From 14d59e1c8ba37ddd80fda6c8288ba743c25f11e1 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Wed, 26 Sep 2012 16:58:58 -0700
Subject: [PATCH] Fix bug #9209 - Parse of invalid SMB2 create blob can cause smbd crash.

Ensure we correctly protect against blobs with data_offset==0 and data_length != 0.

Jeremy.

Autobuild-User(master): Jeremy Allison
Autobuild-Date(master): Thu Sep 27 22:07:02 CEST 2012 on sn-devel-104
(cherry picked from commit 322e3d42f65dadabeccf8813fcb0e9b7d353ffb2)
(cherry picked from commit dd8e9801d6bcb8c6dca42312ffcb24149eb2645a)
---
 libcli/smb/smb2_create_blob.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/libcli/smb/smb2_create_blob.c b/libcli/smb/smb2_create_blob.c
index ddfdc85da1c..d3a96634c6e 100644
--- a/libcli/smb/smb2_create_blob.c
+++ b/libcli/smb/smb2_create_blob.c
@@ -64,9 +64,8 @@ NTSTATUS smb2_create_blob_parse(TALLOC_CTX *mem_ctx, const DATA_BLOB buffer,
 name_offset + name_length > remaining ||
 (data_offset & 0x7) != 0 ||
 (data_offset && (data_offset < name_offset + name_length)) ||
- (data_offset && (data_offset > remaining)) ||
- (data_offset && data_length &&
- (data_offset + (uint64_t)data_length > remaining))) {
+ (data_offset > remaining) ||
+ (data_offset + (uint64_t)data_length > remaining)) {
 return NT_STATUS_INVALID_PARAMETER;
 }

-- 
2.11.4.GIT
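Review bot: An entry with `data_offset == 0` and a nonzero `data_length` that fits within `remaining` still passes this condition, because the ordering test `(data_offset && (data_offset < name_offset + name_length))` keeps its zero exemption while the two bounds tests no longer have one. If the code after the check reads `data_length` bytes starting at `data + data_offset` (not visible here; the body of smb2_create_blob_parse starts and continues outside the hunk), the resulting blob would alias the entry's own header and name bytes rather than a real payload. Consider rejecting the combination outright with one more clause, `(data_offset == 0 && data_length != 0) ||`, or add a comment above the condition stating why a zero offset with a nonzero length is acceptable once it is bounds-checked. A regression test that feeds the parser a blob of that shape would pin the intended behaviour for bug #9209.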