The Samba-Bugzilla – Attachment 16398 Details for Bug 14607: tree connect failed: NT_STATUS_INVALID_PARAMETER
[patch] git-am fix for 4.13.next.
bug-14607-4.13 (text/plain), 21.02 KB, created by Jeremy Allison on 2021-01-15 20:08:34 UTC
>From 8f18ecf67821f968e6d413f3041dab3779b041a0 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Mon, 11 Jan 2021 10:01:39 +0100 >Subject: [PATCH 1/6] libcli/smb: Change some checks to SMB_ASSERTS > >If we end up here, it's definitely a programming error in the basic >parsing layer of the SMB2 packet. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14607 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Volker Lendecke <vl@samba.org> >(cherry picked from commit fdcdfceefdd3186ef0b70bb6e83dddc8f4c073db) >--- > libcli/smb/smb2_signing.c | 9 ++------- > 1 file changed, 2 insertions(+), 7 deletions(-) > >diff --git a/libcli/smb/smb2_signing.c b/libcli/smb/smb2_signing.c >index cc03607d789..230475480c2 100644 >--- a/libcli/smb/smb2_signing.c >+++ b/libcli/smb/smb2_signing.c >@@ -189,13 +189,8 @@ NTSTATUS smb2_signing_check_pdu(struct smb2_signing_key *signing_key, > static const uint8_t zero_sig[16] = { 0, }; > int i; > >- if (count < 2) { >- return NT_STATUS_INVALID_PARAMETER; >- } >- >- if (vector[0].iov_len != SMB2_HDR_BODY) { >- return NT_STATUS_INVALID_PARAMETER; >- } >+ SMB_ASSERT(count >= 2); >+ SMB_ASSERT(vector[0].iov_len == SMB2_HDR_BODY); > > hdr = (const uint8_t *)vector[0].iov_base; > >-- >2.27.0 > > >From 51ab77c50034e017ae7c2c71bf08f1a22a223534 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Wed, 6 Jan 2021 09:03:05 -0800 >Subject: [PATCH 2/6] libcli/smb: Allow smb2cli_validate_negotiate_info_done() > to ignore NT_STATUS_INVALID_PARAMETER. > >This can be returned from NetApp Ontap 7.3.7 SMB server >implementations. Now we have ensured smb2_signing_check_pdu() >cannot return NT_STATUS_INVALID_PARAMETER on a signing error >it's safe to check this error code here. Windows 10 >clients ignore this error from the NetApp. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14607 
> >Signed-off-by: Jeremy Allison <jra@samba.org> >Reviewed-by: Volker Lendecke <vl@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >(cherry picked from commit 0abb5ca6b96c843909dea56d5594e334547ae90f) >--- > libcli/smb/smbXcli_base.c | 25 +++++++++++++++++++++++++ > 1 file changed, 25 insertions(+) > >diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c >index 7d2da4b9ebc..4909797543c 100644 >--- a/libcli/smb/smbXcli_base.c >+++ b/libcli/smb/smbXcli_base.c >@@ -5420,6 +5420,18 @@ static void smb2cli_validate_negotiate_info_done(struct tevent_req *subreq) > &state->out_input_buffer, > &state->out_output_buffer); > TALLOC_FREE(subreq); >+ >+ /* >+ * This response must be signed correctly for >+ * these "normal" error codes to be processed. >+ * If the packet wasn't signed correctly we will get >+ * NT_STATUS_ACCESS_DENIED or NT_STATUS_HMAC_NOT_SUPPORTED, >+ * or NT_STATUS_INVALID_NETWORK_RESPONSE >+ * from smb2_signing_check_pdu(). >+ * >+ * We must never ignore the above errors here. >+ */ >+ > if (NT_STATUS_EQUAL(status, NT_STATUS_FILE_CLOSED)) { > /* > * The response was signed, but not supported >@@ -5465,6 +5477,19 @@ static void smb2cli_validate_negotiate_info_done(struct tevent_req *subreq) > tevent_req_done(req); > return; > } >+ if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) { >+ /* >+ * The response was signed, but not supported >+ * >+ * This might be returned by NetApp Ontap 7.3.7 SMB server >+ * implementations. >+ * >+ * BUG: https://bugzilla.samba.org/show_bug.cgi?id=14607 >+ * >+ */ >+ tevent_req_done(req); >+ return; >+ } > if (tevent_req_nterror(req, status)) { > return; > } >-- >2.27.0 > > >From f9352649280539aaad7d4bc1bdbd97c1a923383a Mon Sep 17 00:00:00 2001 
>From: Stefan Metzmacher <metze@samba.org> >Date: Thu, 14 Jan 2021 17:27:21 +0100 >Subject: [PATCH 3/6] libcli/smb: split out smb2cli_ioctl_parse_buffer() > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14607 > >Pair-Programmed-With: Volker Lendecke <vl@samba.org> > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Signed-off-by: Volker Lendecke <vl@samba.org> >(cherry picked from commit 508ed5b42c23f8b3d9730d838bd921cb73c61358) >--- > libcli/smb/smb2cli_ioctl.c | 190 +++++++++++++++++++++---------------- > 1 file changed, 110 insertions(+), 80 deletions(-) > >diff --git a/libcli/smb/smb2cli_ioctl.c b/libcli/smb/smb2cli_ioctl.c >index 2b572baeb23..6368bd31bc2 100644 >--- a/libcli/smb/smb2cli_ioctl.c >+++ b/libcli/smb/smb2cli_ioctl.c 
>@@ -160,6 +160,80 @@ struct tevent_req *smb2cli_ioctl_send(TALLOC_CTX *mem_ctx, > return req; > } > >+static NTSTATUS smb2cli_ioctl_parse_buffer(uint32_t dyn_offset, >+ const DATA_BLOB dyn_buffer, >+ uint32_t min_offset, >+ uint32_t buffer_offset, >+ uint32_t buffer_length, >+ uint32_t max_length, >+ uint32_t *next_offset, >+ DATA_BLOB *buffer) >+{ >+ uint32_t offset; >+ bool oob; >+ >+ *buffer = data_blob_null; >+ *next_offset = dyn_offset; >+ >+ if (buffer_offset == 0) { >+ /* >+ * If the offset is 0, we better ignore >+ * the buffer_length field. >+ */ >+ return NT_STATUS_OK; >+ } >+ >+ if (buffer_length == 0) { >+ /* >+ * If the length is 0, we better ignore >+ * the buffer_offset field. >+ */ >+ return NT_STATUS_OK; >+ } >+ >+ SMB_ASSERT(min_offset >= dyn_offset); >+ if (buffer_offset != min_offset) { >+ return NT_STATUS_INVALID_NETWORK_RESPONSE; >+ } >+ >+ /* >+ * Make [input|output]_buffer_offset relative to "dyn_buffer" >+ */ >+ offset = buffer_offset - dyn_offset; >+ oob = smb_buffer_oob(dyn_buffer.length, offset, buffer_length); >+ if (oob) { >+ return NT_STATUS_INVALID_NETWORK_RESPONSE; >+ } >+ >+ /* >+ * Give the caller a hint what we consumed, >+ * the caller may need to add possible padding. >+ */ >+ *next_offset = buffer_offset + buffer_length; >+ >+ if (max_length == 0) { >+ /* >+ * If max_input_length is 0 we ignore the >+ * input_buffer_length, because Windows 2008 echos the >+ * DCERPC request from the requested input_buffer to >+ * the response input_buffer. >+ * >+ * We just use the same logic also for max_output_length... >+ */ >+ buffer_length = 0; >+ } >+ >+ if (buffer_length > max_length) { >+ return NT_STATUS_INVALID_NETWORK_RESPONSE; >+ } >+ >+ *buffer = (DATA_BLOB) { >+ .data = dyn_buffer.data + offset, >+ .length = buffer_length, >+ }; >+ return NT_STATUS_OK; >+} >+ > static void smb2cli_ioctl_done(struct tevent_req *subreq) > { > struct tevent_req *req = 
>@@ -169,15 +243,19 @@ static void smb2cli_ioctl_done(struct tevent_req *subreq) > tevent_req_data(req, > struct smb2cli_ioctl_state); > NTSTATUS status; >+ NTSTATUS error; > struct iovec *iov; > uint8_t *fixed; >- uint8_t *dyn; >- size_t dyn_len; >+ DATA_BLOB dyn_buffer = data_blob_null; > uint32_t dyn_ofs = SMB2_HDR_BODY + 0x30; >+ uint32_t input_min_offset; > uint32_t input_buffer_offset; > uint32_t input_buffer_length; >+ uint32_t input_next_offset; >+ uint32_t output_min_offset; > uint32_t output_buffer_offset; > uint32_t output_buffer_length; >+ uint32_t output_next_offset; > static const struct smb2cli_req_expected_response expected[] = { > { > .status = NT_STATUS_OK, 
>@@ -247,92 +325,44 @@ static void smb2cli_ioctl_done(struct tevent_req *subreq) > > state->recv_iov = iov; > fixed = (uint8_t *)iov[1].iov_base; >- dyn = (uint8_t *)iov[2].iov_base; >- dyn_len = iov[2].iov_len; >+ dyn_buffer = data_blob_const((uint8_t *)iov[2].iov_base, >+ iov[2].iov_len); > > input_buffer_offset = IVAL(fixed, 0x18); > input_buffer_length = IVAL(fixed, 0x1C); > output_buffer_offset = IVAL(fixed, 0x20); > output_buffer_length = IVAL(fixed, 0x24); > >- if ((input_buffer_offset > 0) && (input_buffer_length > 0)) { >- uint32_t ofs; >- >- if (input_buffer_offset != dyn_ofs) { >- tevent_req_nterror( >- req, NT_STATUS_INVALID_NETWORK_RESPONSE); >- return; >- } >- >- ofs = input_buffer_length; >- ofs = NDR_ROUND(ofs, 8); >- >- if (state->max_input_length == 0) { >- /* >- * If max_input_length is 0 we ignore >- * the input_buffer_length, because >- * Windows 2008 echos the DCERPC request >- * from the requested input_buffer >- * to the response input_buffer. >- */ >- input_buffer_length = 0; >- } >- >- if (input_buffer_length > dyn_len) { >- tevent_req_nterror( >- req, NT_STATUS_INVALID_NETWORK_RESPONSE); >- return; >- } >- >- if (input_buffer_length > state->max_input_length) { >- tevent_req_nterror( >- req, NT_STATUS_INVALID_NETWORK_RESPONSE); >- return; >- } >- >- state->out_input_buffer.data = dyn; >- state->out_input_buffer.length = input_buffer_length; >- >- if (ofs > dyn_len) { >- tevent_req_nterror( >- req, NT_STATUS_INVALID_NETWORK_RESPONSE); >- return; >- } >- >- dyn_ofs += ofs; >- dyn += ofs; >- dyn_len -= ofs; >+ input_min_offset = dyn_ofs; >+ input_next_offset = dyn_ofs; >+ error = smb2cli_ioctl_parse_buffer(dyn_ofs, >+ dyn_buffer, >+ input_min_offset, >+ input_buffer_offset, >+ input_buffer_length, >+ state->max_input_length, >+ &input_next_offset, >+ &state->out_input_buffer); >+ if (tevent_req_nterror(req, error)) { >+ return; > } > >- if ((output_buffer_offset > 0) && (output_buffer_length > 0)) { >- if (output_buffer_offset != dyn_ofs) { 
>- tevent_req_nterror( >- req, NT_STATUS_INVALID_NETWORK_RESPONSE); >- return; >- } >- >- if (state->max_output_length == 0) { >- /* >- * We do the same logic as for >- * max_input_length. >- */ >- output_buffer_length = 0; >- } >- >- if (output_buffer_length > dyn_len) { >- tevent_req_nterror( >- req, NT_STATUS_INVALID_NETWORK_RESPONSE); >- return; >- } >- >- if (output_buffer_length > state->max_output_length) { >- tevent_req_nterror( >- req, NT_STATUS_INVALID_NETWORK_RESPONSE); >- return; >- } >- >- state->out_output_buffer.data = dyn; >- state->out_output_buffer.length = output_buffer_length; >+ /* >+ * If output data is returned, the output offset MUST be set to >+ * InputOffset + InputCount rounded up to a multiple of 8. >+ */ >+ output_min_offset = NDR_ROUND(input_next_offset, 8); >+ output_next_offset = 0; /* this variable is completely ignored */ >+ error = smb2cli_ioctl_parse_buffer(dyn_ofs, >+ dyn_buffer, >+ output_min_offset, >+ output_buffer_offset, >+ output_buffer_length, >+ state->max_output_length, >+ &output_next_offset, >+ &state->out_output_buffer); >+ if (tevent_req_nterror(req, error)) { >+ return; > } > > state->out_valid = true; >-- >2.27.0 > > >From 2bac28d4841b02f4253afed43c0f1392957cd869 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Thu, 14 Jan 2021 17:39:18 +0100 >Subject: [PATCH 4/6] s4:torture/smb2: add samba3.smb2.ioctl.bug14607 > >FSCTL_SMBTORTURE_IOCTL_RESPONSE_BODY_PADDING8 will be used >to trigger an SMB2 IOCTL response with extra padding. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14607 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Volker Lendecke <vl@samba.org> >(cherry picked from commit 3db566026bcc0bff87acae762211e1c49220dc82) >--- > libcli/smb/smb_constants.h | 2 ++ > source4/torture/smb2/ioctl.c | 53 ++++++++++++++++++++++++++++++++++++ > 2 files changed, 55 insertions(+) 
> >diff --git a/libcli/smb/smb_constants.h b/libcli/smb/smb_constants.h >index b424b13cde4..d2345f094e1 100644 >--- a/libcli/smb/smb_constants.h >+++ b/libcli/smb/smb_constants.h >@@ -589,6 +589,8 @@ enum csc_policy { > #define FSCTL_SMBTORTURE 0x83840000 > #define FSCTL_SMBTORTURE_FORCE_UNACKED_TIMEOUT \ > (FSCTL_SMBTORTURE | FSCTL_ACCESS_WRITE | 0x0000 | FSCTL_METHOD_NEITHER) >+#define FSCTL_SMBTORTURE_IOCTL_RESPONSE_BODY_PADDING8 \ >+ (FSCTL_SMBTORTURE | FSCTL_ACCESS_WRITE | 0x0010 | FSCTL_METHOD_NEITHER) > > /* > * A few values from [MS-FSCC] 2.1.2.1 Reparse Tags >diff --git a/source4/torture/smb2/ioctl.c b/source4/torture/smb2/ioctl.c >index eed81d1f598..1de5179e336 100644 >--- a/source4/torture/smb2/ioctl.c >+++ b/source4/torture/smb2/ioctl.c 
>@@ -6794,6 +6794,57 @@ static bool test_ioctl_dup_extents_dest_lck(struct torture_context *tctx, > return true; > } > >+/* >+ basic regression test for BUG 14607 >+ https://bugzilla.samba.org/show_bug.cgi?id=14607 >+*/ >+static bool test_ioctl_bug14607(struct torture_context *torture, >+ struct smb2_tree *tree) >+{ >+ TALLOC_CTX *tmp_ctx = talloc_new(tree); >+ uint32_t timeout_msec; >+ NTSTATUS status; >+ DATA_BLOB out_input_buffer = data_blob_null; >+ DATA_BLOB out_output_buffer = data_blob_null; >+ >+ timeout_msec = tree->session->transport->options.request_timeout * 1000; >+ >+ status = smb2cli_ioctl(tree->session->transport->conn, >+ timeout_msec, >+ tree->session->smbXcli, >+ tree->smbXcli, >+ UINT64_MAX, /* in_fid_persistent */ >+ UINT64_MAX, /* in_fid_volatile */ >+ FSCTL_SMBTORTURE_IOCTL_RESPONSE_BODY_PADDING8, >+ 0, /* in_max_input_length */ >+ NULL, /* in_input_buffer */ >+ 1, /* in_max_output_length */ >+ NULL, /* in_output_buffer */ >+ SMB2_IOCTL_FLAG_IS_FSCTL, >+ tmp_ctx, >+ &out_input_buffer, >+ &out_output_buffer); >+ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED) || >+ NT_STATUS_EQUAL(status, NT_STATUS_FILE_CLOSED) || >+ NT_STATUS_EQUAL(status, NT_STATUS_FS_DRIVER_REQUIRED) || >+ NT_STATUS_EQUAL(status, NT_STATUS_INVALID_DEVICE_REQUEST)) >+ { >+ torture_comment(torture, >+ "FSCTL_SMBTORTURE_IOCTL_RESPONSE_BODY_PADDING8: %s\n", >+ nt_errstr(status)); >+ torture_skip(torture, "server doesn't support FSCTL_SMBTORTURE_IOCTL_RESPONSE_BODY_PADDING8\n"); >+ } >+ torture_assert_ntstatus_ok(torture, status, "FSCTL_SMBTORTURE_IOCTL_RESPONSE_BODY_PADDING8"); >+ >+ torture_assert_int_equal(torture, out_output_buffer.length, 1, >+ "output length"); >+ torture_assert_int_equal(torture, out_output_buffer.data[0], 8, >+ "output buffer byte should be 8"); >+ >+ talloc_free(tmp_ctx); >+ return true; >+} >+ > /* > * testing of SMB2 ioctls > */ 
>@@ -6939,6 +6990,8 @@ struct torture_suite *torture_smb2_ioctl_init(TALLOC_CTX *ctx) > test_ioctl_dup_extents_src_lck); > torture_suite_add_1smb2_test(suite, "dup_extents_dest_lock", > test_ioctl_dup_extents_dest_lck); >+ torture_suite_add_1smb2_test(suite, "bug14607", >+ test_ioctl_bug14607); > > suite->description = talloc_strdup(suite, "SMB2-IOCTL tests"); > >-- >2.27.0 > > >From dadf9b9530e593590c22ad6a11ecf7bbb7b0d5d9 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Thu, 14 Jan 2021 17:39:01 +0100 >Subject: [PATCH 5/6] smbd: implement > FSCTL_SMBTORTURE_IOCTL_RESPONSE_BODY_PADDING8 as reproducer for bug 14607 > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14607 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Volker Lendecke <vl@samba.org> >(cherry picked from commit 39c0d2b666a6ddac7cd3b29fe76be7375690b27b) >--- > .../knownfail.d/samba3.smb2.ioctl.bug14607 | 1 + > source3/smbd/smb2_ioctl.c | 41 +++++++++++++++++-- > source3/smbd/smb2_ioctl_private.h | 1 + > 3 files changed, 40 insertions(+), 3 deletions(-) > create mode 100644 selftest/knownfail.d/samba3.smb2.ioctl.bug14607 > >diff --git a/selftest/knownfail.d/samba3.smb2.ioctl.bug14607 b/selftest/knownfail.d/samba3.smb2.ioctl.bug14607 >new file mode 100644 >index 00000000000..c535a8a2723 >--- /dev/null >+++ b/selftest/knownfail.d/samba3.smb2.ioctl.bug14607 >@@ -0,0 +1 @@ >+^samba3.smb2.ioctl.*bug14607.nt4_dc >diff --git a/source3/smbd/smb2_ioctl.c b/source3/smbd/smb2_ioctl.c >index 01ae6d64ac5..8b65a691638 100644 >--- a/source3/smbd/smb2_ioctl.c >+++ b/source3/smbd/smb2_ioctl.c >@@ -41,6 +41,7 @@ static struct tevent_req *smbd_smb2_ioctl_send(TALLOC_CTX *mem_ctx, > static NTSTATUS smbd_smb2_ioctl_recv(struct tevent_req *req, > TALLOC_CTX *mem_ctx, > DATA_BLOB *out_output, >+ uint8_t *body_padding, > bool *disconnect); > > static void smbd_smb2_request_ioctl_done(struct tevent_req *subreq); 
>@@ -195,6 +196,7 @@ NTSTATUS smbd_smb2_request_process_ioctl(struct smbd_smb2_request *req) > case FSCTL_VALIDATE_NEGOTIATE_INFO: > case FSCTL_QUERY_NETWORK_INTERFACE_INFO: > case FSCTL_SMBTORTURE_FORCE_UNACKED_TIMEOUT: >+ case FSCTL_SMBTORTURE_IOCTL_RESPONSE_BODY_PADDING8: > /* > * Some SMB2 specific CtlCodes like FSCTL_DFS_GET_REFERRALS or > * FSCTL_PIPE_WAIT does not take a file handle. >@@ -284,9 +286,12 @@ static void smbd_smb2_request_ioctl_done(struct tevent_req *subreq) > NTSTATUS status; > NTSTATUS error; /* transport error */ > bool disconnect = false; >+ uint16_t body_size; >+ uint8_t body_padding = 0; > > status = smbd_smb2_ioctl_recv(subreq, req, > &out_output_buffer, >+ &body_padding, > &disconnect); > > DEBUG(10,("smbd_smb2_request_ioctl_done: smbd_smb2_ioctl_recv returned " >@@ -319,10 +324,15 @@ static void smbd_smb2_request_ioctl_done(struct tevent_req *subreq) > return; > } > >- out_input_offset = SMB2_HDR_BODY + 0x30; >- out_output_offset = SMB2_HDR_BODY + 0x30; >+ /* >+ * Only FSCTL_SMBTORTURE_IOCTL_RESPONSE_BODY_PADDING8 >+ * sets body_padding to a value different from 0. >+ */ >+ body_size = 0x30 + body_padding; >+ out_input_offset = SMB2_HDR_BODY + body_size; >+ out_output_offset = SMB2_HDR_BODY + body_size; > >- outbody = smbd_smb2_generate_outbody(req, 0x30); >+ outbody = smbd_smb2_generate_outbody(req, body_size); > if (outbody.data == NULL) { > error = smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY); > if (!NT_STATUS_IS_OK(error)) { >@@ -350,6 +360,9 @@ static void smbd_smb2_request_ioctl_done(struct tevent_req *subreq) > out_output_buffer.length); /* output count */ > SIVAL(outbody.data, 0x28, 0); /* flags */ > SIVAL(outbody.data, 0x2C, 0); /* reserved */ >+ if (body_padding != 0) { >+ memset(outbody.data + 0x30, 0, body_padding); >+ } > > /* > * Note: Windows Vista and 2008 send back also the 
>@@ -391,6 +404,26 @@ static struct tevent_req *smb2_ioctl_smbtorture(uint32_t ctl_code, > tevent_req_done(req); > return tevent_req_post(req, ev); > >+ case FSCTL_SMBTORTURE_IOCTL_RESPONSE_BODY_PADDING8: >+ if (state->in_input.length != 0) { >+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER); >+ return tevent_req_post(req, ev); >+ } >+ >+ if (state->in_max_output > 0) { >+ uint32_t size = state->in_max_output; >+ >+ state->out_output = data_blob_talloc(state, NULL, size); >+ if (tevent_req_nomem(state->out_output.data, req)) { >+ return tevent_req_post(req, ev); >+ } >+ memset(state->out_output.data, 8, size); >+ } >+ >+ state->body_padding = 8; >+ tevent_req_done(req); >+ return tevent_req_post(req, ev); >+ > default: > goto not_supported; > } >@@ -476,6 +509,7 @@ static struct tevent_req *smbd_smb2_ioctl_send(TALLOC_CTX *mem_ctx, > static NTSTATUS smbd_smb2_ioctl_recv(struct tevent_req *req, > TALLOC_CTX *mem_ctx, > DATA_BLOB *out_output, >+ uint8_t *body_padding, > bool *disconnect) > { > NTSTATUS status = NT_STATUS_OK; >@@ -484,6 +518,7 @@ static NTSTATUS smbd_smb2_ioctl_recv(struct tevent_req *req, > enum tevent_req_state req_state; > uint64_t err; > >+ *body_padding = state->body_padding; > *disconnect = state->disconnect; > > if ((tevent_req_is_error(req, &req_state, &err) == false) >diff --git a/source3/smbd/smb2_ioctl_private.h b/source3/smbd/smb2_ioctl_private.h >index ae07fed8606..7a35f8f5d0b 100644 >--- a/source3/smbd/smb2_ioctl_private.h >+++ b/source3/smbd/smb2_ioctl_private.h >@@ -28,6 +28,7 @@ struct smbd_smb2_ioctl_state { > DATA_BLOB in_input; > uint32_t in_max_output; > DATA_BLOB out_output; >+ uint8_t body_padding; > bool disconnect; > }; > >-- >2.27.0 > > >From ac4f2bb2a109399e1a247755bc78efc1e925998b Mon Sep 17 00:00:00 2001 
>From: Stefan Metzmacher <metze@samba.org> >Date: Thu, 14 Jan 2021 17:32:15 +0100 >Subject: [PATCH 6/6] libcli/smb: allow unexpected padding in SMB2 IOCTL > responses > >A NetApp Ontap 7.3.7 SMB server add 8 padding bytes to an >offset that's already 8 byte aligned. > >RN: Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7 >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14607 > >Pair-Programmed-With: Volker Lendecke <vl@samba.org> > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Signed-off-by: Volker Lendecke <vl@samba.org> > >Autobuild-User(master): Volker Lendecke <vl@samba.org> >Autobuild-Date(master): Fri Jan 15 08:36:34 UTC 2021 on sn-devel-184 > >(cherry picked from commit 4c6c71e1378401d66bf2ed230544a75f7b04376f) >--- > libcli/smb/smb2cli_ioctl.c | 19 ++++++++++++++++++- > .../knownfail.d/samba3.smb2.ioctl.bug14607 | 1 - > 2 files changed, 18 insertions(+), 2 deletions(-) > delete mode 100644 selftest/knownfail.d/samba3.smb2.ioctl.bug14607 > >diff --git a/libcli/smb/smb2cli_ioctl.c b/libcli/smb/smb2cli_ioctl.c >index 6368bd31bc2..f9abcc57bab 100644 >--- a/libcli/smb/smb2cli_ioctl.c >+++ b/libcli/smb/smb2cli_ioctl.c >@@ -191,8 +191,25 @@ static NTSTATUS smb2cli_ioctl_parse_buffer(uint32_t dyn_offset, > return NT_STATUS_OK; > } > >+ if ((buffer_offset % 8) != 0) { >+ /* >+ * The offset needs to be 8 byte aligned. >+ */ >+ return NT_STATUS_INVALID_NETWORK_RESPONSE; >+ } >+ >+ /* >+ * We used to enforce buffer_offset to be >+ * an exact match of the expected minimum, >+ * but the NetApp Ontap 7.3.7 SMB server >+ * gets the padding wrong and aligns the >+ * input_buffer_offset by a value of 8. >+ * >+ * So we just enforce that the offset is >+ * not lower than the expected value. >+ */ > SMB_ASSERT(min_offset >= dyn_offset); >- if (buffer_offset != min_offset) { >+ if (buffer_offset < min_offset) { > return NT_STATUS_INVALID_NETWORK_RESPONSE; > } 
> >diff --git a/selftest/knownfail.d/samba3.smb2.ioctl.bug14607 b/selftest/knownfail.d/samba3.smb2.ioctl.bug14607 >deleted file mode 100644 >index c535a8a2723..00000000000 >--- a/selftest/knownfail.d/samba3.smb2.ioctl.bug14607 >+++ /dev/null >@@ -1 +0,0 @@ >-^samba3.smb2.ioctl.*bug14607.nt4_dc >-- >2.27.0 >
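Review bot: The two new SMB_ASSERT lines in smb2_signing_check_pdu() (patch 1/6) make `count >= 2` and `vector[0].iov_len == SMB2_HDR_BODY` a hard caller contract, yet the function carries no comment saying so. A short comment above the asserts stating what callers must pass as `vector[0]` and that a violation aborts would make the precondition explicit. Patch 2/6 depends on this function no longer returning NT_STATUS_INVALID_PARAMETER; only these two returns are visible in the hunk, so the rest of the function should be checked for other paths that return it.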
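Review bot: The new NT_STATUS_INVALID_PARAMETER branch in smb2cli_validate_negotiate_info_done() (patch 2/6, second hunk) completes the request for any server, not only the NetApp named in its comment, and the comment text "The response was signed, but not supported" repeats the wording of the NT_STATUS_FILE_CLOSED branch without saying why accepting this status is safe. The comment should state that this status can only reach the branch on a correctly signed response, which is the reasoning given in the first hunk's comment. A debug message on this path would also make a skipped negotiate validation visible in logs.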
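Review bot: smb2cli_ioctl_parse_buffer() (patch 3/6) takes eight parameters on two different offset bases and has no header comment: `dyn_offset`, `min_offset` and `buffer_offset` are counted from the start of the SMB2 header, while the `offset` computed inside is relative to `dyn_buffer`. A comment above the function should say that, and that `min_offset >= dyn_offset` is asserted rather than checked. The line `*next_offset = buffer_offset + buffer_length;` is uint32_t arithmetic on values read from the wire and is bounded only indirectly by the preceding smb_buffer_oob() check, which deserves a one-line remark at that spot.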
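Review bot: In smb2cli_ioctl_done() (patch 3/6, last hunk), `output_next_offset = 0; /* this variable is completely ignored */` exists only to satisfy the helper's signature, and the pre-initialisation `input_next_offset = dyn_ofs;` is redundant because the helper sets `*next_offset = dyn_offset` before any return. Letting smb2cli_ioctl_parse_buffer() accept a NULL `next_offset` would remove the dummy variable, and dropping the redundant assignment leaves the helper as the single place that sets the value.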
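Review bot: test_ioctl_bug14607() (patch 4/6) asserts only on `out_output_buffer`; with `in_max_input_length` set to 0 the returned `out_input_buffer` should be empty, and asserting `out_input_buffer.length == 0` would pin the input-side parsing as well. The `talloc_new(tree)` result is not checked for NULL, and the early exits through torture_skip() and the torture_assert_*() macros leave the function before `talloc_free(tmp_ctx)`, so the context stays allocated until `tree` is freed. Allocating from `torture` or freeing on those paths would avoid that.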
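Review bot: In the new FSCTL_SMBTORTURE_IOCTL_RESPONSE_BODY_PADDING8 case of smb2_ioctl_smbtorture() (patch 5/6), `size` is taken directly from `state->in_max_output` and passed to data_blob_talloc() with no cap in this case. The regression test needs a single byte, so either clamp the size to a small maximum here or add a comment naming where the limit is enforced. The literal 8 serves both as the fill byte in `memset(state->out_output.data, 8, size);` and as `state->body_padding = 8;`, and a named constant would make the link to the byte value the test expects obvious.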
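Review bot: With `buffer_offset != min_offset` relaxed to `buffer_offset < min_offset` in smb2cli_ioctl_parse_buffer() (patch 6/6), any 8-byte-aligned gap is accepted, not just the single 8-byte pad described in the commit message, and the skipped bytes are never inspected. The comment should say that the upper bound is left to the later smb_buffer_oob() check, or the gap should be limited to the 8 bytes the workaround needs. The comment phrase "aligns the input_buffer_offset by a value of 8" would also read more clearly if it matched the commit message, which says the server adds 8 padding bytes to an offset that is already 8 byte aligned.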
Flags: metze: review+