1 files changed, 14 insertions, 3 deletions

diff --git a/source/smbd/reply.c b/source/smbd/reply.c
index 98d72ba742b..bad3c6f0a80 100644
--- a/source/smbd/reply.c
+++ b/source/smbd/reply.c
@@ -468,13 +468,22 @@ int reply_tcon_and_X(connection_struct *conn, char *inbuf,char *outbuf,int lengt
  
 	if (global_encrypted_passwords_negotiated) {
 		password = data_blob(smb_buf(inbuf),passlen);
+		if (lp_security() == SEC_SHARE) {
+			/*
+			 * Security = share always has a pad byte
+			 * after the password.
+			 */
+			p = smb_buf(inbuf) + passlen + 1;
+		} else {
+			p = smb_buf(inbuf) + passlen;
+		}
 	} else {
 		password = data_blob(smb_buf(inbuf),passlen+1);
 		/* Ensure correct termination */
-		password.data[passlen]=0;    
+		password.data[passlen]=0;
+		p = smb_buf(inbuf) + passlen + 1;
 	}
 
-	p = smb_buf(inbuf) + passlen;
 	p += srvstr_pull_buf(inbuf, path, p, sizeof(path), STR_TERMINATE);
 
 	/*
@@ -2705,8 +2714,10 @@ int reply_read_and_X(connection_struct *conn, char *inbuf,char *outbuf,int lengt
 	}
 
 	nread = send_file_readX(conn, inbuf, outbuf, length, bufsize, fsp, startpos, smb_maxcnt);
-	if (nread != -1)
+	/* Only call chain_reply if not an error. */
+	if (nread != -1 && SVAL(outbuf,smb_rcls) == 0) {
 		nread = chain_reply(inbuf,outbuf,length,bufsize);
+	}
 
 	END_PROFILE(SMBreadX);
 	return nread;