Attachment 16398 Details for Bug 14607 – git-am fix for 4.13.next.

[patch] git-am fix for 4.13.next.

bug-14607-4.13 (text/plain), 21.02 KB, created by Jeremy Allison on 2021-01-15 20:08:34 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Jeremy Allison

Created: 2021-01-15 20:08:34 UTC

Size: 21.02 KB

patch

obsolete

>From 8f18ecf67821f968e6d413f3041dab3779b041a0 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Mon, 11 Jan 2021 10:01:39 +0100
>Subject: [PATCH 1/6] libcli/smb: Change some checks to SMB_ASSERTS
>
>If we end up here, it's definitely a programming error in the basic
>parsing layer of the SMB2 packet.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14607
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Volker Lendecke <vl@samba.org>
>(cherry picked from commit fdcdfceefdd3186ef0b70bb6e83dddc8f4c073db)
>---
> libcli/smb/smb2_signing.c | 9 ++-------
> 1 file changed, 2 insertions(+), 7 deletions(-)
>
>diff --git a/libcli/smb/smb2_signing.c b/libcli/smb/smb2_signing.c
>index cc03607d789..230475480c2 100644
>--- a/libcli/smb/smb2_signing.c
>+++ b/libcli/smb/smb2_signing.c
>@@ -189,13 +189,8 @@ NTSTATUS smb2_signing_check_pdu(struct smb2_signing_key *signing_key,
> 	static const uint8_t zero_sig[16] = { 0, };
> 	int i;
> 
>-	if (count < 2) {
>-		return NT_STATUS_INVALID_PARAMETER;
>-	}
>-
>-	if (vector[0].iov_len != SMB2_HDR_BODY) {
>-		return NT_STATUS_INVALID_PARAMETER;
>-	}
>+	SMB_ASSERT(count >= 2);
>+	SMB_ASSERT(vector[0].iov_len == SMB2_HDR_BODY);
> 
> 	hdr = (const uint8_t *)vector[0].iov_base;
> 
>-- 
>2.27.0
>
>
>From 51ab77c50034e017ae7c2c71bf08f1a22a223534 Mon Sep 17 00:00:00 2001
>From: Jeremy Allison <jra@samba.org>
>Date: Wed, 6 Jan 2021 09:03:05 -0800
>Subject: [PATCH 2/6] libcli/smb: Allow smb2cli_validate_negotiate_info_done()
> to ignore NT_STATUS_INVALID_PARAMETER.
>
>This can be returned from NetApp Ontap 7.3.7 SMB server
>implementations. Now we have ensured smb2_signing_check_pdu()
>cannot return NT_STATUS_INVALID_PARAMETER on a signing error
>it's safe to check this error code here. Windows 10
>clients ignore this error from the NetApp.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14607
>
>Signed-off-by: Jeremy Allison <jra@samba.org>
>Reviewed-by: Volker Lendecke <vl@samba.org>
>Reviewed-by: Stefan Metzmacher <metze@samba.org>
>(cherry picked from commit 0abb5ca6b96c843909dea56d5594e334547ae90f)
>---
> libcli/smb/smbXcli_base.c | 25 +++++++++++++++++++++++++
> 1 file changed, 25 insertions(+)
>
>diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
>index 7d2da4b9ebc..4909797543c 100644
>--- a/libcli/smb/smbXcli_base.c
>+++ b/libcli/smb/smbXcli_base.c
>@@ -5420,6 +5420,18 @@ static void smb2cli_validate_negotiate_info_done(struct tevent_req *subreq)
> 				    &state->out_input_buffer,
> 				    &state->out_output_buffer);
> 	TALLOC_FREE(subreq);
>+
>+	/*
>+	 * This response must be signed correctly for
>+	 * these "normal" error codes to be processed.
>+	 * If the packet wasn't signed correctly we will get
>+	 * NT_STATUS_ACCESS_DENIED or NT_STATUS_HMAC_NOT_SUPPORTED,
>+	 * or NT_STATUS_INVALID_NETWORK_RESPONSE
>+	 * from smb2_signing_check_pdu().
>+	 *
>+	 * We must never ignore the above errors here.
>+	 */
>+
> 	if (NT_STATUS_EQUAL(status, NT_STATUS_FILE_CLOSED)) {
> 		/*
> 		 * The response was signed, but not supported
>@@ -5465,6 +5477,19 @@ static void smb2cli_validate_negotiate_info_done(struct tevent_req *subreq)
> 		tevent_req_done(req);
> 		return;
> 	}
>+	if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) {
>+		/*
>+		 * The response was signed, but not supported
>+		 *
>+		 * This might be returned by NetApp Ontap 7.3.7 SMB server
>+		 * implementations.
>+		 *
>+		 * BUG: https://bugzilla.samba.org/show_bug.cgi?id=14607
>+		 *
>+		 */
>+		tevent_req_done(req);
>+		return;
>+	}
> 	if (tevent_req_nterror(req, status)) {
> 		return;
> 	}
>-- 
>2.27.0
>
>
>From f9352649280539aaad7d4bc1bdbd97c1a923383a Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Thu, 14 Jan 2021 17:27:21 +0100
>Subject: [PATCH 3/6] libcli/smb: split out smb2cli_ioctl_parse_buffer()
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14607
>
>Pair-Programmed-With: Volker Lendecke <vl@samba.org>
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Signed-off-by: Volker Lendecke <vl@samba.org>
>(cherry picked from commit 508ed5b42c23f8b3d9730d838bd921cb73c61358)
>---
> libcli/smb/smb2cli_ioctl.c | 190 +++++++++++++++++++++----------------
> 1 file changed, 110 insertions(+), 80 deletions(-)
>
>diff --git a/libcli/smb/smb2cli_ioctl.c b/libcli/smb/smb2cli_ioctl.c
>index 2b572baeb23..6368bd31bc2 100644
>--- a/libcli/smb/smb2cli_ioctl.c
>+++ b/libcli/smb/smb2cli_ioctl.c
>@@ -160,6 +160,80 @@ struct tevent_req *smb2cli_ioctl_send(TALLOC_CTX *mem_ctx,
> 	return req;
> }
> 
>+static NTSTATUS smb2cli_ioctl_parse_buffer(uint32_t dyn_offset,
>+					   const DATA_BLOB dyn_buffer,
>+					   uint32_t min_offset,
>+					   uint32_t buffer_offset,
>+					   uint32_t buffer_length,
>+					   uint32_t max_length,
>+					   uint32_t *next_offset,
>+					   DATA_BLOB *buffer)
>+{
>+	uint32_t offset;
>+	bool oob;
>+
>+	*buffer = data_blob_null;
>+	*next_offset = dyn_offset;
>+
>+	if (buffer_offset == 0) {
>+		/*
>+		 * If the offset is 0, we better ignore
>+		 * the buffer_length field.
>+		 */
>+		return NT_STATUS_OK;
>+	}
>+
>+	if (buffer_length == 0) {
>+		/*
>+		 * If the length is 0, we better ignore
>+		 * the buffer_offset field.
>+		 */
>+		return NT_STATUS_OK;
>+	}
>+
>+	SMB_ASSERT(min_offset >= dyn_offset);
>+	if (buffer_offset != min_offset) {
>+		return NT_STATUS_INVALID_NETWORK_RESPONSE;
>+	}
>+
>+	/*
>+	 * Make [input|output]_buffer_offset relative to "dyn_buffer"
>+	 */
>+	offset = buffer_offset - dyn_offset;
>+	oob = smb_buffer_oob(dyn_buffer.length, offset, buffer_length);
>+	if (oob) {
>+		return NT_STATUS_INVALID_NETWORK_RESPONSE;
>+	}
>+
>+	/*
>+	 * Give the caller a hint what we consumed,
>+	 * the caller may need to add possible padding.
>+	 */
>+	*next_offset = buffer_offset + buffer_length;
>+
>+	if (max_length == 0) {
>+		/*
>+		 * If max_input_length is 0 we ignore the
>+		 * input_buffer_length, because Windows 2008 echos the
>+		 * DCERPC request from the requested input_buffer to
>+		 * the response input_buffer.
>+		 *
>+		 * We just use the same logic also for max_output_length...
>+		 */
>+		buffer_length = 0;
>+	}
>+
>+	if (buffer_length > max_length) {
>+		return NT_STATUS_INVALID_NETWORK_RESPONSE;
>+	}
>+
>+	*buffer = (DATA_BLOB) {
>+		.data = dyn_buffer.data + offset,
>+		.length = buffer_length,
>+	};
>+	return NT_STATUS_OK;
>+}
>+
> static void smb2cli_ioctl_done(struct tevent_req *subreq)
> {
> 	struct tevent_req *req =
>@@ -169,15 +243,19 @@ static void smb2cli_ioctl_done(struct tevent_req *subreq)
> 		tevent_req_data(req,
> 		struct smb2cli_ioctl_state);
> 	NTSTATUS status;
>+	NTSTATUS error;
> 	struct iovec *iov;
> 	uint8_t *fixed;
>-	uint8_t *dyn;
>-	size_t dyn_len;
>+	DATA_BLOB dyn_buffer = data_blob_null;
> 	uint32_t dyn_ofs = SMB2_HDR_BODY + 0x30;
>+	uint32_t input_min_offset;
> 	uint32_t input_buffer_offset;
> 	uint32_t input_buffer_length;
>+	uint32_t input_next_offset;
>+	uint32_t output_min_offset;
> 	uint32_t output_buffer_offset;
> 	uint32_t output_buffer_length;
>+	uint32_t output_next_offset;
> 	static const struct smb2cli_req_expected_response expected[] = {
> 	{
> 		.status = NT_STATUS_OK,
>@@ -247,92 +325,44 @@ static void smb2cli_ioctl_done(struct tevent_req *subreq)
> 
> 	state->recv_iov = iov;
> 	fixed = (uint8_t *)iov[1].iov_base;
>-	dyn = (uint8_t *)iov[2].iov_base;
>-	dyn_len = iov[2].iov_len;
>+	dyn_buffer = data_blob_const((uint8_t *)iov[2].iov_base,
>+				     iov[2].iov_len);
> 
> 	input_buffer_offset = IVAL(fixed, 0x18);
> 	input_buffer_length = IVAL(fixed, 0x1C);
> 	output_buffer_offset = IVAL(fixed, 0x20);
> 	output_buffer_length = IVAL(fixed, 0x24);
> 
>-	if ((input_buffer_offset > 0) && (input_buffer_length > 0)) {
>-		uint32_t ofs;
>-
>-		if (input_buffer_offset != dyn_ofs) {
>-			tevent_req_nterror(
>-				req, NT_STATUS_INVALID_NETWORK_RESPONSE);
>-			return;
>-		}
>-
>-		ofs = input_buffer_length;
>-		ofs = NDR_ROUND(ofs, 8);
>-
>-		if (state->max_input_length == 0) {
>-			/*
>-			 * If max_input_length is 0 we ignore
>-			 * the input_buffer_length, because
>-			 * Windows 2008 echos the DCERPC request
>-			 * from the requested input_buffer
>-			 * to the response input_buffer.
>-			 */
>-			input_buffer_length = 0;
>-		}
>-
>-		if (input_buffer_length > dyn_len) {
>-			tevent_req_nterror(
>-				req, NT_STATUS_INVALID_NETWORK_RESPONSE);
>-			return;
>-		}
>-
>-		if (input_buffer_length > state->max_input_length) {
>-			tevent_req_nterror(
>-				req, NT_STATUS_INVALID_NETWORK_RESPONSE);
>-			return;
>-		}
>-
>-		state->out_input_buffer.data = dyn;
>-		state->out_input_buffer.length = input_buffer_length;
>-
>-		if (ofs > dyn_len) {
>-			tevent_req_nterror(
>-				req, NT_STATUS_INVALID_NETWORK_RESPONSE);
>-			return;
>-		}
>-
>-		dyn_ofs += ofs;
>-		dyn += ofs;
>-		dyn_len -= ofs;
>+	input_min_offset = dyn_ofs;
>+	input_next_offset = dyn_ofs;
>+	error = smb2cli_ioctl_parse_buffer(dyn_ofs,
>+					   dyn_buffer,
>+					   input_min_offset,
>+					   input_buffer_offset,
>+					   input_buffer_length,
>+					   state->max_input_length,
>+					   &input_next_offset,
>+					   &state->out_input_buffer);
>+	if (tevent_req_nterror(req, error)) {
>+		return;
> 	}
> 
>-	if ((output_buffer_offset > 0) && (output_buffer_length > 0)) {
>-		if (output_buffer_offset != dyn_ofs) {
>-			tevent_req_nterror(
>-				req, NT_STATUS_INVALID_NETWORK_RESPONSE);
>-			return;
>-		}
>-
>-		if (state->max_output_length == 0) {
>-			/*
>-			 * We do the same logic as for
>-			 * max_input_length.
>-			 */
>-			output_buffer_length = 0;
>-		}
>-
>-		if (output_buffer_length > dyn_len) {
>-			tevent_req_nterror(
>-				req, NT_STATUS_INVALID_NETWORK_RESPONSE);
>-			return;
>-		}
>-
>-		if (output_buffer_length > state->max_output_length) {
>-			tevent_req_nterror(
>-				req, NT_STATUS_INVALID_NETWORK_RESPONSE);
>-			return;
>-		}
>-
>-		state->out_output_buffer.data = dyn;
>-		state->out_output_buffer.length = output_buffer_length;
>+	/*
>+	 * If output data is returned, the output offset MUST be set to
>+	 * InputOffset + InputCount rounded up to a multiple of 8.
>+	 */
>+	output_min_offset = NDR_ROUND(input_next_offset, 8);
>+	output_next_offset = 0; /* this variable is completely ignored */
>+	error = smb2cli_ioctl_parse_buffer(dyn_ofs,
>+					   dyn_buffer,
>+					   output_min_offset,
>+					   output_buffer_offset,
>+					   output_buffer_length,
>+					   state->max_output_length,
>+					   &output_next_offset,
>+					   &state->out_output_buffer);
>+	if (tevent_req_nterror(req, error)) {
>+		return;
> 	}
> 
> 	state->out_valid = true;
>-- 
>2.27.0
>
>
>From 2bac28d4841b02f4253afed43c0f1392957cd869 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Thu, 14 Jan 2021 17:39:18 +0100
>Subject: [PATCH 4/6] s4:torture/smb2: add samba3.smb2.ioctl.bug14607
>
>FSCTL_SMBTORTURE_IOCTL_RESPONSE_BODY_PADDING8 will be used
>to trigger an SMB2 IOCTL response with extra padding.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14607
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Volker Lendecke <vl@samba.org>
>(cherry picked from commit 3db566026bcc0bff87acae762211e1c49220dc82)
>---
> libcli/smb/smb_constants.h   |  2 ++
> source4/torture/smb2/ioctl.c | 53 ++++++++++++++++++++++++++++++++++++
> 2 files changed, 55 insertions(+)
>
>diff --git a/libcli/smb/smb_constants.h b/libcli/smb/smb_constants.h
>index b424b13cde4..d2345f094e1 100644
>--- a/libcli/smb/smb_constants.h
>+++ b/libcli/smb/smb_constants.h
>@@ -589,6 +589,8 @@ enum csc_policy {
> #define FSCTL_SMBTORTURE	0x83840000
> #define FSCTL_SMBTORTURE_FORCE_UNACKED_TIMEOUT \
> 	(FSCTL_SMBTORTURE | FSCTL_ACCESS_WRITE | 0x0000 | FSCTL_METHOD_NEITHER)
>+#define FSCTL_SMBTORTURE_IOCTL_RESPONSE_BODY_PADDING8 \
>+	(FSCTL_SMBTORTURE | FSCTL_ACCESS_WRITE | 0x0010 | FSCTL_METHOD_NEITHER)
> 
> /*
>  * A few values from [MS-FSCC] 2.1.2.1 Reparse Tags
>diff --git a/source4/torture/smb2/ioctl.c b/source4/torture/smb2/ioctl.c
>index eed81d1f598..1de5179e336 100644
>--- a/source4/torture/smb2/ioctl.c
>+++ b/source4/torture/smb2/ioctl.c
>@@ -6794,6 +6794,57 @@ static bool test_ioctl_dup_extents_dest_lck(struct torture_context *tctx,
> 	return true;
> }
> 
>+/*
>+   basic regression test for BUG 14607
>+   https://bugzilla.samba.org/show_bug.cgi?id=14607
>+*/
>+static bool test_ioctl_bug14607(struct torture_context *torture,
>+				struct smb2_tree *tree)
>+{
>+	TALLOC_CTX *tmp_ctx = talloc_new(tree);
>+	uint32_t timeout_msec;
>+	NTSTATUS status;
>+	DATA_BLOB out_input_buffer = data_blob_null;
>+	DATA_BLOB out_output_buffer = data_blob_null;
>+
>+	timeout_msec = tree->session->transport->options.request_timeout * 1000;
>+
>+	status = smb2cli_ioctl(tree->session->transport->conn,
>+			       timeout_msec,
>+			       tree->session->smbXcli,
>+			       tree->smbXcli,
>+			       UINT64_MAX, /* in_fid_persistent */
>+			       UINT64_MAX, /* in_fid_volatile */
>+			       FSCTL_SMBTORTURE_IOCTL_RESPONSE_BODY_PADDING8,
>+			       0, /* in_max_input_length */
>+			       NULL, /* in_input_buffer */
>+			       1, /* in_max_output_length */
>+			       NULL, /* in_output_buffer */
>+			       SMB2_IOCTL_FLAG_IS_FSCTL,
>+			       tmp_ctx,
>+			       &out_input_buffer,
>+			       &out_output_buffer);
>+	if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED) ||
>+	    NT_STATUS_EQUAL(status, NT_STATUS_FILE_CLOSED) ||
>+	    NT_STATUS_EQUAL(status, NT_STATUS_FS_DRIVER_REQUIRED) ||
>+	    NT_STATUS_EQUAL(status, NT_STATUS_INVALID_DEVICE_REQUEST))
>+	{
>+		torture_comment(torture,
>+				"FSCTL_SMBTORTURE_IOCTL_RESPONSE_BODY_PADDING8: %s\n",
>+				nt_errstr(status));
>+		torture_skip(torture, "server doesn't support FSCTL_SMBTORTURE_IOCTL_RESPONSE_BODY_PADDING8\n");
>+	}
>+	torture_assert_ntstatus_ok(torture, status, "FSCTL_SMBTORTURE_IOCTL_RESPONSE_BODY_PADDING8");
>+
>+	torture_assert_int_equal(torture, out_output_buffer.length, 1,
>+				 "output length");
>+	torture_assert_int_equal(torture, out_output_buffer.data[0], 8,
>+				 "output buffer byte should be 8");
>+
>+	talloc_free(tmp_ctx);
>+	return true;
>+}
>+
> /*
>  * testing of SMB2 ioctls
>  */
>@@ -6939,6 +6990,8 @@ struct torture_suite *torture_smb2_ioctl_init(TALLOC_CTX *ctx)
> 				     test_ioctl_dup_extents_src_lck);
> 	torture_suite_add_1smb2_test(suite, "dup_extents_dest_lock",
> 				     test_ioctl_dup_extents_dest_lck);
>+	torture_suite_add_1smb2_test(suite, "bug14607",
>+				     test_ioctl_bug14607);
> 
> 	suite->description = talloc_strdup(suite, "SMB2-IOCTL tests");
> 
>-- 
>2.27.0
>
>
>From dadf9b9530e593590c22ad6a11ecf7bbb7b0d5d9 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Thu, 14 Jan 2021 17:39:01 +0100
>Subject: [PATCH 5/6] smbd: implement
> FSCTL_SMBTORTURE_IOCTL_RESPONSE_BODY_PADDING8 as reproducer for bug 14607
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14607
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Volker Lendecke <vl@samba.org>
>(cherry picked from commit 39c0d2b666a6ddac7cd3b29fe76be7375690b27b)
>---
> .../knownfail.d/samba3.smb2.ioctl.bug14607    |  1 +
> source3/smbd/smb2_ioctl.c                     | 41 +++++++++++++++++--
> source3/smbd/smb2_ioctl_private.h             |  1 +
> 3 files changed, 40 insertions(+), 3 deletions(-)
> create mode 100644 selftest/knownfail.d/samba3.smb2.ioctl.bug14607
>
>diff --git a/selftest/knownfail.d/samba3.smb2.ioctl.bug14607 b/selftest/knownfail.d/samba3.smb2.ioctl.bug14607
>new file mode 100644
>index 00000000000..c535a8a2723
>--- /dev/null
>+++ b/selftest/knownfail.d/samba3.smb2.ioctl.bug14607
>@@ -0,0 +1 @@
>+^samba3.smb2.ioctl.*bug14607.nt4_dc
>diff --git a/source3/smbd/smb2_ioctl.c b/source3/smbd/smb2_ioctl.c
>index 01ae6d64ac5..8b65a691638 100644
>--- a/source3/smbd/smb2_ioctl.c
>+++ b/source3/smbd/smb2_ioctl.c
>@@ -41,6 +41,7 @@ static struct tevent_req *smbd_smb2_ioctl_send(TALLOC_CTX *mem_ctx,
> static NTSTATUS smbd_smb2_ioctl_recv(struct tevent_req *req,
> 				     TALLOC_CTX *mem_ctx,
> 				     DATA_BLOB *out_output,
>+				     uint8_t *body_padding,
> 				     bool *disconnect);
> 
> static void smbd_smb2_request_ioctl_done(struct tevent_req *subreq);
>@@ -195,6 +196,7 @@ NTSTATUS smbd_smb2_request_process_ioctl(struct smbd_smb2_request *req)
> 	case FSCTL_VALIDATE_NEGOTIATE_INFO:
> 	case FSCTL_QUERY_NETWORK_INTERFACE_INFO:
> 	case FSCTL_SMBTORTURE_FORCE_UNACKED_TIMEOUT:
>+	case FSCTL_SMBTORTURE_IOCTL_RESPONSE_BODY_PADDING8:
> 		/*
> 		 * Some SMB2 specific CtlCodes like FSCTL_DFS_GET_REFERRALS or
> 		 * FSCTL_PIPE_WAIT does not take a file handle.
>@@ -284,9 +286,12 @@ static void smbd_smb2_request_ioctl_done(struct tevent_req *subreq)
> 	NTSTATUS status;
> 	NTSTATUS error; /* transport error */
> 	bool disconnect = false;
>+	uint16_t body_size;
>+	uint8_t body_padding = 0;
> 
> 	status = smbd_smb2_ioctl_recv(subreq, req,
> 				      &out_output_buffer,
>+				      &body_padding,
> 				      &disconnect);
> 
> 	DEBUG(10,("smbd_smb2_request_ioctl_done: smbd_smb2_ioctl_recv returned "
>@@ -319,10 +324,15 @@ static void smbd_smb2_request_ioctl_done(struct tevent_req *subreq)
> 		return;
> 	}
> 
>-	out_input_offset = SMB2_HDR_BODY + 0x30;
>-	out_output_offset = SMB2_HDR_BODY + 0x30;
>+	/*
>+	 * Only FSCTL_SMBTORTURE_IOCTL_RESPONSE_BODY_PADDING8
>+	 * sets body_padding to a value different from 0.
>+	 */
>+	body_size = 0x30 + body_padding;
>+	out_input_offset = SMB2_HDR_BODY + body_size;
>+	out_output_offset = SMB2_HDR_BODY + body_size;
> 
>-	outbody = smbd_smb2_generate_outbody(req, 0x30);
>+	outbody = smbd_smb2_generate_outbody(req, body_size);
> 	if (outbody.data == NULL) {
> 		error = smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY);
> 		if (!NT_STATUS_IS_OK(error)) {
>@@ -350,6 +360,9 @@ static void smbd_smb2_request_ioctl_done(struct tevent_req *subreq)
> 	      out_output_buffer.length);	/* output count */
> 	SIVAL(outbody.data, 0x28, 0);		/* flags */
> 	SIVAL(outbody.data, 0x2C, 0);		/* reserved */
>+	if (body_padding != 0) {
>+		memset(outbody.data + 0x30, 0, body_padding);
>+	}
> 
> 	/*
> 	 * Note: Windows Vista and 2008 send back also the
>@@ -391,6 +404,26 @@ static struct tevent_req *smb2_ioctl_smbtorture(uint32_t ctl_code,
> 		tevent_req_done(req);
> 		return tevent_req_post(req, ev);
> 
>+	case FSCTL_SMBTORTURE_IOCTL_RESPONSE_BODY_PADDING8:
>+		if (state->in_input.length != 0) {
>+			tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
>+			return tevent_req_post(req, ev);
>+		}
>+
>+		if (state->in_max_output > 0) {
>+			uint32_t size = state->in_max_output;
>+
>+			state->out_output = data_blob_talloc(state, NULL, size);
>+			if (tevent_req_nomem(state->out_output.data, req)) {
>+				return tevent_req_post(req, ev);
>+			}
>+			memset(state->out_output.data, 8, size);
>+		}
>+
>+		state->body_padding = 8;
>+		tevent_req_done(req);
>+		return tevent_req_post(req, ev);
>+
> 	default:
> 		goto not_supported;
> 	}
>@@ -476,6 +509,7 @@ static struct tevent_req *smbd_smb2_ioctl_send(TALLOC_CTX *mem_ctx,
> static NTSTATUS smbd_smb2_ioctl_recv(struct tevent_req *req,
> 				     TALLOC_CTX *mem_ctx,
> 				     DATA_BLOB *out_output,
>+				     uint8_t *body_padding,
> 				     bool *disconnect)
> {
> 	NTSTATUS status = NT_STATUS_OK;
>@@ -484,6 +518,7 @@ static NTSTATUS smbd_smb2_ioctl_recv(struct tevent_req *req,
> 	enum tevent_req_state req_state;
> 	uint64_t err;
> 
>+	*body_padding = state->body_padding;
> 	*disconnect = state->disconnect;
> 
> 	if ((tevent_req_is_error(req, &req_state, &err) == false)
>diff --git a/source3/smbd/smb2_ioctl_private.h b/source3/smbd/smb2_ioctl_private.h
>index ae07fed8606..7a35f8f5d0b 100644
>--- a/source3/smbd/smb2_ioctl_private.h
>+++ b/source3/smbd/smb2_ioctl_private.h
>@@ -28,6 +28,7 @@ struct smbd_smb2_ioctl_state {
> 	DATA_BLOB in_input;
> 	uint32_t in_max_output;
> 	DATA_BLOB out_output;
>+	uint8_t body_padding;
> 	bool disconnect;
> };
> 
>-- 
>2.27.0
>
>
>From ac4f2bb2a109399e1a247755bc78efc1e925998b Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Thu, 14 Jan 2021 17:32:15 +0100
>Subject: [PATCH 6/6] libcli/smb: allow unexpected padding in SMB2 IOCTL
> responses
>
>A NetApp Ontap 7.3.7 SMB server add 8 padding bytes to an
>offset that's already 8 byte aligned.
>
>RN: Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14607
>
>Pair-Programmed-With: Volker Lendecke <vl@samba.org>
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Signed-off-by: Volker Lendecke <vl@samba.org>
>
>Autobuild-User(master): Volker Lendecke <vl@samba.org>
>Autobuild-Date(master): Fri Jan 15 08:36:34 UTC 2021 on sn-devel-184
>
>(cherry picked from commit 4c6c71e1378401d66bf2ed230544a75f7b04376f)
>---
> libcli/smb/smb2cli_ioctl.c                    | 19 ++++++++++++++++++-
> .../knownfail.d/samba3.smb2.ioctl.bug14607    |  1 -
> 2 files changed, 18 insertions(+), 2 deletions(-)
> delete mode 100644 selftest/knownfail.d/samba3.smb2.ioctl.bug14607
>
>diff --git a/libcli/smb/smb2cli_ioctl.c b/libcli/smb/smb2cli_ioctl.c
>index 6368bd31bc2..f9abcc57bab 100644
>--- a/libcli/smb/smb2cli_ioctl.c
>+++ b/libcli/smb/smb2cli_ioctl.c
>@@ -191,8 +191,25 @@ static NTSTATUS smb2cli_ioctl_parse_buffer(uint32_t dyn_offset,
> 		return NT_STATUS_OK;
> 	}
> 
>+	if ((buffer_offset % 8) != 0) {
>+		/*
>+		 * The offset needs to be 8 byte aligned.
>+		 */
>+		return NT_STATUS_INVALID_NETWORK_RESPONSE;
>+	}
>+
>+	/*
>+	 * We used to enforce buffer_offset to be
>+	 * an exact match of the expected minimum,
>+	 * but the NetApp Ontap 7.3.7 SMB server
>+	 * gets the padding wrong and aligns the
>+	 * input_buffer_offset by a value of 8.
>+	 *
>+	 * So we just enforce that the offset is
>+	 * not lower than the expected value.
>+	 */
> 	SMB_ASSERT(min_offset >= dyn_offset);
>-	if (buffer_offset != min_offset) {
>+	if (buffer_offset < min_offset) {
> 		return NT_STATUS_INVALID_NETWORK_RESPONSE;
> 	}
> 
>diff --git a/selftest/knownfail.d/samba3.smb2.ioctl.bug14607 b/selftest/knownfail.d/samba3.smb2.ioctl.bug14607
>deleted file mode 100644
>index c535a8a2723..00000000000
>--- a/selftest/knownfail.d/samba3.smb2.ioctl.bug14607
>+++ /dev/null
>@@ -1 +0,0 @@
>-^samba3.smb2.ioctl.*bug14607.nt4_dc
>-- 
>2.27.0
>

Flags:

metze: review+

Actions: View

Attachments on bug 14607: 16374 | 16376 | 16377 | 16398 | 16399 | 16683 | 16684 | 16685 | 16686