From 94ae534128a28e7a3f2f4124283bd8c1acbff6d7 Mon Sep 17 00:00:00 2001
From: Andrew Tridgell <tridge@samba.org>
Date: Thu, 17 Nov 2005 00:48:24 +0000
Subject: r11752: setup the dynamic pointer for incoming packets too (This used
 to be commit 583f3c415ea33ddf5f4065a66f6fae49ab48455e)

---
 source4/libcli/smb2/transport.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

(limited to 'source4/libcli/smb2/transport.c')

diff --git a/source4/libcli/smb2/transport.c b/source4/libcli/smb2/transport.c
index 04ebb88d4e..04767fa634 100644
--- a/source4/libcli/smb2/transport.c
+++ b/source4/libcli/smb2/transport.c
@@ -148,6 +148,8 @@ static NTSTATUS smb2_transport_finish_recv(void *private, DATA_BLOB blob)
 	int len;
 	struct smb2_request *req = NULL;
 	uint64_t seqnum;
+	uint16_t buffer_code;
+	uint32_t dynamic_size;
 
 	buffer = blob.data;
 	len = blob.length;
@@ -183,6 +185,18 @@ static NTSTATUS smb2_transport_finish_recv(void *private, DATA_BLOB blob)
 	req->in.body_size = req->in.size - (SMB2_HDR_BODY+NBT_HDR_SIZE);
 	req->status       = NT_STATUS(IVAL(hdr, SMB2_HDR_STATUS));
 
+	buffer_code = SVAL(req->in.body, 0);
+	req->in.dynamic = NULL;
+	dynamic_size = req->in.body_size - (buffer_code & ~1);
+	if (dynamic_size != 0 && (buffer_code & 1)) {
+		req->in.dynamic = req->in.body + (buffer_code & ~1);
+		if (smb2_oob(&req->in, req->in.dynamic, dynamic_size)) {
+			DEBUG(1,("SMB2 request invalid dynamic size 0x%x\n", 
+				 dynamic_size));
+			goto error;
+		}
+	}
+
 	DEBUG(2, ("SMB2 RECV seqnum=0x%llx\n", req->seqnum));
 	dump_data(5, req->in.body, req->in.body_size);
 
-- 
cgit