From bc83e494f8edef1dc347ef9af7a8b9e43ac4b474 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Wed, 28 Jan 2015 15:22:30 +0100
Subject: [PATCH 1/2] s3:smb2_server: always try to grant the credits the client just consumed
It turns out that the effective credits_requested is always at least 1, even if the client sends credits_requested == 0. This means the client is not able to reduce the amount of credits itself. Without this fix a client (e.g. Windows7) would reach the case where it has been granted all credits it asked for. When copying a large file with a lot of parallel requests, all these requests have credits_requested == 0. This means the amount of granted credits where reduced by each request and only when the granted credits reached 0, the server granted one credit to allow the client to go on. The client might require more than one credit ([MS-SMB2] says Windows clients require at least 4 credits) and freezes with just 1 credit.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=9702
Signed-off-by: Stefan Metzmacher
Reviewed-by: Ralph Boehme
Reviewed-by: Jeremy Allison
(cherry picked from commit 1944c857e59922a2ebfc88a6a824a6ed9396f2d5)
---
 source3/smbd/smb2_server.c | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c
index 39155b8..d131ff5 100644
--- a/source3/smbd/smb2_server.c
+++ b/source3/smbd/smb2_server.c
@@ -802,6 +802,7 @@ static void smb2_set_operation_credit(struct smbXsrv_connection *xconn,
 cmd = SVAL(inhdr, SMB2_HDR_OPCODE);
 credits_requested = SVAL(inhdr, SMB2_HDR_CREDIT);
+ credits_requested = MAX(credits_requested, 1);
 out_flags = IVAL(outhdr, SMB2_HDR_FLAGS);
 out_status = NT_STATUS(IVAL(outhdr, SMB2_HDR_STATUS));
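Review bot: The added clamp `credits_requested = MAX(credits_requested, 1);` carries no comment, yet `uint16_t additional_credits = credits_requested - 1;` in the second hunk of this patch now depends on it. That line is reached on every non-final response once the `credits_requested > 0` test is gone, and with a value of 0 the subtraction would wrap to 65535 before the later MIN() clamp. I would state the invariant at the clamp, for example `/* a request for 0 credits is treated as 1, so credits_requested - 1 below cannot wrap */`. The function body starts and ends outside this hunk, so the declared type of credits_requested is not visible here.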
@@ -820,7 +821,7 @@ static void smb2_set_operation_credit(struct smbXsrv_connection *xconn,
 * credits on the final response.
 */
 credits_granted = 0;
- } else if (credits_requested > 0) {
+ } else {
 uint16_t additional_max = 0;
 uint16_t additional_credits = credits_requested - 1;
@@ -849,11 +850,6 @@ static void smb2_set_operation_credit(struct smbXsrv_connection *xconn,
 additional_credits = MIN(additional_credits, additional_max);
 credits_granted = credit_charge + additional_credits;
- } else if (xconn->smb2.credits.granted == 0) {
- /*
- * Make sure the client has always at least one credit
- */
- credits_granted = 1;
 }
 /*
-- 
1.9.1
From 1543c5b4b48ff9563b60a046779d27df1c4b8d18 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Thu, 29 Jan 2015 10:12:30 +0100
Subject: [PATCH 2/2] s3:smb2_server: protect against integer wrap with "smb2 max credits = 65535"
Bug: https://bugzilla.samba.org/show_bug.cgi?id=9702
Signed-off-by: Stefan Metzmacher
Reviewed-by: Ralph Boehme
Autobuild-User(master): Stefan Metzmacher
Autobuild-Date(master): Thu Jan 29 14:58:40 CET 2015 on sn-devel-104
(cherry picked from commit 8aed0fc38ae28cce7fd1a443844a865265fc719c)
---
 source3/smbd/smb2_server.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c
index d131ff5..ea2ce7f 100644
--- a/source3/smbd/smb2_server.c
+++ b/source3/smbd/smb2_server.c
@@ -822,6 +822,8 @@ static void smb2_set_operation_credit(struct smbXsrv_connection *xconn,
 */
 credits_granted = 0;
 } else {
+ uint16_t additional_possible =
+ xconn->smb2.credits.max - credit_charge;
 uint16_t additional_max = 0;
 uint16_t additional_credits = credits_requested - 1;
@@ -847,6 +849,7 @@ static void smb2_set_operation_credit(struct smbXsrv_connection *xconn,
 break;
 }
+ additional_max = MIN(additional_max, additional_possible);
 additional_credits = MIN(additional_credits, additional_max);
 credits_granted = credit_charge + additional_credits;
-- 
1.9.1
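Review bot: In [PATCH 2/2], the added `uint16_t additional_possible = xconn->smb2.credits.max - credit_charge;` (hunk at -822,6) is itself an unsigned subtraction with no visible guarantee that credit_charge is not larger than credits.max. If it ever were, the result would wrap to a large value and the new `additional_max = MIN(additional_max, additional_possible);` in the next hunk would no longer bound the grant. credit_charge is assigned outside these hunks, so the bound may already be enforced earlier; if so, a comment naming that check would make the reliance explicit. Otherwise the subtraction could saturate instead: `uint16_t additional_possible = (credit_charge < xconn->smb2.credits.max) ? xconn->smb2.credits.max - credit_charge : 0;`.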