Index: smbd/dir.c
===================================================================
--- smbd/dir.c (revision 8607)
+++ smbd/dir.c (working copy)
@@ -641,6 +641,8 @@
 Fill the 5 byte server reserved dptr field.
 ****************************************************************************/
 
+#define DPTR_MASK ((uint32)(((uint32)1)<<31))
+
 BOOL dptr_fill(char *buf1,unsigned int key)
 {
 unsigned char *buf = (unsigned char *)buf1;
@@ -653,8 +655,12 @@
 offset = (uint32)TellDir(dptr->dir_hnd);
 DEBUG(6,("fill on key %u dirptr 0x%lx now at %d\n",key,
 (long)dptr->dir_hnd,(int)offset));
+ if (offset != (uint32)-1 && (offset & DPTR_MASK)) {
+ DEBUG(0,("dptr_fill: Error - offset has bit 32 set. Can't use in server state.\n"));
+ return False;
+ }
 buf[0] = key;
- SIVAL(buf,1,offset);
+ SIVAL(buf,1,offset | DPTR_MASK);
 return(True);
 }
 
@@ -678,7 +684,7 @@
 if (offset == (uint32)-1) {
 seekoff = -1;
 } else {
- seekoff = (long)offset;
+ seekoff = (long)(offset & ~DPTR_MASK);
 }
 SeekDir(dptr->dir_hnd,seekoff);
 DEBUG(3,("fetching dirptr %d for path %s at offset %d\n",
Index: smbd/reply.c
===================================================================
--- smbd/reply.c (revision 8607)
+++ smbd/reply.c (working copy)
@@ -1156,7 +1156,9 @@
 memcpy(p,status,21);
 make_dir_struct(p,mask,fname,size, mode,date,
 !allow_long_path_components);
- dptr_fill(p+12,dptr_num);
+ if (!dptr_fill(p+12,dptr_num)) {
+ break;
+ }
 numentries++;
 p += DIR_STRUCT_SIZE;
 }
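Review bot: `DPTR_MASK` in smbd/dir.c (hunk at -641) is introduced without a comment, and its purpose only becomes clear after reading both dptr_fill() and the fetch path further down. A short comment above the define would record the contract, e.g. `/* Top bit of the 32-bit offset kept in the resume key: always set on store, stripped on fetch, so directory offsets must fit in 31 bits. */`.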
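Review bot: In dptr_fill() (smbd/dir.c, hunk at -653) an offset of 0x7FFFFFFF passes the new check, and `offset | DPTR_MASK` then stores 0xFFFFFFFF, which the fetch path in the next hunk treats as the `(uint32)-1` sentinel and turns into `seekoff = -1`. Whether TellDir() can return that value is not visible here, but the guard can exclude it cheaply: `if (offset != (uint32)-1 && ((offset & DPTR_MASK) || offset == ~DPTR_MASK)) {`. The log text says "bit 32" while the mask is `1<<31`; "top bit" would match the code. The start of dptr_fill() lies outside the hunk.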
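Review bot: The fetch side (smbd/dir.c, hunk at -678) clears the marker with `offset & ~DPTR_MASK` but never checks that it was set, so a key that dptr_fill() did not produce is accepted and passed to SeekDir() as if it were valid. The buffer presumably comes back from the client, so a value lacking the marker deserves at least a log line ahead of the mask, e.g. `if (!(offset & DPTR_MASK)) { DEBUG(3,("resume key offset lacks DPTR_MASK\n")); }`. The enclosing function starts and ends outside the hunk.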
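Review bot: In smbd/reply.c the new `break` fires after memcpy() and make_dir_struct() have already written the entry at `p`, and the loop is left with no status to tell this apart from a normal end of directory. The client would presumably get a shortened listing with no error. If that degradation is intended, say so at the call site, e.g. `/* Offset not representable in the resume key: stop and return what we have. */`; otherwise record the failure so the code after the loop can return an error. The loop and the code that follows it are outside the hunk.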