From 6ac3be5c7c26c307dd855dfd228a12edb46c0f40 Mon Sep 17 00:00:00 2001
From: Volker Lendecke
Date: Fri, 10 Feb 2012 08:10:39 +0100
Subject: [PATCH] v3-3: AndX offsets are increasing strictly monotonically

---
 source/smbd/process.c | 10 +++++++++-
 1 files changed, 9 insertions(+), 1 deletions(-)

diff --git a/source/smbd/process.c b/source/smbd/process.c
index 446b868..adad33a 100644
--- a/source/smbd/process.c
+++ b/source/smbd/process.c
@@ -1655,7 +1655,7 @@ void chain_reply(struct smb_request *req)
 	int size = smb_len(req->inbuf)+4;
 	int smb_com1, smb_com2 = CVAL(inbuf,smb_vwv0);
-	unsigned smb_off2 = SVAL(inbuf,smb_vwv1);
+	static unsigned smb_off2;
 	char *inbuf2;
 	int outsize2;
 	int new_size;
@@ -1679,8 +1679,16 @@ void chain_reply(struct smb_request *req)
 	if (chain_size == 0) {
 		/* this is the first part of the chain */
 		orig_inbuf = inbuf;
+		smb_off2 = 0;
 	}
 
+	if (SVAL(inbuf,smb_vwv1) <= smb_off2) {
+		DEBUG(1, ("AndX offset not increasing\n"));
+		SCVAL(outbuf, smb_vwv0, 0xFF);
+		return;
+	}
+	smb_off2 = SVAL(inbuf, smb_vwv1);
+
 	/*
 	 * We need to save the output the caller added to the chain so that we
 	 * can splice it into the final output buffer later.
-- 
1.7.3.4
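Review bot: The new `static unsigned smb_off2` in the first hunk carries state across calls and nothing at the declaration says why, so a reader will take it for a leftover; it deserves a comment such as `/* AndX offset of the previous element in this chain; reset on the first element (chain_size == 0) and used to reject chains whose offsets do not strictly increase */`. The two `SVAL(inbuf,smb_vwv1)` reads in the second hunk could be hoisted into one local, `unsigned off2 = SVAL(inbuf, smb_vwv1);`, which also removes the inconsistent spacing between the two calls. The strictly-increasing check only bounds the offset from below; the value still has to be checked against `size` before `inbuf2` is formed from it, and that check, if it exists, is outside this hunk. The early `return` leaves `chain_size` and the other chain state as they were on entry, so whether a stale `smb_off2` can reach the next request depends on where `chain_size` is reset, which is not visible here. chain_reply starts and ends outside both hunks.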