 9 Jul 2007 00:48:07 +0000
Subject: r23752: Fix bug introduced by checkin 22920, allow large readX. Fix from Dmitry Shatrov . "In send_file_readX(), if startpos > sbuf.st_size, then smb_maxcnt is set to an invalid large value due to integer overflow. As for me, this resulted in MS Word hanging while trying to save a 1.5Mb document." This isn't in shipping code. Jeremy. (This used to be commit af715c602a8ef6038e6272c7cc6a08501617ae67)
---
 source3/smbd/reply.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index 6e41de4ec9..b17fa1949b 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -2590,9 +2590,7 @@ int send_file_readX(connection_struct *conn, char *inbuf,char *outbuf,int length
 if (startpos > sbuf.st_size) {
 smb_maxcnt = 0;
- }
-
- if (smb_maxcnt > (sbuf.st_size - startpos)) {
+ } else if (smb_maxcnt > (sbuf.st_size - startpos)) {
 smb_maxcnt = (sbuf.st_size - startpos);
 }
-- cgit
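Review bot: The `else if` is now the only thing keeping `sbuf.st_size - startpos` from going negative, and nothing in the code records that, so a later edit that separates the two branches again would bring back the wrap described in the commit message. I would add a comment above the branch, e.g. `/* startpos <= st_size here, so the difference is non-negative and cannot wrap when compared with smb_maxcnt */`. The declarations of `startpos` and `smb_maxcnt` are outside the hunk, so their types are inferred from the message. If `startpos` is a signed offset taken from the request, a negative value would still fail `startpos > sbuf.st_size` and leave `smb_maxcnt` clamped to more than the file holds, so it is worth confirming that such offsets are rejected before this point. The body of send_file_readX() starts and ends outside the hunk.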