The Samba-Bugzilla – Attachment 18420 Details for
Bug 15699
incorrect FSCTL_QUERY_ALLOCATED_RANGES response when truncated
[patch]
cherry-picked fix for 4.20-test
smb2_ioctl-fix-truncated-FSCTL_QUERY_ALLOCATED_RANGE_420t.patch (text/plain), 5.77 KB, created by
David Disseldorp
on 2024-08-29 00:20:50 UTC
Description:
cherry-picked fix for 4.20-test
Filename:
MIME Type:
Creator:
David Disseldorp
Created:
2024-08-29 00:20:50 UTC
Size:
5.77 KB
patch
obsolete
>From a5e7b56de4428e6d286bd5f4cd00777fd8be4212 Mon Sep 17 00:00:00 2001
>From: David Disseldorp <ddiss@samba.org>
>Date: Fri, 23 Aug 2024 12:55:58 +0000
>Subject: [PATCH] smb2_ioctl: fix truncated FSCTL_QUERY_ALLOCATED_RANGES
> responses
>
>As per MS-FSA 2.1.5.10.22 FSCTL_QUERY_ALLOCATED_RANGES, if response
>range entries exceed in_max_output, then we should respond with
>STATUS_BUFFER_OVERFLOW and a truncated output buffer.
>
>Bug: https://bugzilla.samba.org/show_bug.cgi?id=15699
>
>Reported-by: David Howells <dhowells@redhat.com>
>Signed-off-by: David Disseldorp <ddiss@samba.org>
>Reviewed-by: Noel Power <npower@samba.org>
>
>Autobuild-User(master): David Disseldorp <ddiss@samba.org>
>Autobuild-Date(master): Wed Aug 28 08:54:11 UTC 2024 on atb-devel-224
>
>(cherry picked from commit 5e278a52646a48e3671270e5b57ec5b852f9fb4b)
>---
> source3/smbd/smb2_ioctl.c | 4 ++-
> source3/smbd/smb2_ioctl_filesys.c | 54 +++++++++++++++++++------------
> source4/libcli/smb2/ioctl.c | 3 +-
> 3 files changed, 38 insertions(+), 23 deletions(-)
>
>diff --git a/source3/smbd/smb2_ioctl.c b/source3/smbd/smb2_ioctl.c
>index 7d0f11df1ad..e31627126f4 100644
>--- a/source3/smbd/smb2_ioctl.c
>+++ b/source3/smbd/smb2_ioctl.c
>@@ -268,7 +268,8 @@ static bool smbd_smb2_ioctl_is_failure(uint32_t ctl_code, NTSTATUS status,
> if (NT_STATUS_EQUAL(status, STATUS_BUFFER_OVERFLOW)
> && ((ctl_code == FSCTL_PIPE_TRANSCEIVE)
> || (ctl_code == FSCTL_PIPE_PEEK)
>- || (ctl_code == FSCTL_DFS_GET_REFERRALS))) {
>+ || (ctl_code == FSCTL_DFS_GET_REFERRALS)
>+ || (ctl_code == FSCTL_QUERY_ALLOCATED_RANGES))) {
> return false;
> }
>
>@@ -344,6 +345,7 @@ static void smbd_smb2_request_ioctl_done(struct tevent_req *subreq)
> * in:
> * - fsctl_dfs_get_refers()
> * - smbd_smb2_ioctl_pipe_read_done()
>+ * - fsctl_qar()
> */
> status = NT_STATUS_BUFFER_TOO_SMALL;
> }
>diff --git a/source3/smbd/smb2_ioctl_filesys.c b/source3/smbd/smb2_ioctl_filesys.c
>index 6cc53d4828e..1a8d1c2affa 100644
>--- a/source3/smbd/smb2_ioctl_filesys.c
>+++ b/source3/smbd/smb2_ioctl_filesys.c
>@@ -3,7 +3,7 @@
> Core SMB2 server
>
> Copyright (C) Stefan Metzmacher 2009
>- Copyright (C) David Disseldorp 2013-2015
>+ Copyright (C) David Disseldorp 2013-2024
>
> This program is free software; you can redistribute it and/or modify
> it under the terms of the GNU General Public License as published by
>@@ -538,6 +538,7 @@ static NTSTATUS fsctl_qar_seek_fill(TALLOC_CTX *mem_ctx,
> struct files_struct *fsp,
> off_t curr_off,
> off_t max_off,
>+ size_t in_max_output,
> DATA_BLOB *qar_array_blob)
> {
> NTSTATUS status = NT_STATUS_NOT_SUPPORTED;
>@@ -578,6 +579,17 @@ static NTSTATUS fsctl_qar_seek_fill(TALLOC_CTX *mem_ctx,
> return NT_STATUS_INTERNAL_ERROR;
> }
>
>+ if (qar_array_blob->length + sizeof(qar_buf) > in_max_output) {
>+ /*
>+ * Earlier check ensures space for one range or more.
>+ * Subsequent overflow results in a truncated response.
>+ */
>+ DBG_NOTICE("truncated QAR output: need > %zu, max %zu\n",
>+ qar_array_blob->length + sizeof(qar_buf),
>+ in_max_output);
>+ return STATUS_BUFFER_OVERFLOW;
>+ }
>+
> qar_buf.file_off = data_off;
> /* + 1 to convert maximum offset to length */
> qar_buf.len = MIN(hole_off, max_off + 1) - data_off;
>@@ -652,6 +664,13 @@ static NTSTATUS fsctl_qar(TALLOC_CTX *mem_ctx,
> return NT_STATUS_INVALID_PARAMETER;
> }
>
>+ /* must have enough space for at least one range */
>+ if (in_max_output < sizeof(struct file_alloced_range_buf)) {
>+ DEBUG(2, ("QAR max %lu insufficient for one range\n",
>+ (unsigned long)in_max_output));
>+ return NT_STATUS_BUFFER_TOO_SMALL;
>+ }
>+
> /*
> * Maximum offset is either the last valid offset _before_ EOF, or the
> * last byte offset within the requested range. -1 converts length to
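Review bot: The new truncation guard in fsctl_qar_seek_fill compares `qar_array_blob->length`, which is the byte count produced by the NDR push in fsctl_qar_buf_push (outside this hunk), against `sizeof(qar_buf)`, the in-memory size of the C struct; the two only agree while the struct is padding-free and its fields have exactly the on-wire width, which nothing in this hunk states. Presumably the generated struct is two 64-bit fields, but a reader cannot see that here, so I would pin the assumption next to the check: `/* sizeof(qar_buf) must match the on-wire FILE_ALLOCATED_RANGE_BUFFER size; see the matching minimum-size check in fsctl_qar() */`. Since fsctl_qar's minimum-size check uses the same `sizeof(struct file_alloced_range_buf)`, a single named constant used by both sites would keep them from drifting apart. fsctl_qar_seek_fill begins and ends outside this hunk.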
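Review bot: The minimum-size check added to fsctl_qar logs with the legacy `DEBUG(2, (...))` macro, a `%lu` specifier and an `(unsigned long)` cast, while the sibling check added to fsctl_qar_seek_fill in the same patch uses `DBG_NOTICE` with `%zu`; within one change the two should use the same style. I would write `DBG_NOTICE("QAR max %zu insufficient for one range\n", in_max_output);`, which also drops the cast since `in_max_output` is already a `size_t`. Returning NT_STATUS_BUFFER_TOO_SMALL here (rather than the STATUS_BUFFER_OVERFLOW used for later truncation) looks deliberate, and the comment added in smbd_smb2_request_ioctl_done lists fsctl_qar as a source of that status, so a one-line comment saying why an undersized buffer is a hard failure while a partially filled one is not would help the next reader. fsctl_qar begins and ends outside this hunk.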
>@@ -687,31 +706,24 @@ static NTSTATUS fsctl_qar(TALLOC_CTX *mem_ctx,
> status = fsctl_qar_buf_push(mem_ctx, &qar_buf, &qar_array_blob);
> } else {
> status = fsctl_qar_seek_fill(mem_ctx, fsp, qar_req.buf.file_off,
>- max_off, &qar_array_blob);
>- }
>- if (!NT_STATUS_IS_OK(status)) {
>- return status;
>+ max_off, in_max_output,
>+ &qar_array_blob);
> }
>
>- /* marshall response buffer. */
>- qar_rsp.far_buf_array = qar_array_blob;
>+ if (NT_STATUS_IS_OK(status)
>+ || NT_STATUS_EQUAL(status, STATUS_BUFFER_OVERFLOW)) {
>+ /* marshall response. STATUS_BUFFER_OVERFLOW=truncated */
>+ qar_rsp.far_buf_array = qar_array_blob;
>
>- ndr_ret = ndr_push_struct_blob(out_output, mem_ctx, &qar_rsp,
>- (ndr_push_flags_fn_t)ndr_push_fsctl_query_alloced_ranges_rsp);
>- if (ndr_ret != NDR_ERR_SUCCESS) {
>- DEBUG(0, ("failed to marshall QAR rsp\n"));
>- return NT_STATUS_INVALID_PARAMETER;
>- }
>-
>- if (out_output->length > in_max_output) {
>- DEBUG(2, ("QAR output len %lu exceeds max %lu\n",
>- (unsigned long)out_output->length,
>- (unsigned long)in_max_output));
>- data_blob_free(out_output);
>- return NT_STATUS_BUFFER_TOO_SMALL;
>+ ndr_ret = ndr_push_struct_blob(out_output, mem_ctx, &qar_rsp,
>+ (ndr_push_flags_fn_t)ndr_push_fsctl_query_alloced_ranges_rsp);
>+ if (ndr_ret != NDR_ERR_SUCCESS) {
>+ DEBUG(0, ("failed to marshall QAR rsp\n"));
>+ return NT_STATUS_INVALID_PARAMETER;
>+ }
> }
>
>- return NT_STATUS_OK;
>+ return status;
> }
>
> static void smb2_ioctl_filesys_dup_extents_done(struct tevent_req *subreq);
>diff --git a/source4/libcli/smb2/ioctl.c b/source4/libcli/smb2/ioctl.c
>index fe74dfecd8e..94962691810 100644
>--- a/source4/libcli/smb2/ioctl.c
>+++ b/source4/libcli/smb2/ioctl.c
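Review bot: Removing the `out_output->length > in_max_output` check after `ndr_push_struct_blob` leaves the response size bounded only indirectly: by the per-range check inside fsctl_qar_seek_fill, and by the assumption that the pushed fsctl_query_alloced_ranges_rsp carries no bytes beyond the range array itself. The `fsctl_qar_buf_push` branch at the top of this hunk pushes without consulting `in_max_output` at all, relying on the one-range minimum enforced earlier in the function (outside this hunk), so any future change to either the encoding or that branch would hand a client more bytes than its MaxOutputResponse allows. I would keep a cheap post-push guard that now signals a server-side accounting error rather than a client error: `if (out_output->length > in_max_output) { data_blob_free(out_output); return NT_STATUS_INTERNAL_ERROR; }`. The comment `/* marshall response. STATUS_BUFFER_OVERFLOW=truncated */` would also read better as a full sentence, e.g. "marshall the (possibly truncated) array; STATUS_BUFFER_OVERFLOW is passed through so the client learns it was truncated". fsctl_qar begins outside this hunk.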
>@@ -86,7 +86,8 @@ static bool smb2_ioctl_is_failure(uint32_t ctl_code, NTSTATUS status,
> if (NT_STATUS_EQUAL(status, STATUS_BUFFER_OVERFLOW)
> && ((ctl_code == FSCTL_PIPE_TRANSCEIVE)
> || (ctl_code == FSCTL_PIPE_PEEK)
>- || (ctl_code == FSCTL_DFS_GET_REFERRALS))) {
>+ || (ctl_code == FSCTL_DFS_GET_REFERRALS)
>+ || (ctl_code == FSCTL_QUERY_ALLOCATED_RANGES))) {
> return false;
> }
>
>--
>2.43.0
>
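Review bot: Adding FSCTL_QUERY_ALLOCATED_RANGES to the client-side STATUS_BUFFER_OVERFLOW allow-list changes what callers of this library observe: a request whose ranges do not fit is no longer reported as a failure, and the caller receives a partial range array together with a non-OK status. Any caller that treats the returned buffer as the complete set of ranges will silently drop the trailing extents, so the new line deserves a comment such as `/* QAR: partial range array; callers must check for STATUS_BUFFER_OVERFLOW and re-query from the last returned offset */`. This list is maintained by hand in parallel with the one in source3/smbd/smb2_ioctl.c (first hunk of this patch); a cross-reference comment at both sites would reduce the chance of the two drifting. A client-side test that requests a deliberately small max_response_size and asserts both the status and the truncated output length would pin the new contract. smb2_ioctl_is_failure begins outside this hunk.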
Flags:
npower
:
review-