From a693ca401bb896918a5bb952a531cfc6b657228a Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Wed, 13 Mar 2013 17:19:32 -0700
Subject: [PATCH 1/2] Ensure we explicitly ignore 0xFFFF value for upper
 length.

Signed-off-by: Jeremy Allison <jra@samba.org>
---
 source3/smbd/reply.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index a708fd8..5dbd6b4 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -3756,6 +3756,13 @@ void reply_read_and_X(struct smb_request *req)
 
 	if (global_client_caps & CAP_LARGE_READX) {
 		size_t upper_size = SVAL(req->vwv+7, 0);
+		/*
+		 * Some clients send this as an explicit invalid
+		 * value.
+		 */
+		if (upper_size == 0xFFFF) {
+			upper_size = 0;
+		}
 		smb_maxcnt |= (upper_size<<16);
 		if (upper_size > 1) {
 			/* Can't do this on a chained packet. */
-- 
1.8.1.3


From 049dd27fe65ff1a6bc7caf98dd87af164824856b Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Wed, 13 Mar 2013 17:20:32 -0700
Subject: [PATCH 2/2] Correctly identify big_readX.

We can't just look for the upper length value being
greater than 1, as the actual limit is 0x1FFFF minus
the SMB header and VWV sizes.

Signed-off-by: Jeremy Allison <jra@samba.org>
---
 source3/smbd/reply.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index 5dbd6b4..06f2644 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -3764,7 +3764,7 @@ void reply_read_and_X(struct smb_request *req)
 			upper_size = 0;
 		}
 		smb_maxcnt |= (upper_size<<16);
-		if (upper_size > 1) {
+		if (smb_maxcnt > (0x1FFFF - (smb_size -4 + 12*2)))  {
 			/* Can't do this on a chained packet. */
 			if ((CVAL(req->vwv+0, 0) != 0xFF)) {
 				reply_nterror(req, NT_STATUS_NOT_SUPPORTED);
-- 
1.8.1.3