summaryrefslogtreecommitdiffstats
path: root/source/smbd/reply.c
diff options
context:
space:
mode:
Diffstat (limited to 'source/smbd/reply.c')
-rw-r--r--source/smbd/reply.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/source/smbd/reply.c b/source/smbd/reply.c
index 44ee4a4076d..10fcadff673 100644
--- a/source/smbd/reply.c
+++ b/source/smbd/reply.c
@@ -2660,7 +2660,7 @@ int reply_write_and_X(connection_struct *conn, char *inbuf,char *outbuf,int leng
{
files_struct *fsp = file_fsp(inbuf,smb_vwv2);
SMB_OFF_T startpos = IVAL(inbuf,smb_vwv3);
- size_t numtowrite = SVAL(inbuf,smb_vwv10)|(((size_t)SVAL(inbuf,smb_vwv9))<<16);
+ size_t numtowrite = SVAL(inbuf,smb_vwv10);
BOOL write_through = BITSETW(inbuf+smb_vwv7,0);
ssize_t nwritten = -1;
unsigned int smb_doff = SVAL(inbuf,smb_vwv11);
@@ -2678,6 +2678,10 @@ int reply_write_and_X(connection_struct *conn, char *inbuf,char *outbuf,int leng
CHECK_WRITE(fsp);
CHECK_ERROR(fsp);
+ /* Deal with possible LARGE_WRITEX */
+ if (smblen > 0xFFFF)
+ numtowrite |= ((((size_t)SVAL(inbuf,smb_vwv9)) & 1 )<<16);
+
if(smb_doff > smblen || (smb_doff + numtowrite > smblen)) {
END_PROFILE(SMBwriteX);
return(ERROR(ERRDOS,ERRbadmem));