From d465b468c1bd1e43fc1bf1622415ed98dafa6627 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vlendec@samba.org>
Date: Fri, 10 Aug 2007 21:33:58 +0000
Subject: r24319: Check wct in reply_read_and_X (This used to be commit
 9ddacdfa131c4a4a852b3d30db1ee22d1852d0c2)

---
 source3/smbd/reply.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

(limited to 'source3/smbd/reply.c')

diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index c02bbc8719..3e35c0064b 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -2860,10 +2860,10 @@ normal_read:
 
 int reply_read_and_X(connection_struct *conn, char *inbuf,char *outbuf,int length,int bufsize)
 {
-	files_struct *fsp = file_fsp(SVAL(inbuf,smb_vwv2));
-	SMB_OFF_T startpos = IVAL_TO_SMB_OFF_T(inbuf,smb_vwv3);
+	files_struct *fsp;
+	SMB_OFF_T startpos;
 	ssize_t nread = -1;
-	size_t smb_maxcnt = SVAL(inbuf,smb_vwv5);
+	size_t smb_maxcnt;
 	BOOL big_readX = False;
 #if 0
 	size_t smb_mincnt = SVAL(inbuf,smb_vwv6);
@@ -2871,6 +2871,14 @@ int reply_read_and_X(connection_struct *conn, char *inbuf,char *outbuf,int lengt
 
 	START_PROFILE(SMBreadX);
 
+	if ((CVAL(inbuf, smb_wct) != 10) && (CVAL(inbuf, smb_wct) != 12)) {
+		return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+	}
+
+	fsp = file_fsp(SVAL(inbuf,smb_vwv2));
+	startpos = IVAL_TO_SMB_OFF_T(inbuf,smb_vwv3);
+	smb_maxcnt = SVAL(inbuf,smb_vwv5);
+
 	/* If it's an IPC, pass off the pipe handler. */
 	if (IS_IPC(conn)) {
 		END_PROFILE(SMBreadX);
-- 
cgit