+++ /dev/null
-From f781c9c693462b89b60a3662d2a1224c9387a725 Mon Sep 17 00:00:00 2001
-From: Volker Lendecke <vl@samba.org>
-Date: Fri, 10 Feb 2012 08:10:39 +0100
-Subject: [PATCH 1/2] v3-3: AndX offsets are increasing strictly monotonically
-
----
- source/smbd/process.c | 10 +++++++++-
- 1 files changed, 9 insertions(+), 1 deletions(-)
-
-diff --git source/smbd/process.c source/smbd/process.c
-index e861e16..f64e1ce 100644
---- source/smbd/process.c
-+++ source/smbd/process.c
-@@ -1160,7 +1160,7 @@ int chain_reply(char *inbuf,char *outbuf,int size,int bufsize)
- static char *orig_inbuf;
- static char *orig_outbuf;
- int smb_com1, smb_com2 = CVAL(inbuf,smb_vwv0);
-- unsigned smb_off2 = SVAL(inbuf,smb_vwv1);
-+ static unsigned smb_off2;
- char *inbuf2, *outbuf2;
- int outsize2;
- int new_size;
-@@ -1178,8 +1178,16 @@ int chain_reply(char *inbuf,char *outbuf,int size,int bufsize)
- /* this is the first part of the chain */
- orig_inbuf = inbuf;
- orig_outbuf = outbuf;
-+ smb_off2 = 0;
- }
-
-+ if (SVAL(inbuf,smb_vwv1) <= smb_off2) {
-+ DEBUG(1, ("AndX offset not increasing\n"));
-+ SCVAL(outbuf, smb_vwv0, 0xFF);
-+ return outsize;
-+ }
-+ smb_off2 = SVAL(inbuf, smb_vwv1);
-+
- /*
- * The original Win95 redirector dies on a reply to
- * a lockingX and read chain unless the chain reply is
---
-1.7.3.4
-
-
-From 009bb0be7383777a650a3bc6af1c0d3ab7476ebc Mon Sep 17 00:00:00 2001
-From: Volker Lendecke <vl@samba.org>
-Date: Fri, 10 Feb 2012 08:39:33 +0100
-Subject: [PATCH 2/2] v3-0-test: Port back some packet consistency checks
-
----
- source/smbd/process.c | 18 ++++++++++++++++++
- 1 files changed, 18 insertions(+), 0 deletions(-)
-
-diff --git source/smbd/process.c source/smbd/process.c
-index f64e1ce..8aabef8 100644
---- source/smbd/process.c
-+++ source/smbd/process.c
-@@ -1025,6 +1025,7 @@ static int construct_reply(char *inbuf,char *outbuf,int size,int bufsize)
- int outsize = 0;
- int msg_type = CVAL(inbuf,0);
- uint16_t mid = SVAL(inbuf, smb_mid);
-+ uint8_t wct = CVAL(inbuf, smb_wct);
-
- chain_size = 0;
- file_chain_reset();
-@@ -1033,6 +1034,23 @@ static int construct_reply(char *inbuf,char *outbuf,int size,int bufsize)
- if (msg_type != 0)
- return(reply_special(inbuf,outbuf));
-
-+ /* Ensure we have at least wct words and 2 bytes of bcc. */
-+ if (smb_size + wct*2 > size) {
-+ DEBUG(0,("init_smb_request: invalid wct number %u (size %u)\n",
-+ (unsigned int)wct,
-+ (unsigned int)size));
-+ exit_server_cleanly("Invalid SMB request");
-+ }
-+ /* Ensure bcc is correct. */
-+ if (((uint8 *)smb_buf(inbuf)) + smb_buflen(inbuf) > inbuf + size) {
-+ DEBUG(0,("init_smb_request: invalid bcc number %u "
-+ "(wct = %u, size %u)\n",
-+ (unsigned int)smb_buflen(inbuf),
-+ (unsigned int)wct,
-+ (unsigned int)size));
-+ exit_server_cleanly("Invalid SMB request");
-+ }
-+
- construct_reply_common(inbuf, outbuf);
-
- outsize = switch_message(type,inbuf,outbuf,size,bufsize);
---
-1.7.3.4
-