r3666: Generalise fix for trans and nttrans multi-fragment requests.
authorJeremy Allison <jra@samba.org>
Wed, 10 Nov 2004 20:37:14 +0000 (20:37 +0000)
committerGerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 15:53:12 +0000 (10:53 -0500)
Jeremy

source/smbd/ipc.c
source/smbd/nttrans.c

index e5465b902c8f462e533b24457b96925d9b3ce0b1..35e670c9fa1a33bc0243447ef246b2c6f7d6a2eb 100644 (file)
@@ -502,7 +502,7 @@ int reply_trans(connection_struct *conn, char *inbuf,char *outbuf, int size, int
                        goto bad_param;
                
                if (pcnt) {
-                       if (pdisp+pcnt >= tpscnt)
+                       if (pdisp+pcnt > tpscnt)
                                goto bad_param;
                        if ((pdisp+pcnt < pdisp) || (pdisp+pcnt < pcnt))
                                goto bad_param;
@@ -518,7 +518,7 @@ int reply_trans(connection_struct *conn, char *inbuf,char *outbuf, int size, int
                }
 
                if (dcnt) {
-                       if (ddisp+dcnt >= tdscnt)
+                       if (ddisp+dcnt > tdscnt)
                                goto bad_param;
                        if ((ddisp+dcnt < ddisp) || (ddisp+dcnt < dcnt))
                                goto bad_param;
index eaaf68d6895024c1df6ddf50448a4ee2300173f6..e20e433abc0803080d10c56fd9d4a544e08431b8 100644 (file)
@@ -2825,7 +2825,7 @@ due to being in oplock break state.\n", (unsigned int)function_code ));
                        }
 
                        if (parameter_count) {
-                               if (parameter_displacement + parameter_count >= total_parameter_count)
+                               if (parameter_displacement + parameter_count > total_parameter_count)
                                        goto bad_param;
                                if ((parameter_displacement + parameter_count < parameter_displacement) ||
                                                (parameter_displacement + parameter_count < parameter_count))
@@ -2842,7 +2842,7 @@ due to being in oplock break state.\n", (unsigned int)function_code ));
                        }
 
                        if (data_count) {
-                               if (data_displacement + data_count >= total_data_count)
+                               if (data_displacement + data_count > total_data_count)
                                        goto bad_param;
                                if ((data_displacement + data_count < data_displacement) ||
                                                (data_displacement + data_count < data_count))