authorJeremy Allison <jra@samba.org>2011-09-21 11:40:01 -0700
committerKarolin Seeger <kseeger@samba.org>2011-10-12 20:56:32 +0200
commit8a64e764bb3c79d53d4f8bd22d48e483c2f49253 (patch)
treef642f50d5c2bede5b02b41c0baf4e092a1dc5bcd
parent569f84eedc9bbd22ccae6230a4d7000b265d4852 (diff)
Fix bug #8474 - SMB2 create doesn't cope with an Apple client using NULL blob in create
Cope with zero length data_offset and data_length values. Autobuild-User: Jeremy Allison <jra@samba.org> Autobuild-Date: Wed Sep 21 22:12:40 CEST 2011 on sn-devel-104 (cherry picked from commit 2a9792f4d9963e4b4cbd38da47d8296694333269)
-rw-r--r--libcli/smb/smb2_create_blob.c10
1 files changed, 7 insertions, 3 deletions
diff --git a/libcli/smb/smb2_create_blob.c b/libcli/smb/smb2_create_blob.c
index 444dc840afe..b44f28a01ff 100644
--- a/libcli/smb/smb2_create_blob.c
+++ b/libcli/smb/smb2_create_blob.c
@@ -63,9 +63,10 @@ NTSTATUS smb2_create_blob_parse(TALLOC_CTX *mem_ctx, const DATA_BLOB buffer,
name_offset > remaining ||
name_length != 4 || /* windows enforces this */
name_offset + name_length > remaining ||
- data_offset < name_offset + name_length ||
- data_offset > remaining ||
- data_offset + (uint64_t)data_length > remaining) {
+ (data_offset && (data_offset < name_offset + name_length)) ||
+ (data_offset && (data_offset > remaining)) ||
+ (data_offset && data_length &&
+ (data_offset + (uint64_t)data_length > remaining))) {
return NT_STATUS_INVALID_PARAMETER;
}
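Review bot: The rewritten length test `(data_offset && data_length && (data_offset + (uint64_t)data_length > remaining))` is skipped whenever `data_offset` is 0, so a blob with `data_offset == 0` and a non-zero `data_length` passes validation without its length ever being compared against `remaining`. If the code after this hunk builds the data blob from `data + data_offset` and `data_length` (not visible here), that client-supplied length could extend past the end of the buffer. The bound can stay unconditional, because the NULL-blob case (both values zero) already satisfies it: `data_offset + (uint64_t)data_length > remaining) {`. The same applies to `data_offset > remaining`, which needs no `data_offset &&` guard. The enclosing `if` condition and the function start and end outside the hunk.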
@@ -88,6 +89,9 @@ NTSTATUS smb2_create_blob_parse(TALLOC_CTX *mem_ctx, const DATA_BLOB buffer,
data += next;
if (remaining < 16) {
+ DEBUG(0,("smb2_create_blob_parse: remaining1 = %d, next = %d\n",
+ (int)remaining,
+ (int)next));
return NT_STATUS_INVALID_PARAMETER;
}
}
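Review bot: The added `DEBUG(0, ...)` fires on a malformed create blob, which a remote client can send repeatedly, and level 0 messages are normally always written, so the client can use it to fill the server log. A higher debug level keeps the diagnostic without that exposure, e.g. `DEBUG(10,("smb2_create_blob_parse: remaining1 = %u, next = %u\n", (unsigned)remaining, (unsigned)next));`. The `(int)` casts with `%d` would also print large values as negative if these variables are unsigned; their declarations are outside the hunk, so that needs confirming. The loop and function continue outside the hunk.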