authorVolker Lendecke <vl@samba.org>2008-11-08 17:14:06 +0100
committerKarolin Seeger <kseeger@samba.org>2008-11-17 15:47:12 +0100
commit64a1d80851da5b05e70ec6c96f6e9bd473748369 (patch)
tree7875d7711286fff2cf708519dbeff2fff6cdafaf
parent60a639b1ac6c88f3a5ef1fe111860eb4b89b3a7d (diff)
Fix the offset checks in the trans routines
This fixes a potential crash bug: a client can make us read memory we should not read. Luckily I got the disp checks right... Volker
-rw-r--r--source/smbd/ipc.c6
-rw-r--r--source/smbd/nttrans.c6
-rw-r--r--source/smbd/trans2.c6
3 files changed, 9 insertions, 9 deletions
diff --git a/source/smbd/ipc.c b/source/smbd/ipc.c
index 6961a5caf15..a53bc5bea2a 100644
--- a/source/smbd/ipc.c
+++ b/source/smbd/ipc.c
@@ -764,10 +764,10 @@ void reply_transs(struct smb_request *req)
goto bad_param;
}
- if (ddisp > av_size ||
+ if (doff > av_size ||
dcnt > av_size ||
- ddisp+dcnt > av_size ||
- ddisp+dcnt < ddisp) {
+ doff+dcnt > av_size ||
+ doff+dcnt < doff) {
goto bad_param;
}
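Review bot: The first two disjuncts of the new condition, `doff > av_size` and `dcnt > av_size`, are already implied by `doff+dcnt > av_size` together with the wrap test `doff+dcnt < doff`, so the guard could be reduced to those last two terms; the identical hunks in nttrans.c and trans2.c have the same redundancy. Since the original defect came from testing ddisp where doff was meant, a comment above the `if` would help the next reader, e.g. `/* doff/dcnt locate this fragment's data inside the received packet (bounded by av_size); ddisp is its position in the reassembled buffer and is bounds-checked separately. */` — the separate ddisp check is asserted by the commit message rather than visible in the hunk. The wrap test is only sound if doff and dcnt are unsigned; their declarations are outside the hunk, so that should be confirmed. reply_transs begins and ends outside the hunk.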
diff --git a/source/smbd/nttrans.c b/source/smbd/nttrans.c
index 13caf77b983..ef814041627 100644
--- a/source/smbd/nttrans.c
+++ b/source/smbd/nttrans.c
@@ -2853,10 +2853,10 @@ void reply_nttranss(struct smb_request *req)
goto bad_param;
}
- if (ddisp > av_size ||
+ if (doff > av_size ||
dcnt > av_size ||
- ddisp+dcnt > av_size ||
- ddisp+dcnt < ddisp) {
+ doff+dcnt > av_size ||
+ doff+dcnt < doff) {
goto bad_param;
}
diff --git a/source/smbd/trans2.c b/source/smbd/trans2.c
index 13105dce0fc..44ab88d0a44 100644
--- a/source/smbd/trans2.c
+++ b/source/smbd/trans2.c
@@ -7783,10 +7783,10 @@ void reply_transs2(struct smb_request *req)
goto bad_param;
}
- if (ddisp > av_size ||
+ if (doff > av_size ||
dcnt > av_size ||
- ddisp+dcnt > av_size ||
- ddisp+dcnt < ddisp) {
+ doff+dcnt > av_size ||
+ doff+dcnt < doff) {
goto bad_param;
}