From 3a9510acaed2d5e28b17934a2d110998232565e2 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Thu, 16 Oct 2003 18:17:44 +0000
Subject: Fix buggy data_len calculation in echo. Add paranoia debug message.
 Jeremy. (This used to be commit 5332af1124077f49e84836f5cedfbde98336b142)

---
 source3/smbd/reply.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

(limited to 'source3/smbd/reply.c')

diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index ec63be32b4..011186ba89 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -2784,7 +2784,11 @@ int reply_echo(connection_struct *conn,
 	int outsize = set_message(outbuf,1,data_len,True);
 	START_PROFILE(SMBecho);
 
-	data_len = MIN(data_len, (sizeof(inbuf)-(smb_buf(inbuf)-inbuf)));
+	if (data_len > BUFFER_SIZE) {
+		DEBUG(0,("reply_echo: data_len too large.\n"));
+		END_PROFILE(SMBecho);
+		return -1;
+	}
 
 	/* copy any incoming data back out */
 	if (data_len > 0)
-- 
cgit