r3663: Fix too tight checking of incoming secondary trans2 requests.

Found by Stefan Esser <s.esser@e-matters.de>.
Jeremy.

diff --git a/source/smbd/trans2.c b/source/smbd/trans2.c
index 4c0d5731eb8bc52da41010ea7efc28016af5f60c..ca2c8a060dcbf590245a7d381fc5b20c7f0f666e 100644 (file)
--- a/source/smbd/trans2.c
+++ b/source/smbd/trans2.c
@@ -4161,7 +4161,7 @@ int reply_trans2(connection_struct *conn,
                                goto bad_param;
                        
                        if (num_params) {
-                               if (param_disp + num_params >= total_params)
+                               if (param_disp + num_params > total_params)
                                        goto bad_param;
                                if ((param_disp + num_params < param_disp) ||
                                                (param_disp + num_params < num_params))
@@ -4177,7 +4177,7 @@ int reply_trans2(connection_struct *conn,
                                memcpy( &params[param_disp], smb_base(inbuf) + param_off, num_params);
                        }
                        if (num_data) {
-                               if (data_disp + num_data >= total_data)
+                               if (data_disp + num_data > total_data)
                                        goto bad_param;
                                if ((data_disp + num_data < data_disp) ||
                                                (data_disp + num_data < num_data))