From 3311842e8c66bf2621a4959bc6307e8ecf08c0bf Mon Sep 17 00:00:00 2001
From: Volker Lendecke
Date: Fri, 10 Feb 2012 08:10:39 +0100
Subject: [PATCH] v3-3: AndX offsets are increasing strictly monotonically
---
 source/smbd/process.c | 10 +++++++++-
 1 files changed, 9 insertions(+), 1 deletions(-)
diff --git a/source/smbd/process.c b/source/smbd/process.c
index c53bfda..ad789cd 100644
--- a/source/smbd/process.c
+++ b/source/smbd/process.c
@@ -1651,7 +1651,7 @@ void chain_reply(struct smb_request *req)
 int size = smb_len(req->inbuf)+4;
 int smb_com1, smb_com2 = CVAL(inbuf,smb_vwv0);
- unsigned smb_off2 = SVAL(inbuf,smb_vwv1);
+ static unsigned smb_off2;
 char *inbuf2;
 int outsize2;
 int new_size;
@@ -1675,8 +1675,16 @@ void chain_reply(struct smb_request *req)
 if (chain_size == 0) {
 /* this is the first part of the chain */
 orig_inbuf = inbuf;
+ smb_off2 = 0;
 }
+ if (SVAL(inbuf,smb_vwv1) <= smb_off2) {
+ DEBUG(1, ("AndX offset not increasing\n"));
+ SCVAL(outbuf, smb_vwv0, 0xFF);
+ return;
+ }
+ smb_off2 = SVAL(inbuf, smb_vwv1);
+
 /*
 * We need to save the output the caller added to the chain so that we
 * can splice it into the final output buffer later.
-- 
1.7.3.4
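Review bot: The new `static unsigned smb_off2` in the first hunk turns what reads like an ordinary local into state that survives across calls to chain_reply, presumably so it is carried through the successive calls that walk one AndX chain, and nothing at the declaration says so. A one-line comment would keep a later cleanup from silently turning it back into an automatic: `static unsigned smb_off2; /* AndX offset of the previous command in this chain; reset to 0 when chain_size == 0 */`. Since the reset happens at the start of every chain, a chain rejected part-way does not leak a stale offset into the next request, and that is worth stating at the same place. The enclosing function chain_reply starts and ends outside the hunk.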
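Review bot: The rejection path in the second hunk logs only a fixed string, so when a client is refused the log carries no evidence of which offsets triggered it, even though this check is what stops a chain from pointing back at an earlier command. Read the offset once and log both values: `unsigned off2 = SVAL(inbuf, smb_vwv1);` / `if (off2 <= smb_off2) {` / `DEBUG(1, ("AndX offset not increasing: %u <= %u\n", off2, smb_off2));`, then store off2 after the block instead of calling SVAL a second time. This check enforces ordering relative to the previous command only; I assume the existing bound of the offset against the buffer size is still applied further down, outside the hunk, and that must remain in place. The enclosing function chain_reply continues outside the hunk.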