From f781c9c693462b89b60a3662d2a1224c9387a725 Mon Sep 17 00:00:00 2001
From: Volker Lendecke
Date: Fri, 10 Feb 2012 08:10:39 +0100
Subject: [PATCH 1/2] v3-3: AndX offsets are increasing strictly monotonically

---
 source/smbd/process.c | 10 +++++++++-
 1 files changed, 9 insertions(+), 1 deletions(-)

diff --git source/smbd/process.c source/smbd/process.c
index e861e16..f64e1ce 100644
--- source/smbd/process.c
+++ source/smbd/process.c
@@ -1160,7 +1160,7 @@ int chain_reply(char *inbuf,char *outbuf,int size,int bufsize)
 static char *orig_inbuf;
 static char *orig_outbuf;
 int smb_com1, smb_com2 = CVAL(inbuf,smb_vwv0);
- unsigned smb_off2 = SVAL(inbuf,smb_vwv1);
+ static unsigned smb_off2;
 char *inbuf2, *outbuf2;
 int outsize2;
 int new_size;
@@ -1178,8 +1178,16 @@ int chain_reply(char *inbuf,char *outbuf,int size,int bufsize)
 /* this is the first part of the chain */
 orig_inbuf = inbuf;
 orig_outbuf = outbuf;
+ smb_off2 = 0;
 }
 
+ if (SVAL(inbuf,smb_vwv1) <= smb_off2) {
+ DEBUG(1, ("AndX offset not increasing\n"));
+ SCVAL(outbuf, smb_vwv0, 0xFF);
+ return outsize;
+ }
+ smb_off2 = SVAL(inbuf, smb_vwv1);
+
 /*
 * The original Win95 redirector dies on a reply to
 * a lockingX and read chain unless the chain reply is
-- 
1.7.3.4
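Review bot: The new `if (SVAL(inbuf,smb_vwv1) <= smb_off2)` check in the second hunk stops backwards-pointing AndX chains, but it leaves the reader to work out the lifecycle of the now-static `smb_off2`, which is only reset in the "first part of the chain" branch whose condition lies outside the hunk — a comment such as `/* AndX offsets within one chain must strictly increase; reset per request in the first-part branch above */` on that `if` would make the dependency explicit. The `return outsize` path logs at level 1 and ends the chain by writing 0xFF into smb_vwv0 of the reply; a short comment that this is the deliberate response to a malformed chain, not an internal error, would help the next maintainer. The comparison only orders each offset relative to the previous one; whether `orig_inbuf + smb_off2` is additionally bounded by the received packet length is handled outside this hunk and cannot be confirmed here. chain_reply's body begins and ends outside both hunks.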