From 97bb32d61f825c524bd0e4caecce056088e13a6d Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Wed, 24 Nov 2004 05:24:38 +0000
Subject: r3936: Ensure LARGE_READX response must fit within reply buffer.
 Jeremy. (This used to be commit 5541001cf98aa9afb8f98ebeb91561348d3f5d74)

---
 source3/smbd/reply.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index 5d493d8716..a3bb412578 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -2186,6 +2186,12 @@ int reply_read_and_X(connection_struct *conn, char *inbuf,char *outbuf,int lengt
 
 	if (global_client_caps & CAP_LARGE_READX) {
 		smb_maxcnt |= ((((size_t)SVAL(inbuf,smb_vwv7)) & 1 )<<16);
+		if (smb_maxcnt > BUFFER_SIZE) {
+			DEBUG(0,("reply_read_and_X - read too large (%u) for reply buffer %u\n",
+				(unsigned int)smb_maxcnt, (unsigned int)BUFFER_SIZE));
+			END_PROFILE(SMBreadX);
+			return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+		}
 	}
 
 	if(CVAL(inbuf,smb_wct) == 12) {
-- 
cgit