From 6ac3be5c7c26c307dd855dfd228a12edb46c0f40 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl@samba.org>
Date: Fri, 10 Feb 2012 08:10:39 +0100
Subject: [PATCH] v3-3: AndX offsets are increasing strictly monotonically

---
 source/smbd/process.c |   10 +++++++++-
 1 files changed, 9 insertions(+), 1 deletions(-)

diff --git a/source/smbd/process.c b/source/smbd/process.c
index 446b868..adad33a 100644
--- a/source/smbd/process.c
+++ b/source/smbd/process.c
@@ -1655,7 +1655,7 @@ void chain_reply(struct smb_request *req)
 	int size = smb_len(req->inbuf)+4;
 
 	int smb_com1, smb_com2 = CVAL(inbuf,smb_vwv0);
-	unsigned smb_off2 = SVAL(inbuf,smb_vwv1);
+	static unsigned smb_off2;
 	char *inbuf2;
 	int outsize2;
 	int new_size;
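Review bot: The new `static unsigned smb_off2` carries state between calls of chain_reply with nothing saying why, so a later reader will take it for an accidental static and "fix" it back to an automatic variable; a comment at the declaration should state the intent, e.g. `/* Offset of the previous AndX element. Static so it survives the re-entry of chain_reply for each element of the chain; reset to 0 when a new chain starts (chain_size == 0). */`. Being function-static, the check also assumes that one chain is processed to completion before chain_reply runs for any other request; if that is not guaranteed in this server model, stale state could reject a legitimate chain, and the same comment should say so. The body of chain_reply continues past this hunk, including the stretch between this hunk and the next: if smb_off2 is read there before the reset in the second hunk (the removed initializer hints it may have been), that read now sees the previous call's value rather than this request's vwv1.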
@@ -1679,8 +1679,16 @@ void chain_reply(struct smb_request *req)
 	if (chain_size == 0) {
 		/* this is the first part of the chain */
 		orig_inbuf = inbuf;
+		smb_off2 = 0;
 	}
 
+	if (SVAL(inbuf,smb_vwv1) <= smb_off2) {
+		DEBUG(1, ("AndX offset not increasing\n"));
+		SCVAL(outbuf, smb_vwv0, 0xFF);
+		return;
+	}
+	smb_off2 = SVAL(inbuf, smb_vwv1);
+
 	/*
 	 * We need to save the output the caller added to the chain so that we
 	 * can splice it into the final output buffer later.
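Review bot: The rejection at line 31 logs only a fixed string, so an operator seeing `AndX offset not increasing` cannot tell a malformed client from a deliberate pattern or how far the chain got before it stopped; the message should carry both values, `DEBUG(1, ("AndX offset %u not increasing (previous %u)\n", (unsigned)SVAL(inbuf,smb_vwv1), smb_off2));`. The early return ends the chain by writing 0xFF into the output's AndX command, which is correct only if the other error paths in chain_reply do the same and nothing acquired earlier in the function needs releasing — the function's beginning and end are outside the hunk, so this cannot be confirmed here. Since smb_off2 is 0 for a new chain, the `<=` comparison also rejects a first element whose offset is 0; that looks intended, as a valid offset points past the SMB header, but a one-line comment on the check would save the next reader the same reasoning.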
-- 
1.7.3.4