The Samba-Bugzilla – Attachment 6986 Details for
Bug 8520
Fix SMB2 SMB2_OP_GETINFO and SMB2_OP_IOCTL parsing requirements.
[patch]
git-am patchset for 3.6.1
look (text/plain), 42.43 KB, created by
Jeremy Allison
on 2011-10-11 20:07:43 UTC
Description:
git-am patchset for 3.6.1
Filename:
MIME Type:
Creator:
Jeremy Allison
Created:
2011-10-11 20:07:43 UTC
Size:
42.43 KB
>From 4cb2249338f03c2b1b3662f1c6b528a3cd3f78c1 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Mon, 3 Oct 2011 14:50:48 -0700
>Subject: [PATCH 01/23] s3:smb2_server: add smbd_smb2_request_verify_sizes()
>
>metze.
>---
> source3/smbd/globals.h | 3 +++
> source3/smbd/smb2_server.c | 42 ++++++++++++++++++++++++++++++++++++++++++
> 2 files changed, 45 insertions(+), 0 deletions(-)
>
>diff --git a/source3/smbd/globals.h b/source3/smbd/globals.h
>index abeaed4..7033848 100644
>--- a/source3/smbd/globals.h
>+++ b/source3/smbd/globals.h
>@@ -278,6 +278,9 @@ NTSTATUS smbd_smb2_request_check_tcon(struct smbd_smb2_request *req);
> struct smb_request *smbd_smb2_fake_smb_request(struct smbd_smb2_request *req);
> void remove_smb2_chained_fsp(files_struct *fsp);
>
>+NTSTATUS smbd_smb2_request_verify_sizes(struct smbd_smb2_request *req,
>+ size_t expected_body_size);
>+
> NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req);
> NTSTATUS smbd_smb2_request_process_sesssetup(struct smbd_smb2_request *req);
> NTSTATUS smbd_smb2_request_process_logoff(struct smbd_smb2_request *req);
>diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c
>index cad4ca6..811e6d3 100644
>--- a/source3/smbd/smb2_server.c
>+++ b/source3/smbd/smb2_server.c
>@@ -1125,6 +1125,48 @@ static NTSTATUS smbd_smb2_request_process_cancel(struct smbd_smb2_request *req)
> return NT_STATUS_OK;
> }
>
>+NTSTATUS smbd_smb2_request_verify_sizes(struct smbd_smb2_request *req,
>+ size_t expected_body_size)
>+{
>+ const uint8_t *inbody;
>+ int i = req->current_idx;
>+ size_t body_size;
>+
>+ /*
>+ * The following should be checked already.
>+ */
>+ if ((i+2) > req->in.vector_count) {
>+ return NT_STATUS_INTERNAL_ERROR;
>+ }
>+ if (req->in.vector[i+0].iov_len != SMB2_HDR_BODY) {
>+ return NT_STATUS_INTERNAL_ERROR;
>+ }
>+ if (req->in.vector[i+1].iov_len < 2) {
>+ return NT_STATUS_INTERNAL_ERROR;
>+ }
>+
>+ /*
>+ * Now check the expected body size,
>+ * where the last byte might be in the
>+ * dynnamic section..
>+ */
>+ if (req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) {
>+ return NT_STATUS_INVALID_PARAMETER;
>+ }
>+ if (req->in.vector[i+2].iov_len < (expected_body_size & 0x00000001)) {
>+ return NT_STATUS_INVALID_PARAMETER;
>+ }
>+
>+ inbody = (const uint8_t *)req->in.vector[i+1].iov_base;
>+
>+ body_size = SVAL(inbody, 0x00);
>+ if (body_size != expected_body_size) {
>+ return NT_STATUS_INVALID_PARAMETER;
>+ }
>+
>+ return NT_STATUS_OK;
>+}
>+
> NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req)
> {
> const uint8_t *inhdr;
>--
>1.7.3.1
>
>
>From abda6091c2aa039de8437bc4d88f3f27d45498b7 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Tue, 6 Sep 2011 14:01:43 +0200
>Subject: [PATCH 02/23] s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_negprot.c
>
>metze
>(cherry picked from commit 7ec3a35d2a67ca93a49094f07a12b0e37cec1661)
>---
> source3/smbd/smb2_negprot.c | 14 ++++----------
> 1 files changed, 4 insertions(+), 10 deletions(-)
>
>diff --git a/source3/smbd/smb2_negprot.c b/source3/smbd/smb2_negprot.c
>index f639503..9245d6d 100644
>--- a/source3/smbd/smb2_negprot.c
>+++ b/source3/smbd/smb2_negprot.c
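Review bot: In `smbd_smb2_request_verify_sizes()` (source3/smbd/smb2_server.c, the function is entirely inside this hunk) the vector-count guard is one short of what the function dereferences: `(i+2) > req->in.vector_count` still admits `i+2 == vector_count`, yet a few lines later `req->in.vector[i+2].iov_len` is read, which would be one element past the array in that case. The comment says these conditions "should be checked already", so callers probably guarantee header, body and dynamic vectors per request, but a defensive guard should cover every index used: `if ((i+3) > req->in.vector_count) {`. `i` is a signed `int` copied from `req->current_idx` and the type of `vector_count` is not visible here, so it is worth confirming the comparison behaves as intended for all values. The comment typo `dynnamic` can be fixed in the same pass.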
>@@ -61,6 +61,7 @@ void reply_smb2002(struct smb_request *req, uint16_t choice)
>
> NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req)
> {
>+ NTSTATUS status;
> const uint8_t *inbody;
> const uint8_t *indyn = NULL;
> int i = req->current_idx;
>@@ -69,8 +70,6 @@ NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req)
> DATA_BLOB negprot_spnego_blob;
> uint16_t security_offset;
> DATA_BLOB security_buffer;
>- size_t expected_body_size = 0x24;
>- size_t body_size;
> size_t expected_dyn_size = 0;
> size_t c;
> uint16_t security_mode;
>@@ -80,17 +79,12 @@ NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req)
>
> /* TODO: drop the connection with INVALID_PARAMETER */
>
>- if (req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) {
>- return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
>+ status = smbd_smb2_request_verify_sizes(req, 0x24);
>+ if (!NT_STATUS_IS_OK(status)) {
>+ return smbd_smb2_request_error(req, status);
> }
>-
> inbody = (const uint8_t *)req->in.vector[i+1].iov_base;
>
>- body_size = SVAL(inbody, 0x00);
>- if (body_size != expected_body_size) {
>- return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
>- }
>-
> dialect_count = SVAL(inbody, 0x02);
> if (dialect_count == 0) {
> return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
>--
>1.7.3.1
>
>
>From ec3159637c606b28d50abe7aa746ad3b8017fb80 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Tue, 6 Sep 2011 14:01:43 +0200
>Subject: [PATCH 03/23] s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_sesssetup.c
>
>metze
>(cherry picked from commit d280d9f945be2d658694c6d4503822e99dc953b5)
>---
> source3/smbd/smb2_sesssetup.c | 35 +++++++++--------------------------
> 1 files changed, 9 insertions(+), 26 deletions(-)
>
>diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
>index 49aabdb..53f9d10 100644
>--- a/source3/smbd/smb2_sesssetup.c
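Review bot: In `smbd_smb2_request_process_negprot()` the expected size is now a bare literal, `smbd_smb2_request_verify_sizes(req, 0x24)`, where the removed local `expected_body_size` at least named it; the other call sites converted in this series (0x19, 0x04, 0x09, 0x18, 0x39, 0x21, 0x29, 0x30, 0x20, 0x31) read the same way. For the odd values the low bit carries meaning, since the helper masks it off for the fixed body and instead requires a byte in the dynamic vector, and nothing at the call site says so. A short comment next to each call, for example `/* 0x24: expected body size, compared with the 16-bit value at offset 0 of the body */`, or a named constant per request type, would keep that knowledge beside the parsing code. The enclosing function starts and ends outside these hunks.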
>+++ b/source3/smbd/smb2_sesssetup.c
>@@ -47,8 +47,6 @@ NTSTATUS smbd_smb2_request_process_sesssetup(struct smbd_smb2_request *smb2req)
> uint8_t *outhdr;
> DATA_BLOB outbody;
> DATA_BLOB outdyn;
>- size_t expected_body_size = 0x19;
>- size_t body_size;
> uint64_t in_session_id;
> uint8_t in_security_mode;
> uint16_t in_security_offset;
>@@ -60,23 +58,17 @@ NTSTATUS smbd_smb2_request_process_sesssetup(struct smbd_smb2_request *smb2req)
> DATA_BLOB out_security_buffer = data_blob_null;
> NTSTATUS status;
>
>- inhdr = (const uint8_t *)smb2req->in.vector[i+0].iov_base;
>-
>- if (smb2req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) {
>- return smbd_smb2_request_error(smb2req, NT_STATUS_INVALID_PARAMETER);
>+ status = smbd_smb2_request_verify_sizes(smb2req, 0x19);
>+ if (!NT_STATUS_IS_OK(status)) {
>+ return smbd_smb2_request_error(smb2req, status);
> }
>-
>+ inhdr = (const uint8_t *)smb2req->in.vector[i+0].iov_base;
> inbody = (const uint8_t *)smb2req->in.vector[i+1].iov_base;
>
>- body_size = SVAL(inbody, 0x00);
>- if (body_size != expected_body_size) {
>- return smbd_smb2_request_error(smb2req, NT_STATUS_INVALID_PARAMETER);
>- }
>-
> in_security_offset = SVAL(inbody, 0x0C);
> in_security_length = SVAL(inbody, 0x0E);
>
>- if (in_security_offset != (SMB2_HDR_BODY + (body_size & 0xFFFFFFFE))) {
>+ if (in_security_offset != (SMB2_HDR_BODY + smb2req->in.vector[i+1].iov_len)) {
> return smbd_smb2_request_error(smb2req, NT_STATUS_INVALID_PARAMETER);
> }
>
>@@ -878,21 +870,12 @@ NTSTATUS smbd_smb2_request_check_session(struct smbd_smb2_request *req)
>
> NTSTATUS smbd_smb2_request_process_logoff(struct smbd_smb2_request *req)
> {
>- const uint8_t *inbody;
>- int i = req->current_idx;
>+ NTSTATUS status;
> DATA_BLOB outbody;
>- size_t expected_body_size = 0x04;
>- size_t body_size;
>
>- if (req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) {
>- return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
>- }
>-
>- inbody = (const uint8_t *)req->in.vector[i+1].iov_base;
>-
>- body_size = SVAL(inbody, 0x00);
>- if (body_size != expected_body_size) {
>- return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
>+ status = smbd_smb2_request_verify_sizes(req, 0x04);
>+ if (!NT_STATUS_IS_OK(status)) {
>+ return smbd_smb2_request_error(req, status);
> }
>
> /*
>--
>1.7.3.1
>
>
>From da2deca7c3a82a85f4e54a2dc7608469f8b2cec7 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Tue, 6 Sep 2011 14:01:43 +0200
>Subject: [PATCH 04/23] s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_tcon.c
>
>metze
>(cherry picked from commit 02f7c37e671c7950619c000b73c5a09ce31c68ac)
>---
> source3/smbd/smb2_tcon.c | 32 ++++++++------------------------
> 1 files changed, 8 insertions(+), 24 deletions(-)
>
>diff --git a/source3/smbd/smb2_tcon.c b/source3/smbd/smb2_tcon.c
>index ea38d1e..08b5b1e 100644
>--- a/source3/smbd/smb2_tcon.c
>+++ b/source3/smbd/smb2_tcon.c
>@@ -39,8 +39,6 @@ NTSTATUS smbd_smb2_request_process_tcon(struct smbd_smb2_request *req)
> int i = req->current_idx;
> uint8_t *outhdr;
> DATA_BLOB outbody;
>- size_t expected_body_size = 0x09;
>- size_t body_size;
> uint16_t in_path_offset;
> uint16_t in_path_length;
> DATA_BLOB in_path_buffer;
>@@ -54,21 +52,16 @@ NTSTATUS smbd_smb2_request_process_tcon(struct smbd_smb2_request *req)
> NTSTATUS status;
> bool ok;
>
>- if (req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) {
>- return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
>+ status = smbd_smb2_request_verify_sizes(req, 0x09);
>+ if (!NT_STATUS_IS_OK(status)) {
>+ return smbd_smb2_request_error(req, status);
> }
>-
> inbody = (const uint8_t *)req->in.vector[i+1].iov_base;
>
>- body_size = SVAL(inbody, 0x00);
>- if (body_size != expected_body_size) {
>- return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
>- }
>-
> in_path_offset = SVAL(inbody, 0x04);
> in_path_length = SVAL(inbody, 0x06);
>
>- if (in_path_offset != (SMB2_HDR_BODY + (body_size & 0xFFFFFFFE))) {
>+ if (in_path_offset != (SMB2_HDR_BODY + req->in.vector[i+1].iov_len)) {
> return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
> }
>
>@@ -339,21 +332,12 @@ NTSTATUS smbd_smb2_request_check_tcon(struct smbd_smb2_request *req)
>
> NTSTATUS smbd_smb2_request_process_tdis(struct smbd_smb2_request *req)
> {
>- const uint8_t *inbody;
>- int i = req->current_idx;
>+ NTSTATUS status;
> DATA_BLOB outbody;
>- size_t expected_body_size = 0x04;
>- size_t body_size;
>
>- if (req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) {
>- return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
>- }
>-
>- inbody = (const uint8_t *)req->in.vector[i+1].iov_base;
>-
>- body_size = SVAL(inbody, 0x00);
>- if (body_size != expected_body_size) {
>- return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
>+ status = smbd_smb2_request_verify_sizes(req, 0x04);
>+ if (!NT_STATUS_IS_OK(status)) {
>+ return smbd_smb2_request_error(req, status);
> }
>
> /*
>--
>1.7.3.1
>
>
>From 6141564acf3579475132c75f245405742fb29b46 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Tue, 6 Sep 2011 14:01:43 +0200
>Subject: [PATCH 05/23] s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_break.c
>
>metze
>(cherry picked from commit 9da2f72d471460d9c953e9cee84c9cfa3611e89e)
>---
> source3/smbd/smb2_break.c | 16 ++++------------
> 1 files changed, 4 insertions(+), 12 deletions(-)
>
>diff --git a/source3/smbd/smb2_break.c b/source3/smbd/smb2_break.c
>index 5d5ab41..ce583ac 100644
>--- a/source3/smbd/smb2_break.c
>+++ b/source3/smbd/smb2_break.c
>@@ -36,28 +36,20 @@ static NTSTATUS smbd_smb2_oplock_break_recv(struct tevent_req *req,
> static void smbd_smb2_request_oplock_break_done(struct tevent_req *subreq);
> NTSTATUS smbd_smb2_request_process_break(struct smbd_smb2_request *req)
> {
>- const uint8_t *inhdr;
>+ NTSTATUS status;
> const uint8_t *inbody;
> int i = req->current_idx;
>- size_t expected_body_size = 0x18;
>- size_t body_size;
> uint8_t in_oplock_level;
> uint64_t in_file_id_persistent;
> uint64_t in_file_id_volatile;
> struct tevent_req *subreq;
>
>- inhdr = (const uint8_t *)req->in.vector[i+0].iov_base;
>- if (req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) {
>- return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
>+ status = smbd_smb2_request_verify_sizes(req, 0x18);
>+ if (!NT_STATUS_IS_OK(status)) {
>+ return smbd_smb2_request_error(req, status);
> }
>-
> inbody = (const uint8_t *)req->in.vector[i+1].iov_base;
>
>- body_size = SVAL(inbody, 0x00);
>- if (body_size != expected_body_size) {
>- return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
>- }
>-
> in_oplock_level = CVAL(inbody, 0x02);
>
> if (in_oplock_level != SMB2_OPLOCK_LEVEL_NONE &&
>--
>1.7.3.1
>
>
>From cec84baa67e19d5748d43a1d56ee981b81f57e4a Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Tue, 6 Sep 2011 14:01:43 +0200
>Subject: [PATCH 06/23] s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_close.c
>
>metze
>(cherry picked from commit e09b3940a769806dcc17d24079375f5d53eca26a)
>---
> source3/smbd/smb2_close.c | 15 +++------------
> 1 files changed, 3 insertions(+), 12 deletions(-)
>
>diff --git a/source3/smbd/smb2_close.c b/source3/smbd/smb2_close.c
>index 93ce5ba..ffe08cc 100644
>--- a/source3/smbd/smb2_close.c
>+++ b/source3/smbd/smb2_close.c
>@@ -30,30 +30,21 @@ static NTSTATUS smbd_smb2_close(struct smbd_smb2_request *req,
>
> NTSTATUS smbd_smb2_request_process_close(struct smbd_smb2_request *req)
> {
>- const uint8_t *inhdr;
> const uint8_t *inbody;
> int i = req->current_idx;
> uint8_t *outhdr;
> DATA_BLOB outbody;
>- size_t expected_body_size = 0x18;
>- size_t body_size;
> uint16_t in_flags;
> uint64_t in_file_id_persistent;
> uint64_t in_file_id_volatile;
> NTSTATUS status;
>
>- inhdr = (const uint8_t *)req->in.vector[i+0].iov_base;
>- if (req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) {
>- return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
>+ status = smbd_smb2_request_verify_sizes(req, 0x18);
>+ if (!NT_STATUS_IS_OK(status)) {
>+ return smbd_smb2_request_error(req, status);
> }
>-
> inbody = (const uint8_t *)req->in.vector[i+1].iov_base;
>
>- body_size = SVAL(inbody, 0x00);
>- if (body_size != expected_body_size) {
>- return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
>- }
>-
> outbody = data_blob_talloc(req->out.vector, NULL, 0x3C);
> if (outbody.data == NULL) {
> return smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY);
>--
>1.7.3.1
>
>
>From b5337ce4ee3e4df8d2a7dcc17fb94f8d979534b7 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Tue, 6 Sep 2011 14:01:43 +0200
>Subject: [PATCH 07/23] s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_create.c
>
>metze
>(cherry picked from commit 251815bfd395398857cb60c0b89710ddce7ab19f)
>---
> source3/smbd/smb2_create.c | 15 ++++-----------
> 1 files changed, 4 insertions(+), 11 deletions(-)
>
>diff --git a/source3/smbd/smb2_create.c b/source3/smbd/smb2_create.c
>index b8557e0..4b19e0c 100644
>--- a/source3/smbd/smb2_create.c
>+++ b/source3/smbd/smb2_create.c
>@@ -100,8 +100,6 @@ NTSTATUS smbd_smb2_request_process_create(struct smbd_smb2_request *smb2req)
> {
> const uint8_t *inbody;
> int i = smb2req->current_idx;
>- size_t expected_body_size = 0x39;
>- size_t body_size;
> uint8_t in_oplock_level;
> uint32_t in_impersonation_level;
> uint32_t in_desired_access;
>@@ -127,17 +125,12 @@ NTSTATUS smbd_smb2_request_process_create(struct smbd_smb2_request *smb2req)
> bool ok;
> struct tevent_req *tsubreq;
>
>- if (smb2req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) {
>- return smbd_smb2_request_error(smb2req, NT_STATUS_INVALID_PARAMETER);
>+ status = smbd_smb2_request_verify_sizes(smb2req, 0x39);
>+ if (!NT_STATUS_IS_OK(status)) {
>+ return smbd_smb2_request_error(smb2req, status);
> }
>-
> inbody = (const uint8_t *)smb2req->in.vector[i+1].iov_base;
>
>- body_size = SVAL(inbody, 0x00);
>- if (body_size != expected_body_size) {
>- return smbd_smb2_request_error(smb2req, NT_STATUS_INVALID_PARAMETER);
>- }
>-
> in_oplock_level = CVAL(inbody, 0x03);
> in_impersonation_level = IVAL(inbody, 0x04);
> in_desired_access = IVAL(inbody, 0x18);
>@@ -158,7 +151,7 @@ NTSTATUS smbd_smb2_request_process_create(struct smbd_smb2_request *smb2req)
> * overlap
> */
>
>- dyn_offset = SMB2_HDR_BODY + (body_size & 0xFFFFFFFE);
>+ dyn_offset = SMB2_HDR_BODY + smb2req->in.vector[i+1].iov_len;
>
> if (in_name_offset == 0 && in_name_length == 0) {
> /* This is ok */
>--
>1.7.3.1
>
>
>From c2fcc9ae53323b94008707bdc3a603695e36c3df Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Tue, 6 Sep 2011 14:01:43 +0200
>Subject: [PATCH 08/23] s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_find.c
>
>metze
>(cherry picked from commit bc95ab99dc84fa6d567a7d4e803552363bbc07a9)
>---
> source3/smbd/smb2_find.c | 18 +++++-------------
> 1 files changed, 5 insertions(+), 13 deletions(-)
>
>diff --git a/source3/smbd/smb2_find.c b/source3/smbd/smb2_find.c
>index 362dff4..85e0126 100644
>--- a/source3/smbd/smb2_find.c
>+++ b/source3/smbd/smb2_find.c
>@@ -41,11 +41,9 @@ static NTSTATUS smbd_smb2_find_recv(struct tevent_req *req,
> static void smbd_smb2_request_find_done(struct tevent_req *subreq);
> NTSTATUS smbd_smb2_request_process_find(struct smbd_smb2_request *req)
> {
>- const uint8_t *inhdr;
>+ NTSTATUS status;
> const uint8_t *inbody;
> int i = req->current_idx;
>- size_t expected_body_size = 0x21;
>- size_t body_size;
> uint8_t in_file_info_class;
> uint8_t in_flags;
> uint32_t in_file_index;
>@@ -60,18 +58,12 @@ NTSTATUS smbd_smb2_request_process_find(struct smbd_smb2_request *req)
> struct tevent_req *subreq;
> bool ok;
>
>- inhdr = (const uint8_t *)req->in.vector[i+0].iov_base;
>- if (req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) {
>- return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
>+ status = smbd_smb2_request_verify_sizes(req, 0x21);
>+ if (!NT_STATUS_IS_OK(status)) {
>+ return smbd_smb2_request_error(req, status);
> }
>-
> inbody = (const uint8_t *)req->in.vector[i+1].iov_base;
>
>- body_size = SVAL(inbody, 0x00);
>- if (body_size != expected_body_size) {
>- return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
>- }
>-
> in_file_info_class = CVAL(inbody, 0x02);
> in_flags = CVAL(inbody, 0x03);
> in_file_index = IVAL(inbody, 0x04);
>@@ -84,7 +76,7 @@ NTSTATUS smbd_smb2_request_process_find(struct smbd_smb2_request *req)
> if (in_file_name_offset == 0 && in_file_name_length == 0) {
> /* This is ok */
> } else if (in_file_name_offset !=
>- (SMB2_HDR_BODY + (body_size & 0xFFFFFFFE))) {
>+ (SMB2_HDR_BODY + req->in.vector[i+1].iov_len)) {
> return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
> }
>
>--
>1.7.3.1
>
>
>From f2459924cc9ef287fc0acc79bed1b70471f3d788 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Tue, 6 Sep 2011 14:01:43 +0200
>Subject: [PATCH 09/23] s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_flush.c
>
>metze
>(cherry picked from commit 440f702aa9a020f8cfe13037b7af1ba0dadf86f2)
>---
> source3/smbd/smb2_flush.c | 16 ++++------------
> 1 files changed, 4 insertions(+), 12 deletions(-)
>
>diff --git a/source3/smbd/smb2_flush.c b/source3/smbd/smb2_flush.c
>index c3f5a30..9b00eb2 100644
>--- a/source3/smbd/smb2_flush.c
>+++ b/source3/smbd/smb2_flush.c
>@@ -33,27 +33,19 @@ static NTSTATUS smbd_smb2_flush_recv(struct tevent_req *req);
> static void smbd_smb2_request_flush_done(struct tevent_req *subreq);
> NTSTATUS smbd_smb2_request_process_flush(struct smbd_smb2_request *req)
> {
>- const uint8_t *inhdr;
>+ NTSTATUS status;
> const uint8_t *inbody;
> int i = req->current_idx;
>- size_t expected_body_size = 0x18;
>- size_t body_size;
> uint64_t in_file_id_persistent;
> uint64_t in_file_id_volatile;
> struct tevent_req *subreq;
>
>- inhdr = (const uint8_t *)req->in.vector[i+0].iov_base;
>- if (req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) {
>- return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
>+ status = smbd_smb2_request_verify_sizes(req, 0x18);
>+ if (!NT_STATUS_IS_OK(status)) {
>+ return smbd_smb2_request_error(req, status);
> }
>-
> inbody = (const uint8_t *)req->in.vector[i+1].iov_base;
>
>- body_size = SVAL(inbody, 0x00);
>- if (body_size != expected_body_size) {
>- return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
>- }
>-
> in_file_id_persistent = BVAL(inbody, 0x08);
> in_file_id_volatile = BVAL(inbody, 0x10);
>
>--
>1.7.3.1
>
>
>From ca7e8844ef6c84f277b5ba7b243618a9b84438f1 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Tue, 6 Sep 2011 14:01:43 +0200
>Subject: [PATCH 10/23] s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_getinfo.c
>
>metze
>(cherry picked from commit 880eafd7e83ba326be7036605179e8de746f4312)
>---
> source3/smbd/smb2_getinfo.c | 18 +++++-------------
> 1 files changed, 5 insertions(+), 13 deletions(-)
>
>diff --git a/source3/smbd/smb2_getinfo.c b/source3/smbd/smb2_getinfo.c
>index 3c8c690..61e0cfa 100644
>--- a/source3/smbd/smb2_getinfo.c
>+++ b/source3/smbd/smb2_getinfo.c
>@@ -44,11 +44,9 @@ static NTSTATUS smbd_smb2_getinfo_recv(struct tevent_req *req,
> static void smbd_smb2_request_getinfo_done(struct tevent_req *subreq);
> NTSTATUS smbd_smb2_request_process_getinfo(struct smbd_smb2_request *req)
> {
>- const uint8_t *inhdr;
>+ NTSTATUS status;
> const uint8_t *inbody;
> int i = req->current_idx;
>- size_t expected_body_size = 0x29;
>- size_t body_size;
> uint8_t in_info_type;
> uint8_t in_file_info_class;
> uint32_t in_output_buffer_length;
>@@ -61,18 +59,12 @@ NTSTATUS smbd_smb2_request_process_getinfo(struct smbd_smb2_request *req)
> uint64_t in_file_id_volatile;
> struct tevent_req *subreq;
>
>- inhdr = (const uint8_t *)req->in.vector[i+0].iov_base;
>- if (req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) {
>- return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
>+ status = smbd_smb2_request_verify_sizes(req, 0x29);
>+ if (!NT_STATUS_IS_OK(status)) {
>+ return smbd_smb2_request_error(req, status);
> }
>-
> inbody = (const uint8_t *)req->in.vector[i+1].iov_base;
>
>- body_size = SVAL(inbody, 0x00);
>- if (body_size != expected_body_size) {
>- return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
>- }
>-
> in_info_type = CVAL(inbody, 0x02);
> in_file_info_class = CVAL(inbody, 0x03);
> in_output_buffer_length = IVAL(inbody, 0x04);
>@@ -87,7 +79,7 @@ NTSTATUS smbd_smb2_request_process_getinfo(struct smbd_smb2_request *req)
> if (in_input_buffer_offset == 0 && in_input_buffer_length == 0) {
> /* This is ok */
> } else if (in_input_buffer_offset !=
>- (SMB2_HDR_BODY + (body_size & 0xFFFFFFFE))) {
>+ (SMB2_HDR_BODY + req->in.vector[i+1].iov_len)) {
> return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
> }
>
>--
>1.7.3.1
>
>
>From 8e66e1b6d9e2ec0c38b9d9a4595e841a78f8db1e Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Tue, 6 Sep 2011 14:01:43 +0200
>Subject: [PATCH 11/23] s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_ioctl.c
>
>metze
>(cherry picked from commit 29b3601c028b8861102b1d988285c78fc17f3b8e)
>---
> source3/smbd/smb2_ioctl.c | 18 +++++-------------
> 1 files changed, 5 insertions(+), 13 deletions(-)
>
>diff --git a/source3/smbd/smb2_ioctl.c b/source3/smbd/smb2_ioctl.c
>index 88775b4..8f2a471 100644
>--- a/source3/smbd/smb2_ioctl.c
>+++ b/source3/smbd/smb2_ioctl.c
>@@ -41,11 +41,9 @@ static NTSTATUS smbd_smb2_ioctl_recv(struct tevent_req *req,
> static void smbd_smb2_request_ioctl_done(struct tevent_req *subreq);
> NTSTATUS smbd_smb2_request_process_ioctl(struct smbd_smb2_request *req)
> {
>- const uint8_t *inhdr;
>+ NTSTATUS status;
> const uint8_t *inbody;
> int i = req->current_idx;
>- size_t expected_body_size = 0x39;
>- size_t body_size;
> uint32_t in_ctl_code;
> uint64_t in_file_id_persistent;
> uint64_t in_file_id_volatile;
>@@ -56,18 +54,12 @@ NTSTATUS smbd_smb2_request_process_ioctl(struct smbd_smb2_request *req)
> uint32_t in_flags;
> struct tevent_req *subreq;
>
>- inhdr = (const uint8_t *)req->in.vector[i+0].iov_base;
>- if (req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) {
>- return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
>+ status = smbd_smb2_request_verify_sizes(req, 0x39);
>+ if (!NT_STATUS_IS_OK(status)) {
>+ return smbd_smb2_request_error(req, status);
> }
>-
> inbody = (const uint8_t *)req->in.vector[i+1].iov_base;
>
>- body_size = SVAL(inbody, 0x00);
>- if (body_size != expected_body_size) {
>- return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
>- }
>-
> in_ctl_code = IVAL(inbody, 0x04);
> in_file_id_persistent = BVAL(inbody, 0x08);
> in_file_id_volatile = BVAL(inbody, 0x10);
>@@ -76,7 +68,7 @@ NTSTATUS smbd_smb2_request_process_ioctl(struct smbd_smb2_request *req)
> in_max_output_length = IVAL(inbody, 0x2C);
> in_flags = IVAL(inbody, 0x30);
>
>- if (in_input_offset != (SMB2_HDR_BODY + (body_size & 0xFFFFFFFE))) {
>+ if (in_input_offset != (SMB2_HDR_BODY + req->in.vector[i+1].iov_len)) {
> return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
> }
>
>--
>1.7.3.1
>
>
>From 63629ae4d6f8e5640b5d46044ff61f2365246ccc Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Tue, 6 Sep 2011 14:01:43 +0200
>Subject: [PATCH 12/23] s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_keepalive.c
>
>metze
>(cherry picked from commit 22d479f75794b7c5fcac2fd47fbfd767700507d6)
>---
> source3/smbd/smb2_keepalive.c | 17 ++++-------------
> 1 files changed, 4 insertions(+), 13 deletions(-)
>
>diff --git a/source3/smbd/smb2_keepalive.c b/source3/smbd/smb2_keepalive.c
>index a830260..24a4f8e 100644
>--- a/source3/smbd/smb2_keepalive.c
>+++ b/source3/smbd/smb2_keepalive.c
>@@ -25,21 +25,12 @@
>
> NTSTATUS smbd_smb2_request_process_keepalive(struct smbd_smb2_request *req)
> {
>- const uint8_t *inbody;
>- int i = req->current_idx;
> DATA_BLOB outbody;
>- size_t expected_body_size = 0x04;
>- size_t body_size;
>+ NTSTATUS status;
>
>- if (req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) {
>- return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
>- }
>-
>- inbody = (const uint8_t *)req->in.vector[i+1].iov_base;
>-
>- body_size = SVAL(inbody, 0x00);
>- if (body_size != expected_body_size) {
>- return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
>+ status = smbd_smb2_request_verify_sizes(req, 0x04);
>+ if (!NT_STATUS_IS_OK(status)) {
>+ return smbd_smb2_request_error(req, status);
> }
>
> /* TODO: update some time stamps */
>--
>1.7.3.1
>
>
>From 7b328b72d4e5b9bf96ed1694c2cb3a6813de5dde Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Tue, 6 Sep 2011 14:01:43 +0200
>Subject: [PATCH 13/23] s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_lock.c
>
>metze
>(cherry picked from commit a358eee2d8670d4a1675e82562fa704fa45a71e6)
>---
> source3/smbd/smb2_lock.c | 16 +++++-----------
> 1 files changed, 5 insertions(+), 11 deletions(-)
>
>diff --git a/source3/smbd/smb2_lock.c b/source3/smbd/smb2_lock.c
>index fce3c7c..28612ae 100644
>--- a/source3/smbd/smb2_lock.c
>+++ b/source3/smbd/smb2_lock.c
>@@ -58,8 +58,6 @@ NTSTATUS smbd_smb2_request_process_lock(struct smbd_smb2_request *req)
> const uint8_t *inhdr;
> const uint8_t *inbody;
> const int i = req->current_idx;
>- size_t expected_body_size = 0x30;
>- size_t body_size;
> uint32_t in_smbpid;
> uint16_t in_lock_count;
> uint64_t in_file_id_persistent;
>@@ -68,19 +66,15 @@ NTSTATUS smbd_smb2_request_process_lock(struct smbd_smb2_request *req)
> struct tevent_req *subreq;
> const uint8_t *lock_buffer;
> uint16_t l;
>+ NTSTATUS status;
>
>- inhdr = (const uint8_t *)req->in.vector[i+0].iov_base;
>- if (req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) {
>- return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
>+ status = smbd_smb2_request_verify_sizes(req, 0x30);
>+ if (!NT_STATUS_IS_OK(status)) {
>+ return smbd_smb2_request_error(req, status);
> }
>-
>+ inhdr = (const uint8_t *)req->in.vector[i+0].iov_base;
> inbody = (const uint8_t *)req->in.vector[i+1].iov_base;
>
>- body_size = SVAL(inbody, 0x00);
>- if (body_size != expected_body_size) {
>- return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
>- }
>-
> in_smbpid = IVAL(inhdr, SMB2_HDR_PID);
>
> in_lock_count = CVAL(inbody, 0x02);
>--
>1.7.3.1
>
>
>From deff5218dac2d6f071c89166dbd3334d07dcd98f Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Tue, 6 Sep 2011 14:01:43 +0200
>Subject: [PATCH 14/23] s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_notify.c
>
>metze
>(cherry picked from commit c6480366e551d1dc683c2648bd897bdc7c1b90df)
>---
> source3/smbd/smb2_notify.c | 16 ++++------------
> 1 files changed, 4 insertions(+), 12 deletions(-)
>
>diff --git a/source3/smbd/smb2_notify.c b/source3/smbd/smb2_notify.c
>index 9e377ce..a8b1eb4 100644
>--- a/source3/smbd/smb2_notify.c
>+++ b/source3/smbd/smb2_notify.c
>@@ -47,11 +47,9 @@ static NTSTATUS smbd_smb2_notify_recv(struct tevent_req *req,
> static void smbd_smb2_request_notify_done(struct tevent_req *subreq);
> NTSTATUS smbd_smb2_request_process_notify(struct smbd_smb2_request *req)
> {
>- const uint8_t *inhdr;
>+ NTSTATUS status;
> const uint8_t *inbody;
> int i = req->current_idx;
>- size_t expected_body_size = 0x20;
>- size_t body_size;
> uint16_t in_flags;
> uint32_t in_output_buffer_length;
> uint64_t in_file_id_persistent;
>@@ -59,18 +57,12 @@ NTSTATUS smbd_smb2_request_process_notify(struct smbd_smb2_request *req)
> uint64_t in_completion_filter;
> struct tevent_req *subreq;
>
>- inhdr = (const uint8_t *)req->in.vector[i+0].iov_base;
>- if (req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) {
>- return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
>+ status = smbd_smb2_request_verify_sizes(req, 0x20);
>+ if (!NT_STATUS_IS_OK(status)) {
>+ return smbd_smb2_request_error(req, status);
> }
>-
> inbody = (const uint8_t *)req->in.vector[i+1].iov_base;
>
>- body_size = SVAL(inbody, 0x00);
>- if (body_size != expected_body_size) {
>- return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
>- }
>-
> in_flags = SVAL(inbody, 0x02);
> in_output_buffer_length = IVAL(inbody, 0x04);
> in_file_id_persistent = BVAL(inbody, 0x08);
>--
>1.7.3.1
>
>
>From c6ee9e882cbf85edd0554ad39fb84ccef9eb3d10 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Tue, 6 Sep 2011 14:01:43 +0200
>Subject: [PATCH 15/23] s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_read.c
>
>metze
>(cherry picked from commit f3a8d65bdfe496f080a74eb7104500bd8e2b0179)
>---
> source3/smbd/smb2_read.c | 16 +++++-----------
> 1 files changed, 5 insertions(+), 11 deletions(-)
>
>diff --git a/source3/smbd/smb2_read.c b/source3/smbd/smb2_read.c
>index a88781e..89fc420 100644
>--- a/source3/smbd/smb2_read.c
>+++ b/source3/smbd/smb2_read.c
>@@ -44,11 +44,10 @@ static NTSTATUS smbd_smb2_read_recv(struct tevent_req *req,
> static void smbd_smb2_request_read_done(struct tevent_req *subreq);
> NTSTATUS smbd_smb2_request_process_read(struct smbd_smb2_request *req)
> {
>+ NTSTATUS status;
> const uint8_t *inhdr;
> const uint8_t *inbody;
> int i = req->current_idx;
>- size_t expected_body_size = 0x31;
>- size_t body_size;
> uint32_t in_smbpid;
> uint32_t in_length;
> uint64_t in_offset;
>@@ -58,18 +57,13 @@ NTSTATUS smbd_smb2_request_process_read(struct smbd_smb2_request *req)
> uint32_t in_remaining_bytes;
> struct tevent_req *subreq;
>
>- inhdr = (const uint8_t *)req->in.vector[i+0].iov_base;
>- if (req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) {
>- return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
>+ status = smbd_smb2_request_verify_sizes(req, 0x31);
>+ if (!NT_STATUS_IS_OK(status)) {
>+ return smbd_smb2_request_error(req, status);
> }
>-
>+ inhdr = (const uint8_t *)req->in.vector[i+0].iov_base;
> inbody = (const uint8_t *)req->in.vector[i+1].iov_base;
>
>- body_size = SVAL(inbody, 0x00);
>- if (body_size != expected_body_size) {
>- return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
>- }
>-
> in_smbpid = IVAL(inhdr, SMB2_HDR_PID);
>
> in_length = IVAL(inbody, 0x04);
>--
>1.7.3.1
>
>
>From f1a27ab30771afd6535da984f1b31bb8aa2918bd Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Tue, 6 Sep 2011 14:01:43 +0200
>Subject: [PATCH 16/23] s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_setinfo.c
>
>metze
>(cherry picked from commit 3643a05ba63ac5d8466dc8391b5d05efeedb5ac4)
>---
> source3/smbd/smb2_setinfo.c | 18 +++++-------------
> 1 files changed, 5 insertions(+), 13 deletions(-)
>
>diff --git a/source3/smbd/smb2_setinfo.c b/source3/smbd/smb2_setinfo.c
>index 96b44aa..2d39f11 100644
>--- a/source3/smbd/smb2_setinfo.c
>+++ b/source3/smbd/smb2_setinfo.c
>@@ -39,11 +39,9 @@ static NTSTATUS smbd_smb2_setinfo_recv(struct tevent_req *req);
> static void smbd_smb2_request_setinfo_done(struct tevent_req *subreq);
> NTSTATUS smbd_smb2_request_process_setinfo(struct smbd_smb2_request *req)
> {
>- const uint8_t *inhdr;
>+ NTSTATUS status;
> const uint8_t *inbody;
> int i = req->current_idx;
>- size_t expected_body_size = 0x21;
>- size_t body_size;
> uint8_t in_info_type;
> uint8_t in_file_info_class;
> uint16_t in_input_buffer_offset;
>@@ -54,18 +52,12 @@ NTSTATUS smbd_smb2_request_process_setinfo(struct smbd_smb2_request *req)
> uint64_t in_file_id_volatile;
> struct tevent_req *subreq;
>
>- inhdr = (const uint8_t *)req->in.vector[i+0].iov_base;
>- if (req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) {
>- return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
>+ status = smbd_smb2_request_verify_sizes(req, 0x21);
>+ if (!NT_STATUS_IS_OK(status)) {
>+ return smbd_smb2_request_error(req, status);
> }
>-
> inbody = (const uint8_t *)req->in.vector[i+1].iov_base;
>
>- body_size = SVAL(inbody, 0x00);
>- if (body_size != expected_body_size) {
>- return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
>- }
>-
> in_info_type = CVAL(inbody, 0x02);
> in_file_info_class = CVAL(inbody, 0x03);
> in_input_buffer_length = IVAL(inbody, 0x04);
>@@ -78,7 +70,7 @@ NTSTATUS smbd_smb2_request_process_setinfo(struct smbd_smb2_request *req)
> if (in_input_buffer_offset == 0 && in_input_buffer_length == 0) {
> /* This is ok */
> } else if (in_input_buffer_offset !=
>- (SMB2_HDR_BODY + (body_size & 0xFFFFFFFE))) {
>+ (SMB2_HDR_BODY + req->in.vector[i+1].iov_len)) {
> return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
> }
>
>--
>1.7.3.1
>
>
>From 3a67bac8986f3bf1fc0b3e444d26253fdc7c17d9 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Tue, 6 Sep 2011 14:01:43 +0200
>Subject: [PATCH 17/23] s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_write.c
>
>metze
>(cherry picked from commit 1a726b88ec74962d0317740bbdf576ddcffb52bc)
>---
> source3/smbd/smb2_write.c | 18 ++++++------------
> 1 files changed, 6 insertions(+), 12 deletions(-)
>
>diff --git a/source3/smbd/smb2_write.c b/source3/smbd/smb2_write.c
>index c0cba804..0202098 100644
>--- a/source3/smbd/smb2_write.c
>+++ b/source3/smbd/smb2_write.c
>@@ -39,11 +39,10 @@ static NTSTATUS smbd_smb2_write_recv(struct tevent_req *req,
> static void smbd_smb2_request_write_done(struct tevent_req *subreq);
> NTSTATUS smbd_smb2_request_process_write(struct smbd_smb2_request *req)
> {
>+ NTSTATUS status;
> const uint8_t *inhdr;
> const uint8_t *inbody;
> int i = req->current_idx;
>- size_t expected_body_size = 0x31;
>- size_t body_size;
> uint32_t in_smbpid;
> uint16_t in_data_offset;
> uint32_t in_data_length;
>@@ -54,18 +53,13 @@ NTSTATUS smbd_smb2_request_process_write(struct smbd_smb2_request *req)
> uint32_t in_flags;
> struct tevent_req *subreq;
>
>- inhdr = (const uint8_t *)req->in.vector[i+0].iov_base;
>- if (req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) {
>- return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
>+ status = smbd_smb2_request_verify_sizes(req, 0x31);
>+ if (!NT_STATUS_IS_OK(status)) {
>+ return smbd_smb2_request_error(req, status);
> }
>-
>+ inhdr = (const uint8_t *)req->in.vector[i+0].iov_base;
> inbody = (const uint8_t *)req->in.vector[i+1].iov_base;
>
>- body_size = SVAL(inbody, 0x00);
>- if (body_size != expected_body_size) {
>- return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
>- }
>-
> in_smbpid = IVAL(inhdr, SMB2_HDR_PID);
>
> in_data_offset = SVAL(inbody, 0x02);
>@@ -75,7 +69,7 @@ NTSTATUS smbd_smb2_request_process_write(struct smbd_smb2_request *req)
> in_file_id_volatile = BVAL(inbody, 0x18);
> in_flags = IVAL(inbody, 0x2C);
>
>- if (in_data_offset != (SMB2_HDR_BODY + (body_size & 0xFFFFFFFE))) {
>+ if (in_data_offset != (SMB2_HDR_BODY + req->in.vector[i+1].iov_len)) {
> return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
> }
>
>--
>1.7.3.1
>
>
>From d29ac516b65c5fa08adfb603b9426806244d178e Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Tue, 6 Sep 2011 14:14:52 +0200
>Subject: [PATCH 18/23] s3:smb2_server: return BAD_NETWORK_NAME if the path is terminated in SMB2_TCON
>
>metze
>(cherry picked from commit 68b33aa61ac393c2737969f8449adce3e3096d73)
>---
> source3/smbd/smb2_tcon.c | 8 ++++++++
> 1 files changed, 8 insertions(+), 0 deletions(-)
>
>diff --git a/source3/smbd/smb2_tcon.c b/source3/smbd/smb2_tcon.c
>index 08b5b1e..8644e56 100644
>--- a/source3/smbd/smb2_tcon.c
>+++ b/source3/smbd/smb2_tcon.c
>@@ -81,6 +81,14 @@ NTSTATUS smbd_smb2_request_process_tcon(struct smbd_smb2_request *req)
> return smbd_smb2_request_error(req, NT_STATUS_ILLEGAL_CHARACTER);
> }
>
>+ if (in_path_buffer.length == 0) {
>+ in_path_string_size = 0;
>+ }
>+
>+ if (strlen(in_path_string) != in_path_string_size) {
>+ return smbd_smb2_request_error(req, NT_STATUS_BAD_NETWORK_NAME);
>+ }
>+
> status = smbd_smb2_tree_connect(req, in_path_string,
> &out_share_type,
> &out_share_flags,
>--
>1.7.3.1
>
>
>From 94f754c9d2cb5459c4bd55165713f98f6fde5fec Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Tue, 6 Sep 2011 14:14:52 +0200
>Subject: [PATCH 19/23] s3:smb2_server: return OBJECT_NAME_INVALID if the path is terminated in SMB2_CREATE
>
>metze
>(cherry picked from commit 1bc93c2605e14104237bb100db1d8acb1e7fe389)
>---
> source3/smbd/smb2_create.c | 8 ++++++++
> 1 files changed, 8 insertions(+), 0 deletions(-)
>
>diff --git a/source3/smbd/smb2_create.c b/source3/smbd/smb2_create.c
>index 4b19e0c..fb698f0 100644
>--- a/source3/smbd/smb2_create.c
>+++ b/source3/smbd/smb2_create.c
>@@ -212,6 +212,14 @@ NTSTATUS smbd_smb2_request_process_create(struct smbd_smb2_request *smb2req)
> return smbd_smb2_request_error(smb2req, NT_STATUS_ILLEGAL_CHARACTER);
> }
>
>+ if (in_name_buffer.length == 0) {
>+ in_name_string_size = 0;
>+ }
>+
>+ if (strlen(in_name_string) != in_name_string_size) {
>+ return smbd_smb2_request_error(smb2req, NT_STATUS_OBJECT_NAME_INVALID);
>+ }
>+
> ZERO_STRUCT(in_context_blobs);
> status = smb2_create_blob_parse(smb2req, in_context_buffer, &in_context_blobs);
> if (!NT_STATUS_IS_OK(status)) {
>--
>1.7.3.1
>
>
>From 5022c9f69b618cf5804634cfc0d676223fcae69d Mon Sep 17 00:00:00 2001
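Review bot: The added `strlen(in_path_string) != in_path_string_size` test in the smb2_tcon.c hunk carries no comment saying what it guards against. Judging by the commit subject, it rejects a path whose converted form contains an embedded terminator, so that smbd_smb2_tree_connect() never acts on a silently shortened name; a comment such as `/* reject names with an embedded NUL: C-string code would see only the prefix */` would record that. The reset of `in_path_string_size` to 0 for an empty buffer also needs a line on what the conversion, which lies outside the hunk, returns in that case. The same pair of checks is repeated in the smb2_create.c and smb2_find.c hunks, which suggests one small shared helper instead of three copies.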
>From: Stefan Metzmacher <metze@samba.org>
>Date: Tue, 6 Sep 2011 14:14:52 +0200
>Subject: [PATCH 20/23] s3:smb2_server: return OBJECT_NAME_INVALID if the path is terminated in SMB2_FIND/QUERY_DIRECTORY
>
>metze
>
>Autobuild-User: Stefan Metzmacher <metze@samba.org>
>Autobuild-Date: Wed Sep 7 12:15:51 CEST 2011 on sn-devel-104
>(cherry picked from commit 9bc4decc1cba701926fc8081c3903aac754a6f51)
>---
> source3/smbd/smb2_find.c | 8 ++++++++
> 1 files changed, 8 insertions(+), 0 deletions(-)
>
>diff --git a/source3/smbd/smb2_find.c b/source3/smbd/smb2_find.c
>index 85e0126..4a49f2a 100644
>--- a/source3/smbd/smb2_find.c
>+++ b/source3/smbd/smb2_find.c
>@@ -107,6 +107,14 @@ NTSTATUS smbd_smb2_request_process_find(struct smbd_smb2_request *req)
> return smbd_smb2_request_error(req, NT_STATUS_ILLEGAL_CHARACTER);
> }
>
>+ if (in_file_name_buffer.length == 0) {
>+ in_file_name_string_size = 0;
>+ }
>+
>+ if (strlen(in_file_name_string) != in_file_name_string_size) {
>+ return smbd_smb2_request_error(req, NT_STATUS_OBJECT_NAME_INVALID);
>+ }
>+
> if (req->compat_chain_fsp) {
> /* skip check */
> } else if (in_file_id_persistent != in_file_id_volatile) {
>--
>1.7.3.1
>
>
>From 80e2a33b56db29e2e984f7f0f372cecd4ca00daa Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Wed, 14 Sep 2011 13:04:28 +0200
>Subject: [PATCH 21/23] s3:smb2_server: SMB2_OP_GETINFO doesn't require at least 1 dyn byte
>
>metze
>(cherry picked from commit 563fa741f6a34a1300c81a8474ca87346a9f5cca)
>---
> source3/smbd/smb2_server.c | 14 +++++++++++++-
> 1 files changed, 13 insertions(+), 1 deletions(-)
>
>diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c
>index 811e6d3..fbfe3e7 100644
>--- a/source3/smbd/smb2_server.c
>+++ b/source3/smbd/smb2_server.c
>@@ -1128,9 +1128,12 @@ static NTSTATUS smbd_smb2_request_process_cancel(struct smbd_smb2_request *req)
> NTSTATUS smbd_smb2_request_verify_sizes(struct smbd_smb2_request *req,
> size_t expected_body_size)
> {
>+ const uint8_t *inhdr;
>+ uint16_t opcode;
> const uint8_t *inbody;
> int i = req->current_idx;
> size_t body_size;
>+ size_t min_dyn_size = expected_body_size & 0x00000001;
>
> /*
> * The following should be checked already.
>@@ -1145,6 +1148,15 @@ NTSTATUS smbd_smb2_request_verify_sizes(struct smbd_smb2_request *req,
> return NT_STATUS_INTERNAL_ERROR;
> }
>
>+ inhdr = (const uint8_t *)req->in.vector[i+0].iov_base;
>+ opcode = SVAL(inhdr, SMB2_HDR_OPCODE);
>+
>+ switch (opcode) {
>+ case SMB2_OP_GETINFO:
>+ min_dyn_size = 0;
>+ break;
>+ }
>+
> /*
> * Now check the expected body size,
> * where the last byte might be in the
>@@ -1153,7 +1165,7 @@ NTSTATUS smbd_smb2_request_verify_sizes(struct smbd_smb2_request *req,
> if (req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) {
> return NT_STATUS_INVALID_PARAMETER;
> }
>- if (req->in.vector[i+2].iov_len < (expected_body_size & 0x00000001)) {
>+ if (req->in.vector[i+2].iov_len < min_dyn_size) {
> return NT_STATUS_INVALID_PARAMETER;
> }
>
>--
>1.7.3.1
>
>
>From 89ecae2e0507572f194f7a3d62c29d7f531db91d Mon Sep 17 00:00:00 2001
>From: David Disseldorp <ddiss@suse.de>
>Date: Sun, 25 Sep 2011 23:39:07 +0200
>Subject: [PATCH 22/23] s3-smb2_server: SMB2_OP_IOCTL doesn't require at least 1 dyn byte
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>(cherry picked from commit 18482957daa2e2122ef39426a8fff167df3c9377)
>---
> source3/smbd/smb2_server.c | 1 +
> 1 files changed, 1 insertions(+), 0 deletions(-)
>
>diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c
>index fbfe3e7..0d22d84 100644
>--- a/source3/smbd/smb2_server.c
>+++ b/source3/smbd/smb2_server.c
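Review bot: The `switch (opcode)` added in the second smb2_server.c hunk has no `default` label and no comment explaining why SMB2_OP_GETINFO is exempt from the one-byte dynamic minimum. Adding `default: break;` and a comment such as `/* GETINFO may carry no input buffer, so an odd body size does not imply a dynamic byte */` makes the exemption deliberate and easier to extend. With `min_dyn_size = 0` the GETINFO handler can now be handed an empty dynamic vector, so it has to check the length before reading through `req->in.vector[i+2].iov_base`; that handler is not visible here.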
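Review bot: The comparison `req->in.vector[i+2].iov_len < min_dyn_size` in the third smb2_server.c hunk reads the third vector of the request, and the `req->in.vector_count` guard at the top of the function lies outside these hunks. Confirm that it establishes `i + 2 < req->in.vector_count`; a guard that only proves entry i+1 exists would leave this read one element past the array for a short vector list. If it does not, tighten it to `if ((i+3) > req->in.vector_count) {` so the function stands on its own checks.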
>@@ -1152,6 +1152,7 @@ NTSTATUS smbd_smb2_request_verify_sizes(struct smbd_smb2_request *req,
> opcode = SVAL(inhdr, SMB2_HDR_OPCODE);
>
> switch (opcode) {
>+ case SMB2_OP_IOCTL:
> case SMB2_OP_GETINFO:
> min_dyn_size = 0;
> break;
>--
>1.7.3.1
>
>
>From a9dae1554159ad68baedc8fb83f005c34fd9e912 Mon Sep 17 00:00:00 2001
>From: David Disseldorp <ddiss@suse.de>
>Date: Wed, 28 Sep 2011 14:45:42 +0200
>Subject: [PATCH 23/23] s3-smb2_server: fix ioctl InputOffset checking
>
>Currently the InputOffset is always check to point to the input data
>buffer, regardless of whether input data is present.
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>(cherry picked from commit dbcd59f46b0d2125dfb6eb82b3d92be228c6ae4b)
>---
> source3/smbd/smb2_ioctl.c | 11 ++++++++++-
> 1 files changed, 10 insertions(+), 1 deletions(-)
>
>diff --git a/source3/smbd/smb2_ioctl.c b/source3/smbd/smb2_ioctl.c
>index 8f2a471..17b9154 100644
>--- a/source3/smbd/smb2_ioctl.c
>+++ b/source3/smbd/smb2_ioctl.c
>@@ -68,7 +68,16 @@ NTSTATUS smbd_smb2_request_process_ioctl(struct smbd_smb2_request *req)
> in_max_output_length = IVAL(inbody, 0x2C);
> in_flags = IVAL(inbody, 0x30);
>
>- if (in_input_offset != (SMB2_HDR_BODY + req->in.vector[i+1].iov_len)) {
>+ /*
>+ * InputOffset (4 bytes): The offset, in bytes, from the beginning of
>+ * the SMB2 header to the input data buffer. If no input data is
>+ * required for the FSCTL/IOCTL command being issued, the client SHOULD
>+ * set this value to 0.<49>
>+ * <49> If no input data is required for the FSCTL/IOCTL command being
>+ * issued, Windows-based clients set this field to any value.
>+ */
>+ if ((in_input_length > 0)
>+ && (in_input_offset != (SMB2_HDR_BODY + req->in.vector[i+1].iov_len))) {
> return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
> }
>
>--
>1.7.3.1
>
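Review bot: With the added `in_input_length > 0` condition in the smb2_ioctl.c hunk, a request with a zero input length is accepted with any `in_input_offset`, so nothing after this check may derive a pointer or a length from that field. The construction of the input buffer lies outside the hunk; confirm that it takes its data only from `req->in.vector[i+2]` and that `in_input_length` is compared against `req->in.vector[i+2].iov_len` before the buffer is used. The quoted protocol text also names no source, and a footnote number like `<49>` changes between document revisions, so the comment should name the specification and section it quotes.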
Flags:
metze
:
review+
ddiss
:
review+