From 9bc34b3d528aae7994a0b2d3bd016b1ff933aee0 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Tue, 21 Mar 2023 10:31:36 -0700
Subject: [PATCH 1/2] tests: Add samba3.blackbox.zero_readsize test.

smbclient crashes when smbd has "smb2 max read = 0"
in the [global] section of smb.conf.

We should fail the protocol negotiation with
NT_STATUS_INVALID_NETWORK_RESPONSE in this case.

Adds knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15306

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(Back-ported from commit 006fe806782c42e860ed2cf2bc9f6b1b82c3a307)
---
 selftest/knownfail.d/smb2_zero_readsize    |   1 +
 source3/script/tests/test_zero_readsize.sh | 101 +++++++++++++++++++++
 2 files changed, 102 insertions(+)
 create mode 100644 selftest/knownfail.d/smb2_zero_readsize
 create mode 100755 source3/script/tests/test_zero_readsize.sh

diff --git a/selftest/knownfail.d/smb2_zero_readsize b/selftest/knownfail.d/smb2_zero_readsize
new file mode 100644
index 00000000000..c7ec92cd629
--- /dev/null
+++ b/selftest/knownfail.d/smb2_zero_readsize
@@ -0,0 +1 @@
+^samba3.blackbox.zero_readsize.smb2_zero_readsize\(simpleserver:local\)
diff --git a/source3/script/tests/test_zero_readsize.sh b/source3/script/tests/test_zero_readsize.sh
new file mode 100755
index 00000000000..f859599ba89
--- /dev/null
+++ b/source3/script/tests/test_zero_readsize.sh
@@ -0,0 +1,101 @@
+#!/usr/bin/env bash
+#
+# Test setting smb2 max read = 0.
+#
+# BUG: https://bugzilla.samba.org/show_bug.cgi?id=15306
+#
+
+if [ $# -lt 6 ]; then
+	cat <<EOF
+Usage: $0 SERVERCONFFILE SMBCLIENT SMBCONTROL SERVER SHARE PREFIX
+EOF
+        exit 1
+fi
+
+CONF=${1}
+shift 1
+SMBCLIENT=${1}
+shift 1
+SMBCONTROL=${1}
+shift 1
+SERVER=${1}
+shift 1
+SHARE=${1}
+shift 1
+PREFIX=${1}
+shift 1
+
+SMBCLIENT="$VALGRIND ${SMBCLIENT}"
+ADDARGS="$@"
+
+incdir=$(dirname "$0")/../../../testprogs/blackbox
+. "$incdir"/subunit.sh
+
+failed=0
+
+#
+# Setup function
+#
+do_setup()
+{
+	rm -f "${PREFIX}/zero_read_testfile"
+	rm -f "${PREFIX}/zero_read_testfile_get"
+	dd if=/dev/zero of="${PREFIX}/zero_read_testfile" bs=1024 count=1
+	global_inject_conf="$(dirname "${SERVERCONFFILE}")/global_inject.conf"
+	echo "smb2 max read = 0" >"$global_inject_conf"
+	${SMBCONTROL} ${CONF} smbd reload-config
+}
+
+do_cleanup()
+{
+	rm -f "${PREFIX}/zero_read_testfile"
+	rm -f "${PREFIX}/zero_read_testfile_get"
+	global_inject_conf="$(dirname "${SERVERCONFFILE}")/global_inject.conf"
+	rm "$global_inject_conf"
+	${SMBCONTROL} ${CONF} smbd reload-config
+}
+
+test_smb2_zero_readsize()
+{
+	local tmpfile="$PREFIX/smbclient.in.$$"
+
+	cat >"$tmpfile" <<EOF
+lcd $PREFIX
+put zero_read_testfile zero_read_testfile_put
+get zero_read_testfile_put zero_read_testfile_get
+del zero_read_testfile_put
+quit
+EOF
+
+	local cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT //$SERVER/$SHARE -U$USERNAME%$PASSWORD $ADDARGS < $tmpfile 2>&1'
+	eval echo "$cmd"
+	out=$(eval "$cmd")
+	ret=$?
+
+	# Check for smbclient error.
+	# We should have failed the protocol negotiation, returning 1.
+	if [ $ret != 1 ]; then
+                echo "smbclient protocol negotiation succeeded (should have failed) zero read testfile $ret"
+                echo "$out"
+                return 1
+        fi
+
+	# We should get NT_STATUS_INVALID_NETWORK_RESPONSE
+	echo "$out" | grep NT_STATUS_INVALID_NETWORK_RESPONSE
+	ret=$?
+	if [ $ret -ne 0 ]; then
+                echo "Should get NT_STATUS_INVALID_NETWORK_RESPONSE"
+                echo "$out"
+                return 1
+        fi
+	rm "$tmpfile"
+	return 0
+}
+
+do_setup
+
+testit "smb2_zero_readsize" test_smb2_zero_readsize || failed=$((failed + 1))
+
+do_cleanup
+
+testok "$0" "$failed"
-- 
2.34.1


From fa5f0ec1ceffe04c4bebbde3ec7c728e03bffeb1 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Tue, 21 Mar 2023 10:34:46 -0700
Subject: [PATCH 2/2] s3: libcli: Refuse to connect to any server with zero
 values for max_trans_size, max_read_size, max_write_size.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

There's nothing we can do to such a server (this
now matches the behavior for SMB1).

Remove knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15306

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Mar 29 18:58:33 UTC 2023 on atb-devel-224

(cherry picked from commit 76573d6d8f168d6e6107af26a434b8c71aaf93af)
---
 libcli/smb/smbXcli_base.c               | 11 +++++++++++
 selftest/knownfail.d/smb2_zero_readsize |  1 -
 2 files changed, 11 insertions(+), 1 deletion(-)
 delete mode 100644 selftest/knownfail.d/smb2_zero_readsize

diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index c5d13bd5837..1500d484e83 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -5088,6 +5088,17 @@ static void smbXcli_negprot_smb2_done(struct tevent_req *subreq)
 	conn->smb2.server.system_time	= BVAL(body, 40);
 	conn->smb2.server.start_time	= BVAL(body, 48);
 
+	if (conn->smb2.server.max_trans_size == 0 ||
+	    conn->smb2.server.max_read_size == 0 ||
+	    conn->smb2.server.max_write_size == 0) {
+		/*
+		 * We can't connect to servers we can't
+		 * do any operations on.
+		 */
+		tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
+		return;
+	}
+
 	security_offset = SVAL(body, 56);
 	security_length = SVAL(body, 58);
 
diff --git a/selftest/knownfail.d/smb2_zero_readsize b/selftest/knownfail.d/smb2_zero_readsize
deleted file mode 100644
index c7ec92cd629..00000000000
--- a/selftest/knownfail.d/smb2_zero_readsize
+++ /dev/null
@@ -1 +0,0 @@
-^samba3.blackbox.zero_readsize.smb2_zero_readsize\(simpleserver:local\)
-- 
2.34.1