@@ -, +, @@ 
---
 source/smbd/ipc.c     |    6 +++---
 source/smbd/nttrans.c |    6 +++---
 source/smbd/trans2.c  |    6 +++---
 3 files changed, 9 insertions(+), 9 deletions(-)
--- a/source/smbd/ipc.c	
+++ a/source/smbd/ipc.c	
@@ -764,10 +764,10 @@ void reply_transs(struct smb_request *req)
 			goto bad_param;
 		}
 
-		if (ddisp > av_size ||
+		if (doff > av_size ||
 				dcnt > av_size ||
-				ddisp+dcnt > av_size ||
-				ddisp+dcnt < ddisp) {
+				doff+dcnt > av_size ||
+				doff+dcnt < doff) {
 			goto bad_param;
 		}
 
--- a/source/smbd/nttrans.c	
+++ a/source/smbd/nttrans.c	
@@ -2853,10 +2853,10 @@ void reply_nttranss(struct smb_request *req)
 			goto bad_param;
 		}
 
-		if (ddisp > av_size ||
+		if (doff > av_size ||
 				dcnt > av_size ||
-				ddisp+dcnt > av_size ||
-				ddisp+dcnt < ddisp) {
+				doff+dcnt > av_size ||
+				doff+dcnt < doff) {
 			goto bad_param;
 		}
 
--- a/source/smbd/trans2.c	
+++ a/source/smbd/trans2.c	
@@ -7785,10 +7785,10 @@ void reply_transs2(struct smb_request *req)
 			goto bad_param;
 		}
 
-		if (ddisp > av_size ||
+		if (doff > av_size ||
 				dcnt > av_size ||
-				ddisp+dcnt > av_size ||
-				ddisp+dcnt < ddisp) {
+				doff+dcnt > av_size ||
+				doff+dcnt < doff) {
 			goto bad_param;
 		}
 
--