[Pkg-samba-maint] [samba] 14/29: libcli/smb: fix smb2cli_ioctl*() against Windows 2008.

Jelmer Vernooij jelmer at moszumanska.debian.org
Fri Dec 6 23:16:45 UTC 2013


This is an automated email from the git hooks/post-receive script.

jelmer pushed a commit to branch samba_4.1
in repository samba.

commit 8db5eccaf25ae3d6c047ad642370ed154b0fddc7
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Oct 28 15:43:03 2013 +0100

    libcli/smb: fix smb2cli_ioctl*() against Windows 2008.
    
    The subsections of [MS-SMB2] "3.2.5.14 Receiving an SMB2 IOCTL Response"
    say the client should ignore the InputOffset/InputCount.
    
    We do that only if we ask for max_input_length = 0.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=10232
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Thu Oct 31 01:16:10 CET 2013 on sn-devel-104
    (cherry picked from commit 127fc670a39d15eaa3869045fca0287ba7df9efa)
---
 libcli/smb/smb2cli_ioctl.c | 33 +++++++++++++++++++++++++++++----
 1 file changed, 29 insertions(+), 4 deletions(-)

diff --git a/libcli/smb/smb2cli_ioctl.c b/libcli/smb/smb2cli_ioctl.c
index 8de7635..3090693 100644
--- a/libcli/smb/smb2cli_ioctl.c
+++ b/libcli/smb/smb2cli_ioctl.c
@@ -213,7 +213,21 @@ static void smb2cli_ioctl_done(struct tevent_req *subreq)
 			return;
 		}
 
-		if (input_buffer_length < dyn_len) {
+		ofs = input_buffer_length;
+		ofs = NDR_ROUND(ofs, 8);
+
+		if (state->max_input_length == 0) {
+			/*
+			 * If max_input_length is 0 we ignore
+			 * the input_buffer_length, because
+			 * Windows 2008 echos the DCERPC request
+			 * from the requested input_buffer
+			 * to the response input_buffer.
+			 */
+			input_buffer_length = 0;
+		}
+
+		if (input_buffer_length > dyn_len) {
 			tevent_req_nterror(
 				req, NT_STATUS_INVALID_NETWORK_RESPONSE);
 			return;
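Review bot: In the `max_input_length == 0` path the server-supplied `input_buffer_length` is zeroed before the `input_buffer_length > dyn_len` test, so the only bound left on the peer's value is the later check on the rounded `ofs`. If `ofs` is a 32-bit unsigned (its declaration is outside the hunk), `NDR_ROUND(ofs, 8)` on a length within 7 of the maximum wraps to 0, and an absurd length is accepted as "no input data" instead of being rejected with NT_STATUS_INVALID_NETWORK_RESPONSE. Running the raw comparison first, i.e. moving `if (input_buffer_length > dyn_len) {` above the `if (state->max_input_length == 0) {` block, keeps the range check on the untrusted value in both paths. A short comment on `ofs = input_buffer_length;` saying it is captured before the reset so that the echoed bytes are still skipped would also help. The body of smb2cli_ioctl_done continues outside the hunk.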
@@ -228,8 +242,11 @@ static void smb2cli_ioctl_done(struct tevent_req *subreq)
 		state->out_input_buffer.data = dyn;
 		state->out_input_buffer.length = input_buffer_length;
 
-		ofs = input_buffer_length;
-		ofs = NDR_ROUND(ofs, 8);
+		if (ofs > dyn_len) {
+			tevent_req_nterror(
+				req, NT_STATUS_INVALID_NETWORK_RESPONSE);
+			return;
+		}
 
 		dyn_ofs += ofs;
 		dyn += ofs;
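Review bot: The new `ofs > dyn_len` test compares the 8-byte-rounded length, so a response whose input data are the last bytes of the packet without trailing padding is refused even though `input_buffer_length <= dyn_len` already held. If that is intended, a comment such as `/* the padded input area must fit in the remaining dynamic part before we advance dyn */` would make it clear. If it is not, clamping with `ofs = MIN(ofs, dyn_len);` before `dyn_ofs += ofs;` avoids the rejection while still keeping `dyn` inside the received buffer. Whether any server omits the padding cannot be told from this hunk, and the statements after `dyn += ofs;` are outside it.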
@@ -243,7 +260,15 @@ static void smb2cli_ioctl_done(struct tevent_req *subreq)
 			return;
 		}
 
-		if (output_buffer_length < dyn_len) {
+		if (state->max_output_length == 0) {
+			/*
+			 * We do the same logic as for
+			 * max_input_length.
+			 */
+			output_buffer_length = 0;
+		}
+
+		if (output_buffer_length > dyn_len) {
 			tevent_req_nterror(
 				req, NT_STATUS_INVALID_NETWORK_RESPONSE);
 			return;
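Review bot: The comment `We do the same logic as for max_input_length.` gives no reason for discarding the server's `output_buffer_length`, and the commit message cites [MS-SMB2] 3.2.5.14 only for InputOffset/InputCount. The input-side rationale (Windows 2008 echoing the request) does not obviously apply to output, so the comment should state on its own why a non-zero output length from the peer is ignored when `max_output_length == 0`, for example `/* The caller asked for no output data, so ignore whatever length the server reports. */`. Unlike the input branch, no offset is kept here to skip the ignored bytes. That looks fine if the output buffer is the last part of the response, but the rest of the function is outside the hunk.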

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-samba/samba.git



