From 1039e5fd2b02a9062e1b38f868a5cf1ce6b00116 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 6 Dec 2013 13:52:09 +0100
Subject: [PATCH] s3:smbd: reject a MaxBufferSize < SMB_BUFFER_SIZE_MIN (500)
 in a session setup request

This makes sure sconn->smb1.sessions.max_send is always >= SMB_BUFFER_SIZE_MIN.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10422
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit cce1eaea91088efd742891befdaafade0c1fdce6)
---
 source3/smbd/sesssetup.c | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index 4728759c6cc..512832847cc 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -379,10 +379,13 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req)
 		}
 
 		if (!sconn->smb1.sessions.done_sesssetup) {
-			sconn->smb1.sessions.max_send =
-				MIN(sconn->smb1.sessions.max_send,smb_bufsize);
+			if (smb_bufsize < SMB_BUFFER_SIZE_MIN) {
+				reply_force_doserror(req, ERRSRV, ERRerror);
+				return;
+			}
+			sconn->smb1.sessions.max_send = smb_bufsize;
+			sconn->smb1.sessions.done_sesssetup = true;
 		}
-		sconn->smb1.sessions.done_sesssetup = true;
 
 		/* current_user_info is changed on new vuid */
 		reload_services(sconn, conn_snum_used, true);
@@ -1084,10 +1087,14 @@ void reply_sesssetup_and_X(struct smb_request *req)
 	req->vuid = sess_vuid;
 
 	if (!sconn->smb1.sessions.done_sesssetup) {
-		sconn->smb1.sessions.max_send =
-			MIN(sconn->smb1.sessions.max_send,smb_bufsize);
+		if (smb_bufsize < SMB_BUFFER_SIZE_MIN) {
+			reply_force_doserror(req, ERRSRV, ERRerror);
+			END_PROFILE(SMBsesssetupX);
+			return;
+		}
+		sconn->smb1.sessions.max_send = smb_bufsize;
+		sconn->smb1.sessions.done_sesssetup = true;
 	}
-	sconn->smb1.sessions.done_sesssetup = true;
 
 	END_PROFILE(SMBsesssetupX);
 }
-- 
2.11.4.GIT