authorJeremy Allison <jra@samba.org>2004-11-10 20:37:14 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 10:53:12 -0500
commit10b2489e3b2345a8532098523ebcebb73665a76f (patch)
tree6fd5e775e39152f54f5c505b1f4b7861d4c617fa
parent44132c39ecbf055b897b1aa7bfca4eb1731badbf (diff)
r3666: Generalise fix for trans and nttrans multi-fragment requests.
Jeremy
-rw-r--r--source/smbd/ipc.c4
-rw-r--r--source/smbd/nttrans.c4
2 files changed, 4 insertions, 4 deletions
diff --git a/source/smbd/ipc.c b/source/smbd/ipc.c
index e5465b902c8..35e670c9fa1 100644
--- a/source/smbd/ipc.c
+++ b/source/smbd/ipc.c
@@ -502,7 +502,7 @@ int reply_trans(connection_struct *conn, char *inbuf,char *outbuf, int size, int
goto bad_param;
if (pcnt) {
- if (pdisp+pcnt >= tpscnt)
+ if (pdisp+pcnt > tpscnt)
goto bad_param;
if ((pdisp+pcnt < pdisp) || (pdisp+pcnt < pcnt))
goto bad_param;
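Review bot: The bound test `pdisp+pcnt > tpscnt` runs before the wrap-around test on the next line, so it is only sound if these counters are unsigned. Their declarations are outside the hunk; if any of them is a signed int, an overflowing addition is undefined behaviour rather than a wrap the second test can detect. Both tests can be folded into one that never computes the sum: `if (pdisp > tpscnt || pcnt > tpscnt - pdisp) goto bad_param;`. The same applies to the `ddisp+dcnt` test in the second hunk and to both tests in nttrans.c. These values presumably come from the client's secondary request, and the copy they guard lies outside the hunk, so it is worth confirming there that the destination buffer is sized by the total count.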
@@ -518,7 +518,7 @@ int reply_trans(connection_struct *conn, char *inbuf,char *outbuf, int size, int
}
if (dcnt) {
- if (ddisp+dcnt >= tdscnt)
+ if (ddisp+dcnt > tdscnt)
goto bad_param;
if ((ddisp+dcnt < ddisp) || (ddisp+dcnt < dcnt))
goto bad_param;
diff --git a/source/smbd/nttrans.c b/source/smbd/nttrans.c
index eaaf68d6895..e20e433abc0 100644
--- a/source/smbd/nttrans.c
+++ b/source/smbd/nttrans.c
@@ -2825,7 +2825,7 @@ due to being in oplock break state.\n", (unsigned int)function_code ));
}
if (parameter_count) {
- if (parameter_displacement + parameter_count >= total_parameter_count)
+ if (parameter_displacement + parameter_count > total_parameter_count)
goto bad_param;
if ((parameter_displacement + parameter_count < parameter_displacement) ||
(parameter_displacement + parameter_count < parameter_count))
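Review bot: The switch from `>=` to `>` should carry a comment at the check, because the reason is not visible in the code: a fragment whose displacement plus count equals the total is the legitimate final fragment, and only a sum beyond the total is out of range. A line such as `/* disp + count == total is the last fragment; only > total is invalid */` above the `parameter_count` and `data_count` tests would stop a later reader from tightening it back to `>=`. The wrap-around `if` that follows is cut off at the end of this hunk.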
@@ -2842,7 +2842,7 @@ due to being in oplock break state.\n", (unsigned int)function_code ));
}
if (data_count) {
- if (data_displacement + data_count >= total_data_count)
+ if (data_displacement + data_count > total_data_count)
goto bad_param;
if ((data_displacement + data_count < data_displacement) ||
(data_displacement + data_count < data_count))