Fix calculation of useable_space for trans2 and nttrans replies

When alignment was in place, we pretended to send more data/params according to
the param_offset/param_length and data_offset/data_length parameters than would
actually fit into the SMB according to the NBSS length field.
(cherry picked from commit 2ae870aead5e0ea7e7f9f6f9730f989ae34755b9)

2 files changed, 19 insertions, 18 deletions

diff --git a/source/smbd/nttrans.c b/source/smbd/nttrans.c
index 0b48fa2c4d5..13caf77b983 100644
--- a/source/smbd/nttrans.c
+++ b/source/smbd/nttrans.c
@@ -113,14 +113,11 @@ void send_nt_replies(connection_struct *conn,
 				    + alignment_offset
 				    + data_alignment_offset);
 
-	/*
-	 * useable_space can never be more than max_send minus the
-	 * alignment offset.
-	 */
-
-	useable_space = MIN(useable_space,
-				max_send - (alignment_offset+data_alignment_offset));
-
+	if (useable_space < 0) {
+		DEBUG(0, ("send_nt_replies failed sanity useable_space "
+			  "= %d!!!", useable_space));
+		exit_server_cleanly("send_nt_replies: srv_send_smb failed.");
+	}
 
 	while (params_to_send || data_to_send) {
 
@@ -128,8 +125,7 @@ void send_nt_replies(connection_struct *conn,
 		 * Calculate whether we will totally or partially fill this packet.
 		 */
 
-		total_sent_thistime = params_to_send + data_to_send +
-					alignment_offset + data_alignment_offset;
+		total_sent_thistime = params_to_send + data_to_send;
 
 		/*
 		 * We can never send more than useable_space.
@@ -137,7 +133,9 @@ void send_nt_replies(connection_struct *conn,
 
 		total_sent_thistime = MIN(total_sent_thistime, useable_space);
 
-		reply_outbuf(req, 18, total_sent_thistime);
+		reply_outbuf(req, 18,
+			     total_sent_thistime + alignment_offset
+			     + data_alignment_offset);
 
 		/*
 		 * Set total params and data to be sent.
@@ -264,7 +262,7 @@ void send_nt_replies(connection_struct *conn,
 		if(params_to_send < 0 || data_to_send < 0) {
 			DEBUG(0,("send_nt_replies failed sanity check pts = %d, dts = %d\n!!!",
 				params_to_send, data_to_send));
-			return;
+			exit_server_cleanly("send_nt_replies: internal error");
 		}
 	}
 }
diff --git a/source/smbd/trans2.c b/source/smbd/trans2.c
index 2cb826934e3..7753fad54f9 100644
--- a/source/smbd/trans2.c
+++ b/source/smbd/trans2.c
@@ -737,14 +737,16 @@ void send_trans2_replies(connection_struct *conn,
 				    + alignment_offset
 				    + data_alignment_offset);
 
-	/* useable_space can never be more than max_send minus the alignment offset. */
-
-	useable_space = MIN(useable_space, max_send - (alignment_offset+data_alignment_offset));
+	if (useable_space < 0) {
+		DEBUG(0, ("send_trans2_replies failed sanity useable_space "
+			  "= %d!!!", useable_space));
+		exit_server_cleanly("send_trans2_replies: Not enough space");
+	}
 
 	while (params_to_send || data_to_send) {
 		/* Calculate whether we will totally or partially fill this packet */
 
-		total_sent_thistime = params_to_send + data_to_send + alignment_offset + data_alignment_offset;
+		total_sent_thistime = params_to_send + data_to_send;
 
 		/* We can never send more than useable_space */
 		/*
@@ -754,9 +756,10 @@ void send_trans2_replies(connection_struct *conn,
 		 * are sent here. Fix from Marc_Jacobsen@hp.com.
 		 */
 
-		total_sent_thistime = MIN(total_sent_thistime, useable_space+ alignment_offset + data_alignment_offset);
+		total_sent_thistime = MIN(total_sent_thistime, useable_space);
 
-		reply_outbuf(req, 10, total_sent_thistime);
+		reply_outbuf(req, 10, total_sent_thistime + alignment_offset
+			     + data_alignment_offset);
 
 		/* Set total params and data to be sent */
 		SSVAL(req->outbuf,smb_tprcnt,paramsize);