Author: vlendec Date: 2007-08-10 21:33:58 +0000 (Fri, 10 Aug 2007) New Revision: 24319
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=24319
Log: Check wct in reply_read_and_X
Modified: branches/SAMBA_3_2/source/smbd/reply.c
Changeset:
Modified: branches/SAMBA_3_2/source/smbd/reply.c
===================================================================
--- branches/SAMBA_3_2/source/smbd/reply.c 2007-08-10 20:53:27 UTC (rev 24318)
+++ branches/SAMBA_3_2/source/smbd/reply.c 2007-08-10 21:33:58 UTC (rev 24319)
@@ -2860,10 +2860,10 @@
 int reply_read_and_X(connection_struct *conn, char *inbuf,char *outbuf,int length,int bufsize)
 {
- files_struct *fsp = file_fsp(SVAL(inbuf,smb_vwv2));
- SMB_OFF_T startpos = IVAL_TO_SMB_OFF_T(inbuf,smb_vwv3);
+ files_struct *fsp;
+ SMB_OFF_T startpos;
 ssize_t nread = -1;
- size_t smb_maxcnt = SVAL(inbuf,smb_vwv5);
+ size_t smb_maxcnt;
 BOOL big_readX = False;
 #if 0
 size_t smb_mincnt = SVAL(inbuf,smb_vwv6);
@@ -2871,6 +2871,14 @@
 START_PROFILE(SMBreadX);
+ if ((CVAL(inbuf, smb_wct) != 10) && (CVAL(inbuf, smb_wct) != 12)) {
+ return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+ }
+
+ fsp = file_fsp(SVAL(inbuf,smb_vwv2));
+ startpos = IVAL_TO_SMB_OFF_T(inbuf,smb_vwv3);
+ smb_maxcnt = SVAL(inbuf,smb_vwv5);
+
 /* If it's an IPC, pass off the pipe handler. */
 if (IS_IPC(conn)) {
 END_PROFILE(SMBreadX);
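Review bot: The new early return in the second hunk leaves the function after `START_PROFILE(SMBreadX)` without a matching `END_PROFILE(SMBreadX)`, while the IPC branch directly below closes the profile before it hands off. Either add `END_PROFILE(SMBreadX);` before `return ERROR_NT(NT_STATUS_INVALID_PARAMETER);` or move the wct test above `START_PROFILE`. A short comment on the check would help the next reader, for example `/* wct must be 10 or 12 before any vwv field is read */`; this is the reason the first hunk moves the `smb_vwv2`/`smb_vwv3`/`smb_vwv5` reads out of the declarations. The rest of the function is outside the hunk, so it is worth confirming that any field beyond the tenth word is only read when wct is 12. The disabled `smb_mincnt` initializer under `#if 0` still reads `smb_vwv6` at declaration and would run before the check if it were ever re-enabled.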