From 8aed0fc38ae28cce7fd1a443844a865265fc719c Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 29 Jan 2015 10:12:30 +0100
Subject: [PATCH] s3:smb2_server: protect against integer wrap with "smb2 max
 credits = 65535"

Bug: https://bugzilla.samba.org/show_bug.cgi?id=9702

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Jan 29 14:58:40 CET 2015 on sn-devel-104
---
 source3/smbd/smb2_server.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c
index a740b40771b..25d11b1eb18 100644
--- a/source3/smbd/smb2_server.c
+++ b/source3/smbd/smb2_server.c
@@ -823,6 +823,8 @@ static void smb2_set_operation_credit(struct smbXsrv_connection *xconn,
 		 */
 		credits_granted = 0;
 	} else {
+		uint16_t additional_possible =
+			xconn->smb2.credits.max - credit_charge;
 		uint16_t additional_max = 0;
 		uint16_t additional_credits = credits_requested - 1;
 
@@ -848,6 +850,7 @@ static void smb2_set_operation_credit(struct smbXsrv_connection *xconn,
 			break;
 		}
 
+		additional_max = MIN(additional_max, additional_possible);
 		additional_credits = MIN(additional_credits, additional_max);
 
 		credits_granted = credit_charge + additional_credits;
-- 
2.11.4.GIT