From a12e7ef30a45c155c0f211d02445ef0ad46acde0 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vlendec@samba.org>
Date: Tue, 14 Aug 2007 13:57:36 +0000
Subject: r24409: Check wct in reply_open (This used to be commit
 ee6f212ed0b332e6886056e6d254d0c0da7c5046)

---
 source3/smbd/reply.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

(limited to 'source3')

diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index 4a8ecb86e9..6acee164c6 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -1402,9 +1402,9 @@ int reply_open(connection_struct *conn, char *inbuf,char *outbuf, int dum_size,
 	int info;
 	SMB_STRUCT_STAT sbuf;
 	files_struct *fsp;
-	int oplock_request = CORE_OPLOCK_REQUEST(inbuf);
+	int oplock_request;
 	int deny_mode;
-	uint32 dos_attr = SVAL(inbuf,smb_vwv1);
+	uint32 dos_attr;
 	uint32 access_mask;
 	uint32 share_mode;
 	uint32 create_disposition;
@@ -1415,8 +1415,14 @@ int reply_open(connection_struct *conn, char *inbuf,char *outbuf, int dum_size,
 	START_PROFILE(SMBopen);
 
 	init_smb_request(&req, (uint8 *)inbuf);
+
+	if (req.wct < 2) {
+		return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+	}
  
+	oplock_request = CORE_OPLOCK_REQUEST(inbuf);
 	deny_mode = SVAL(inbuf,smb_vwv0);
+	dos_attr = SVAL(inbuf,smb_vwv1);
 
 	srvstr_get_path(inbuf, SVAL(inbuf,smb_flg2), fname, smb_buf(inbuf)+1,
 			sizeof(fname), 0, STR_TERMINATE, &status);
-- 
cgit