From 60b18c08a352948eab18e8b79e3b2cbbf92cdf7d Mon Sep 17 00:00:00 2001
From: Ralph Wuerthner
Date: Thu, 4 Apr 2013 12:59:36 +0200
Subject: [PATCH 1/3] s3:smbd: do not access data behind req->buf+req->buflen in srvstr_get_path_req_wcard()
---
 source3/smbd/reply.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index 7b19817..17dd513 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -318,9 +318,16 @@ size_t srvstr_get_path_req_wcard(TALLOC_CTX *mem_ctx, struct smb_request *req,
 char **pp_dest, const char *src, int flags,
 NTSTATUS *err, bool *contains_wcard)
 {
- return srvstr_get_path_wcard(mem_ctx, (const char *)req->inbuf, req->flags2,
- pp_dest, src, smbreq_bufrem(req, src),
- flags, err, contains_wcard);
+ ssize_t bufrem = smbreq_bufrem(req, src);
+
+ if (bufrem < 0) {
+ *err = NT_STATUS_INVALID_PARAMETER;
+ return 0;
+ }
+
+ return srvstr_get_path_wcard(mem_ctx, (const char *)req->inbuf,
+ req->flags2, pp_dest, src, bufrem, flags,
+ err, contains_wcard);
 }
 
 size_t srvstr_get_path_req(TALLOC_CTX *mem_ctx, struct smb_request *req,
--
1.7.9.5
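Review bot: The new early return for `bufrem < 0` writes only `*err` and leaves `*pp_dest` and `*contains_wcard` untouched, so a caller that reads either of them before checking the status sees whatever was there before the call. srvstr_get_path_wcard() is not visible in this hunk, but it presumably initialises both outputs on its own failure paths; adding `*pp_dest = NULL;` and `*contains_wcard = false;` before `return 0;` would keep the failure contract the same on both paths. The `< 0` test also only works if smbreq_bufrem() yields a signed value, and it rejects a `src` past the end of the request buffer but not one before `req->buf`. A short comment above the check, stating which cases it rejects, would make that explicit.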