From 5a0d1f8e984cb9deb2cc45a98a13babfec145d3e Mon Sep 17 00:00:00 2001
From: Robert Sprowson <webpages@sprow.co.uk>
Date: Sun, 19 Jul 2020 12:59:00 +0100
Subject: [PATCH] s3:smbd: Out-by-4 error in smbd read reply max_send clamp

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14443

Signed-off-by: Robert Sprowson <webpages@sprow.co.uk>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Jun  8 19:50:08 UTC 2022 on sn-devel-184

(cherry picked from commit 174a76cc27f25120af5a86bee3f26d9afad87d8f)
---
 source3/smbd/reply.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index 40313f3209c..d4573d3da55 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -3853,7 +3853,7 @@ static void reply_lockread_locked(struct tevent_req *subreq)
 	/*
 	 * However the requested READ size IS affected by max_send. Insanity.... JRA.
 	 */
-	maxtoread = req->xconn->smb1.sessions.max_send - (smb_size + 5*2 + 3);
+	maxtoread = req->xconn->smb1.sessions.max_send - (MIN_SMB_SIZE + 5*2 + 3);
 
 	if (numtoread > maxtoread) {
 		DBG_WARNING("requested read size (%zu) is greater than "
@@ -3949,7 +3949,7 @@ void reply_read(struct smb_request *req)
 	/*
 	 * The requested read size cannot be greater than max_send. JRA.
 	 */
-	maxtoread = xconn->smb1.sessions.max_send - (smb_size + 5*2 + 3);
+	maxtoread = xconn->smb1.sessions.max_send - (MIN_SMB_SIZE + 5*2 + 3);
 
 	if (numtoread > maxtoread) {
 		DEBUG(0,("reply_read: requested read size (%u) is greater than maximum allowed (%u/%u). \
-- 
2.34.1