1761 Codenomicon findings in smbsrv
authorGordon Ross <gwr@nexenta.com>
Fri, 11 Nov 2011 21:50:53 -0500
changeset 13544 5a0585080fb5
parent 13543 3e8376ea8eb0
child 13545 86bdede5c41c
1761 Codenomicon findings in smbsrv Reviewed by: Dan McDonald <[email protected]> Reviewed by: Albert Lee <[email protected]> Approved by: Garrett D'Amore <[email protected]>
usr/src/uts/common/fs/smbsrv/smb_dispatch.c
usr/src/uts/common/fs/smbsrv/smb_nt_transact_notify_change.c
usr/src/uts/common/fs/smbsrv/smb_session.c
usr/src/uts/common/fs/smbsrv/smb_write.c
--- a/usr/src/uts/common/fs/smbsrv/smb_dispatch.c	Fri Nov 11 21:55:53 2011 -0500
+++ b/usr/src/uts/common/fs/smbsrv/smb_dispatch.c	Fri Nov 11 21:50:53 2011 -0500
@@ -20,6 +20,7 @@
  */
 
 /*
+ * Copyright 2011 Nexenta Systems, Inc.  All rights reserved.
  * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
  */
 
@@ -523,6 +524,7 @@
 	smb_session_t		*session;
 	uint32_t		capabilities;
 	uint32_t		byte_count;
+	uint32_t		max_bytes;
 
 	session = sr->session;
 	capabilities = session->capabilities;
@@ -624,12 +626,18 @@
 	 * and this is SmbReadX/SmbWriteX since this enables
 	 * large reads/write and bcc is only 16-bits.
 	 */
+	max_bytes = sr->command.max_bytes - sr->command.chain_offset;
 	if (((sr->smb_com == SMB_COM_READ_ANDX) &&
 	    (capabilities & CAP_LARGE_READX)) ||
 	    ((sr->smb_com == SMB_COM_WRITE_ANDX) &&
 	    (capabilities & CAP_LARGE_WRITEX))) {
-		byte_count = sr->command.max_bytes - sr->command.chain_offset;
+		/* May be > BCC */
+		byte_count = max_bytes;
+	} else if (max_bytes < (uint32_t)sr->smb_bcc) {
+		/* BCC is bogus.  Will fail later. */
+		byte_count = max_bytes;
 	} else {
+		/* ordinary case */
 		byte_count = (uint32_t)sr->smb_bcc;
 	}
 
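Review bot: The added line `max_bytes = sr->command.max_bytes - sr->command.chain_offset;` is an unsigned subtraction, so if chain_offset ever exceeds max_bytes it wraps to a huge value, the new `max_bytes < (uint32_t)sr->smb_bcc` clamp never fires, and the bogus byte_count reaches the decoder; unless chain_offset is already validated against max_bytes earlier in the dispatcher (not visible in this hunk), write it as `max_bytes = (sr->command.chain_offset <= sr->command.max_bytes) ? sr->command.max_bytes - sr->command.chain_offset : 0;` so a malformed chain yields zero bytes and fails the same way the "BCC is bogus" branch does. Because this commit also drops the SMB_WRITEX_MAX cap from smb_write.c, this value becomes the only bound on WriteX data length, which makes the guard worth having here. The comment `/* BCC is bogus.  Will fail later. */` should name the step that rejects it, e.g. `/* BCC claims more bytes than were received; the data decode rejects it. */`, so a later reader can check that the failure still happens. The enclosing function begins before this hunk.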
--- a/usr/src/uts/common/fs/smbsrv/smb_nt_transact_notify_change.c	Fri Nov 11 21:55:53 2011 -0500
+++ b/usr/src/uts/common/fs/smbsrv/smb_nt_transact_notify_change.c	Fri Nov 11 21:50:53 2011 -0500
@@ -20,6 +20,7 @@
  */
 
 /*
+ * Copyright 2011 Nexenta Systems, Inc.  All rights reserved.
  * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
  */
 
@@ -201,7 +202,7 @@
 
 	node = sr->fid_ofile->f_node;
 
-	if (!smb_node_is_dir(node)) {
+	if (node == NULL || !smb_node_is_dir(node)) {
 		/*
 		 * Notify change requests are only valid on directories.
 		 */
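Review bot: The added `node == NULL` test is not covered by the comment that follows it, which explains only the directory requirement; add a line to that comment such as `* An open file with no backing node is rejected here as well.` so the check is not later removed as redundant. The line `node = sr->fid_ofile->f_node;` just above still dereferences `sr->fid_ofile` unconditionally; if the fid lookup earlier in this function (outside the hunk) can leave it NULL, the same class of crash remains one level up and is worth confirming. The enclosing function begins before this hunk.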
--- a/usr/src/uts/common/fs/smbsrv/smb_session.c	Fri Nov 11 21:55:53 2011 -0500
+++ b/usr/src/uts/common/fs/smbsrv/smb_session.c	Fri Nov 11 21:50:53 2011 -0500
@@ -19,6 +19,7 @@
  * CDDL HEADER END
  */
 /*
+ * Copyright 2011 Nexenta Systems, Inc.  All rights reserved.
  * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
  */
 #include <sys/atomic.h>
@@ -367,6 +368,7 @@
 	mutex_enter(&sr->sr_mutex);
 	switch (sr->sr_state) {
 
+	case SMB_REQ_STATE_INITIALIZING:
 	case SMB_REQ_STATE_SUBMITTED:
 	case SMB_REQ_STATE_ACTIVE:
 	case SMB_REQ_STATE_CLEANED_UP:
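Review bot: SMB_REQ_STATE_INITIALIZING is moved from the panic group into the group shared with SUBMITTED/ACTIVE/CLEANED_UP without a comment saying why a request in that state is now expected here; the body those cases share lies outside the hunk, so the diff alone does not show that it copes with a partially set-up sr. A one-line comment on the added case recording which path can observe this state (presumably a request torn down before submission, given the commit title) would document the fix, e.g. `/* seen when a request is torn down before it is submitted */` with the actual path filled in. The second hunk in this file, which adds `case SMB_REQ_STATE_FREE:` in front of `default:`, changes nothing since default already panics; a comment such as `/* listed explicitly: must never be on the session's request list */` would state the intent that the removed comment block used to carry.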
@@ -404,11 +406,8 @@
 		 * is completing.
 		 */
 		break;
-	/*
-	 * Cases included:
-	 *	SMB_REQ_STATE_FREE:
-	 *	SMB_REQ_STATE_INITIALIZING:
-	 */
+
+	case SMB_REQ_STATE_FREE:
 	default:
 		SMB_PANIC();
 	}
--- a/usr/src/uts/common/fs/smbsrv/smb_write.c	Fri Nov 11 21:55:53 2011 -0500
+++ b/usr/src/uts/common/fs/smbsrv/smb_write.c	Fri Nov 11 21:50:53 2011 -0500
@@ -20,6 +20,7 @@
  */
 
 /*
+ * Copyright 2011 Nexenta Systems, Inc.  All rights reserved.
  * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
  */
 
@@ -29,14 +30,6 @@
 #include <smbsrv/netbios.h>
 
 
-/*
- * The limit in bytes that the marshalling will grow the buffer
- * chain to accomodate incoming data on SmbWriteX requests.
- * This sets the upper limit for the data-count per SmbWriteX
- * request.
- */
-#define	SMB_WRITEX_MAX		102400
-
 static int smb_write_truncate(smb_request_t *, smb_rw_param_t *);
 
 
@@ -418,7 +411,6 @@
 		return (SDRC_ERROR);
 	}
 
-	sr->smb_data.max_bytes = SMB_WRITEX_MAX;
 	rc = smbsr_decode_data(sr, "#.#B", param->rw_dsoff, param->rw_count,
 	    &param->rw_vdb);