From 5a05e687ce724ea808cdb1e6627b9c67804eb879 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Mon, 18 Mar 2013 19:50:38 +0100
Subject: [PATCH] s4:smb_server: fix large read_andx requests

Signed-off-by: Stefan Metzmacher
Reviewed-by: Jeremy Allison
---
 source4/smb_server/smb/reply.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/source4/smb_server/smb/reply.c b/source4/smb_server/smb/reply.c
index bae6b2ca79e..7ce5f5dbaa5 100644
--- a/source4/smb_server/smb/reply.c
+++ b/source4/smb_server/smb/reply.c
@@ -848,6 +848,7 @@ static void reply_read_and_X_send(struct ntvfs_request *ntvfs)
 void smbsrv_reply_read_and_X(struct smbsrv_request *req)
 {
 union smb_read *io;
+ uint16_t high_part = 0;
 /* parse request */
 if (req->in.wct != 12) {
@@ -869,13 +870,18 @@ void smbsrv_reply_read_and_X(struct smbsrv_request *req)
 io->readx.in.read_for_execute = false;
 }
- if (req->smb_conn->negotiate.client_caps & CAP_LARGE_READX) {
- uint32_t high_part = IVAL(req->in.vwv, VWV(7));
- if (high_part == 1) {
- io->readx.in.maxcnt |= high_part << 16;
- }
+ if (req->smb_conn->negotiate.protocol == PROTOCOL_NT1) {
+ high_part = SVAL(req->in.vwv, VWV(7));
 }
-
+ if (high_part != UINT16_MAX) {
+ io->readx.in.maxcnt |= high_part << 16;
+ }
+
+ /*
+ * Windows truncates the length to 0x10000
+ */
+ io->readx.in.maxcnt = MIN(io->readx.in.maxcnt, 0x10000);
+
 /* the 64 bit variant */
 if (req->in.wct == 12) {
 uint32_t offset_high = IVAL(req->in.vwv, VWV(10));
-- 
2.11.4.GIT
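Review bot: In the second hunk, `io->readx.in.maxcnt |= high_part << 16;` shifts a `uint16_t` that is first promoted to signed `int`, so where `int` is 32 bits any request value from 0x8000 to 0xFFFE shifts into the sign bit, which is undefined behaviour; the removed code avoided this by holding the field in a `uint32_t`. Casting before the shift keeps it well defined: `io->readx.in.maxcnt |= ((uint32_t)high_part) << 16;`. The `MIN(io->readx.in.maxcnt, 0x10000)` clamp that follows is the only visible bound on a length taken from the client request, so its comment could say that it is a limit the server relies on and not only a Windows-compatibility detail. The `high_part != UINT16_MAX` test has no comment explaining why that value is ignored, and one line on what the field holds in that case would help the next reader. The body of smbsrv_reply_read_and_X continues outside the hunk, so the type of `maxcnt` and the later use of the length are not visible here.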