From 5c0ad49b380fe7d07810beebeac4171f0522a8d3 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 28 Jan 2015 15:22:30 +0100 Subject: [PATCH 1/2] s3:smb2_server: always try to grant the credits the client just consumed It turns out that the effective credits_requested is always at least 1, even if the client sends credits_requested == 0. This means the client is not able to reduce the amount of credits itself. Without this fix a client (e.g. Windows7) would reach the case where it has been granted all credits it asked for. When copying a large file with a lot of parallel requests, all these requests have credits_requested == 0. This means the amount of granted credits where reduced by each request and only when the granted credits reached 0, the server granted one credit to allow the client to go on. The client might require more than one credit ([MS-SMB2] says Windows clients require at least 4 credits) and freezes with just 1 credit. Bug: https://bugzilla.samba.org/show_bug.cgi?id=9702 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme Reviewed-by: Jeremy Allison (similar to commit 1944c857e59922a2ebfc88a6a824a6ed9396f2d5) --- source3/smbd/smb2_server.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c index d0dec0f..5d2aeb1 100644 --- a/source3/smbd/smb2_server.c +++ b/source3/smbd/smb2_server.c @@ -777,6 +777,7 @@ static void smb2_set_operation_credit(struct smbd_server_connection *sconn, cmd = SVAL(inhdr, SMB2_HDR_OPCODE); credits_requested = SVAL(inhdr, SMB2_HDR_CREDIT); + credits_requested = MAX(credits_requested, 1); out_flags = IVAL(outhdr, SMB2_HDR_FLAGS); out_status = NT_STATUS(IVAL(outhdr, SMB2_HDR_STATUS)); @@ -795,7 +796,7 @@ static void smb2_set_operation_credit(struct smbd_server_connection *sconn, * credits on the final response. */ credits_granted = 0; - } else if (credits_requested > 0) { + } else { uint16_t additional_max = 0; uint16_t additional_credits = credits_requested - 1; @@ -824,11 +825,6 @@ static void smb2_set_operation_credit(struct smbd_server_connection *sconn, additional_credits = MIN(additional_credits, additional_max); credits_granted = credit_charge + additional_credits; - } else if (sconn->smb2.credits_granted == 0) { - /* - * Make sure the client has always at least one credit - */ - credits_granted = 1; } /* -- 1.9.1 From a85b205e030b099a5505081de50c5cb4e915e340 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 29 Jan 2015 10:12:30 +0100 Subject: [PATCH 2/2] s3:smb2_server: protect against integer wrap with "smb2 max credits = 65535" Bug: https://bugzilla.samba.org/show_bug.cgi?id=9702 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Thu Jan 29 14:58:40 CET 2015 on sn-devel-104 (similar to commit 8aed0fc38ae28cce7fd1a443844a865265fc719c) --- source3/smbd/smb2_server.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c index 5d2aeb1..98c6e58 100644 --- a/source3/smbd/smb2_server.c +++ b/source3/smbd/smb2_server.c @@ -797,6 +797,8 @@ static void smb2_set_operation_credit(struct smbd_server_connection *sconn, */ credits_granted = 0; } else { + uint16_t additional_possible = + sconn->smb2.max_credits - credit_charge; uint16_t additional_max = 0; uint16_t additional_credits = credits_requested - 1; @@ -822,6 +824,7 @@ static void smb2_set_operation_credit(struct smbd_server_connection *sconn, break; } + additional_max = MIN(additional_max, additional_possible); additional_credits = MIN(additional_credits, additional_max); credits_granted = credit_charge + additional_credits; -- 1.9.1