From 8fd9fe309c8ce7020fe26e2dda42efbdb9d9249e Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 28 Jan 2015 15:22:30 +0100 Subject: [PATCH 1/2] s3:smb2_server: always try to grant the credits the client just consumed It turns out that the effective credits_requested is always at least 1, even if the client sends credits_requested == 0. This means the client is not able to reduce the amount of credits itself. Without this fix a client (e.g. Windows7) would reach the case where it has been granted all credits it asked for. When copying a large file with a lot of parallel requests, all these requests have credits_requested == 0. This means the amount of granted credits where reduced by each request and only when the granted credits reached 0, the server granted one credit to allow the client to go on. The client might require more than one credit ([MS-SMB2] says Windows clients require at least 4 credits) and freezes with just 1 credit. Bug: https://bugzilla.samba.org/show_bug.cgi?id=9702 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme Reviewed-by: Jeremy Allison (similar to commit 1944c857e59922a2ebfc88a6a824a6ed9396f2d5) --- source3/smbd/smb2_server.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c index f7798fa..fb99f8d 100644 --- a/source3/smbd/smb2_server.c +++ b/source3/smbd/smb2_server.c @@ -777,6 +777,7 @@ static void smb2_set_operation_credit(struct smbd_server_connection *sconn, cmd = SVAL(inhdr, SMB2_HDR_OPCODE); credits_requested = SVAL(inhdr, SMB2_HDR_CREDIT); + credits_requested = MAX(credits_requested, 1); out_flags = IVAL(outhdr, SMB2_HDR_FLAGS); out_status = NT_STATUS(IVAL(outhdr, SMB2_HDR_STATUS)); @@ -795,7 +796,7 @@ static void smb2_set_operation_credit(struct smbd_server_connection *sconn, * credits on the final response. */ credits_granted = 0; - } else if (credits_requested > 0) { + } else { uint16_t additional_max = 0; uint16_t additional_credits = credits_requested - 1; @@ -824,11 +825,6 @@ static void smb2_set_operation_credit(struct smbd_server_connection *sconn, additional_credits = MIN(additional_credits, additional_max); credits_granted = credit_charge + additional_credits; - } else if (sconn->smb2.credits_granted == 0) { - /* - * Make sure the client has always at least one credit - */ - credits_granted = 1; } /* -- 1.9.1 From 51dbc58dd2c36f50d4156305cc77ddbf60e2e15b Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 29 Jan 2015 10:12:30 +0100 Subject: [PATCH 2/2] s3:smb2_server: protect against integer wrap with "smb2 max credits = 65535" Bug: https://bugzilla.samba.org/show_bug.cgi?id=9702 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Thu Jan 29 14:58:40 CET 2015 on sn-devel-104 (similar to commit 8aed0fc38ae28cce7fd1a443844a865265fc719c) --- source3/smbd/smb2_server.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c index fb99f8d..4f3fa15 100644 --- a/source3/smbd/smb2_server.c +++ b/source3/smbd/smb2_server.c @@ -797,6 +797,8 @@ static void smb2_set_operation_credit(struct smbd_server_connection *sconn, */ credits_granted = 0; } else { + uint16_t additional_possible = + sconn->smb2.max_credits - credit_charge; uint16_t additional_max = 0; uint16_t additional_credits = credits_requested - 1; @@ -822,6 +824,7 @@ static void smb2_set_operation_credit(struct smbd_server_connection *sconn, break; } + additional_max = MIN(additional_max, additional_possible); additional_credits = MIN(additional_credits, additional_max); credits_granted = credit_charge + additional_credits; -- 1.9.1