The Samba-Bugzilla – Attachment 6992 Details for
Bug 8473
smb2_find uses a hard coded max reply size of 0x10000 instead of smb2_max_trans
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
Patch for v3-6-test
tmp36.diff (text/plain), 13.26 KB, created by
Stefan Metzmacher
on 2011-10-12 19:53:48 UTC
(
hide
)
Description:
Patch for v3-6-test
Filename:
MIME Type:
Creator:
Stefan Metzmacher
Created:
2011-10-12 19:53:48 UTC
Size:
13.26 KB
patch
obsolete
>From fdcda5f18e3bcc920ac37384a378c60c005e39a3 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Mon, 5 Sep 2011 12:14:06 +0200 >Subject: [PATCH 1/6] s3:smb2_server: max_trans, max_read and max_write are limited to 64 kilobytes > >Only if SMB2_CAP_LARGE_MTU is supported we should announce larger limits. > >metze >(cherry picked from commit e603929b9801ad6cc47dead19d27b42fe46489c7) >--- > source3/smbd/smb2_negprot.c | 20 +++++++++++++++++--- > 1 files changed, 17 insertions(+), 3 deletions(-) > >diff --git a/source3/smbd/smb2_negprot.c b/source3/smbd/smb2_negprot.c >index 9245d6d..414f590 100644 >--- a/source3/smbd/smb2_negprot.c >+++ b/source3/smbd/smb2_negprot.c >@@ -76,6 +76,10 @@ NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req) > uint16_t dialect_count; > uint16_t dialect = 0; > uint32_t capabilities; >+ uint32_t max_limit; >+ uint32_t max_trans = lp_smb2_max_trans(); >+ uint32_t max_read = lp_smb2_max_read(); >+ uint32_t max_write = lp_smb2_max_write(); > > /* TODO: drop the connection with INVALID_PARAMETER */ > >@@ -133,6 +137,16 @@ NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req) > capabilities |= SMB2_CAP_DFS; > } > >+ /* >+ * Unless we implement SMB2_CAP_LARGE_MTU, >+ * 0x10000 (65536) is the maximum allowed message size >+ */ >+ max_limit = 0x10000; >+ >+ max_trans = MIN(max_limit, max_trans); >+ max_read = MIN(max_limit, max_read); >+ max_write = MIN(max_limit, max_write); >+ > security_offset = SMB2_HDR_BODY + 0x40; > > #if 1 >@@ -158,9 +172,9 @@ NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req) > negprot_spnego_blob.data, 16); /* server guid */ > SIVAL(outbody.data, 0x18, > capabilities); /* capabilities */ >- SIVAL(outbody.data, 0x1C, lp_smb2_max_trans()); /* max transact size */ >- SIVAL(outbody.data, 0x20, lp_smb2_max_read()); /* max read size */ >- SIVAL(outbody.data, 0x24, lp_smb2_max_write()); /* max write size */ >+ SIVAL(outbody.data, 0x1C, max_trans); /* max transact size */ >+ SIVAL(outbody.data, 0x20, max_trans); /* max read size */ >+ SIVAL(outbody.data, 0x24, max_trans); /* max write size */ > SBVAL(outbody.data, 0x28, 0); /* system time */ > SBVAL(outbody.data, 0x30, 0); /* server start time */ > SSVAL(outbody.data, 0x38, >-- >1.7.4.1 > > >From 2eeb1dda480811c23f407140f19a3c2c5fe0705c Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Fri, 23 Sep 2011 06:37:35 +0200 >Subject: [PATCH 2/6] s3:smbd: disconnect the socket if we got an unexpected request > >If we got a SMB2_OP_NEGPROT after the protocol is already negotiated >or if we got a non SMB2_OP_NEGPROT before the protocol was negotiated >we should close the connection (as windows does). > >metze > >Autobuild-User: Stefan Metzmacher <metze@samba.org> >Autobuild-Date: Fri Sep 23 12:30:50 CEST 2011 on sn-devel-104 >(cherry picked from commit 5494856294384df4360d85e68abc03c43dc16e06) >--- > source3/smbd/smb2_negprot.c | 1 - > source3/smbd/smb2_server.c | 20 ++++++++++++++++++++ > 2 files changed, 20 insertions(+), 1 deletions(-) > >diff --git a/source3/smbd/smb2_negprot.c b/source3/smbd/smb2_negprot.c >index 414f590..a9d432a 100644 >--- a/source3/smbd/smb2_negprot.c >+++ b/source3/smbd/smb2_negprot.c >@@ -81,7 +81,6 @@ NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req) > uint32_t max_read = lp_smb2_max_read(); > uint32_t max_write = lp_smb2_max_write(); > >-/* TODO: drop the connection with INVALID_PARAMETER */ > > status = smbd_smb2_request_verify_sizes(req, 0x24); > if (!NT_STATUS_IS_OK(status)) { >diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c >index 0d22d84..84390c8 100644 >--- a/source3/smbd/smb2_server.c >+++ b/source3/smbd/smb2_server.c >@@ -1203,6 +1203,26 @@ NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req) > smb2_opcode_name(opcode), > (unsigned long long)mid)); > >+ if (get_Protocol() >= PROTOCOL_SMB2_02) { >+ /* >+ * once the protocol is negotiated >+ * SMB2_OP_NEGPROT is not allowed anymore >+ */ >+ if (opcode == SMB2_OP_NEGPROT) { >+ /* drop the connection */ >+ return NT_STATUS_INVALID_PARAMETER; >+ } >+ } else { >+ /* >+ * if the protocol is not negotiated yet >+ * only SMB2_OP_NEGPROT is allowed. >+ */ >+ if (opcode != SMB2_OP_NEGPROT) { >+ /* drop the connection */ >+ return NT_STATUS_INVALID_PARAMETER; >+ } >+ } >+ > allowed_flags = SMB2_HDR_FLAG_CHAINED | > SMB2_HDR_FLAG_SIGNED | > SMB2_HDR_FLAG_DFS; >-- >1.7.4.1 > > >From ab0e9bd8f6b0fbfca3478272b71f8b53d3f0ef28 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 12 Oct 2011 18:34:26 +0200 >Subject: [PATCH 3/6] s4:torture/smb2: we only support 64KB reads/writes for now > >We don't have multi-credit support yet. > >metze >--- > source4/torture/smb2/connect.c | 12 ++++++------ > source4/torture/smb2/read.c | 4 ++-- > 2 files changed, 8 insertions(+), 8 deletions(-) > >diff --git a/source4/torture/smb2/connect.c b/source4/torture/smb2/connect.c >index 1b69c18..b383a67 100644 >--- a/source4/torture/smb2/connect.c >+++ b/source4/torture/smb2/connect.c >@@ -71,14 +71,14 @@ static NTSTATUS torture_smb2_write(struct torture_context *tctx, struct smb2_tre > NTSTATUS status; > DATA_BLOB data; > int i; >+ uint32_t size = torture_setting_int(tctx, "smb2maxwrite", 64*1024); > >- if (torture_setting_bool(tctx, "dangerous", false)) { >- data = data_blob_talloc(tree, NULL, 160000); >- } else if (torture_setting_bool(tctx, "samba4", false)) { >- data = data_blob_talloc(tree, NULL, UINT16_MAX); >- } else { >- data = data_blob_talloc(tree, NULL, torture_setting_int(tctx, "smb2maxwrite", 120000)); >+ data = data_blob_talloc(tree, NULL, size); >+ if (size != data.length) { >+ printf("data_blob_talloc(%s) failed\n", size); >+ return NT_STATUS_NO_MEMORY; > } >+ > for (i=0;i<data.length;i++) { > data.data[i] = i; > } >diff --git a/source4/torture/smb2/read.c b/source4/torture/smb2/read.c >index f27ce24..076ae9c 100644 >--- a/source4/torture/smb2/read.c >+++ b/source4/torture/smb2/read.c >@@ -51,7 +51,7 @@ static bool test_read_eof(struct torture_context *torture, struct smb2_tree *tre > bool ret = true; > NTSTATUS status; > struct smb2_handle h; >- uint8_t buf[70000]; >+ uint8_t buf[64*1024]; > struct smb2_read rd; > TALLOC_CTX *tmp_ctx = talloc_new(tree); > >@@ -134,7 +134,7 @@ static bool test_read_position(struct torture_context *torture, struct smb2_tree > bool ret = true; > NTSTATUS status; > struct smb2_handle h; >- uint8_t buf[70000]; >+ uint8_t buf[64*1024]; > struct smb2_read rd; > TALLOC_CTX *tmp_ctx = talloc_new(tree); > union smb_fileinfo info; >-- >1.7.4.1 > > >From 2d15e4e36022df89750e7466eaf03790ccdd8999 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Fri, 23 Sep 2011 17:18:14 +0200 >Subject: [PATCH 4/6] s3:smb2_server: remember the max_{trans,read,write} sizes we negotiated > >We should enforce the negotiated max sizes instead of the >lp_smb2_max_*() sizes. > >metze >--- > source3/smbd/globals.h | 3 +++ > source3/smbd/smb2_find.c | 2 +- > source3/smbd/smb2_negprot.c | 4 +++- > source3/smbd/smb2_notify.c | 2 +- > source3/smbd/smb2_read.c | 4 ++-- > source3/smbd/smb2_write.c | 5 ++--- > 6 files changed, 12 insertions(+), 8 deletions(-) > >diff --git a/source3/smbd/globals.h b/source3/smbd/globals.h >index 7033848..9304a43 100644 >--- a/source3/smbd/globals.h >+++ b/source3/smbd/globals.h >@@ -604,6 +604,9 @@ struct smbd_server_connection { > uint64_t seqnum_low; > uint32_t credits_granted; > uint32_t max_credits; >+ uint32_t max_trans; >+ uint32_t max_read; >+ uint32_t max_write; > struct bitmap *credits_bitmap; > bool compound_related_in_progress; > } smb2; >diff --git a/source3/smbd/smb2_find.c b/source3/smbd/smb2_find.c >index 4a49f2a..3dcc768 100644 >--- a/source3/smbd/smb2_find.c >+++ b/source3/smbd/smb2_find.c >@@ -281,7 +281,7 @@ static struct tevent_req *smbd_smb2_find_send(TALLOC_CTX *mem_ctx, > return tevent_req_post(req, ev); > } > >- if (in_output_buffer_length > lp_smb2_max_trans()) { >+ if (in_output_buffer_length > smb2req->sconn->smb2.max_trans) { > tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER); > return tevent_req_post(req, ev); > } >diff --git a/source3/smbd/smb2_negprot.c b/source3/smbd/smb2_negprot.c >index a9d432a..2f45b8c 100644 >--- a/source3/smbd/smb2_negprot.c >+++ b/source3/smbd/smb2_negprot.c >@@ -81,7 +81,6 @@ NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req) > uint32_t max_read = lp_smb2_max_read(); > uint32_t max_write = lp_smb2_max_write(); > >- > status = smbd_smb2_request_verify_sizes(req, 0x24); > if (!NT_STATUS_IS_OK(status)) { > return smbd_smb2_request_error(req, status); >@@ -185,6 +184,9 @@ NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req) > outdyn = security_buffer; > > req->sconn->using_smb2 = true; >+ req->sconn->smb2.max_trans = max_trans; >+ req->sconn->smb2.max_read = max_read; >+ req->sconn->smb2.max_write = max_write; > > return smbd_smb2_request_done(req, outbody, &outdyn); > } >diff --git a/source3/smbd/smb2_notify.c b/source3/smbd/smb2_notify.c >index a8b1eb4..49c6a54 100644 >--- a/source3/smbd/smb2_notify.c >+++ b/source3/smbd/smb2_notify.c >@@ -73,7 +73,7 @@ NTSTATUS smbd_smb2_request_process_notify(struct smbd_smb2_request *req) > * 0x00010000 is what Windows 7 uses, > * Windows 2008 uses 0x00080000 > */ >- if (in_output_buffer_length > lp_smb2_max_trans()) { >+ if (in_output_buffer_length > req->sconn->smb2.max_trans) { > return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER); > } > >diff --git a/source3/smbd/smb2_read.c b/source3/smbd/smb2_read.c >index 89fc420..21082e6 100644 >--- a/source3/smbd/smb2_read.c >+++ b/source3/smbd/smb2_read.c >@@ -74,9 +74,9 @@ NTSTATUS smbd_smb2_request_process_read(struct smbd_smb2_request *req) > in_remaining_bytes = IVAL(inbody, 0x28); > > /* check the max read size */ >- if (in_length > lp_smb2_max_read()) { >+ if (in_length > req->sconn->smb2.max_read) { > DEBUG(0,("here:%s: 0x%08X: 0x%08X\n", >- __location__, in_length, lp_smb2_max_read())); >+ __location__, in_length, req->sconn->smb2.max_read)); > return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER); > } > >diff --git a/source3/smbd/smb2_write.c b/source3/smbd/smb2_write.c >index 0202098..3a6ea9b 100644 >--- a/source3/smbd/smb2_write.c >+++ b/source3/smbd/smb2_write.c >@@ -78,11 +78,10 @@ NTSTATUS smbd_smb2_request_process_write(struct smbd_smb2_request *req) > } > > /* check the max write size */ >- if (in_data_length > lp_smb2_max_write()) { >- /* This is a warning. */ >+ if (in_data_length > req->sconn->smb2.max_write) { > DEBUG(2,("smbd_smb2_request_process_write : " > "client ignored max write :%s: 0x%08X: 0x%08X\n", >- __location__, in_data_length, lp_smb2_max_write())); >+ __location__, in_data_length, req->sconn->smb2.max_write)); > #if 0 > return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER); > #endif >-- >1.7.4.1 > > >From 6c07cd7e55681dfeff77f1e45152c86483848d43 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 12 Oct 2011 16:58:46 +0200 >Subject: [PATCH 5/6] s3:smb2_server: reject writes larger then the negotiated max_write size > >metze >--- > source3/smbd/smb2_write.c | 2 -- > 1 files changed, 0 insertions(+), 2 deletions(-) > >diff --git a/source3/smbd/smb2_write.c b/source3/smbd/smb2_write.c >index 3a6ea9b..b2360ca 100644 >--- a/source3/smbd/smb2_write.c >+++ b/source3/smbd/smb2_write.c >@@ -82,9 +82,7 @@ NTSTATUS smbd_smb2_request_process_write(struct smbd_smb2_request *req) > DEBUG(2,("smbd_smb2_request_process_write : " > "client ignored max write :%s: 0x%08X: 0x%08X\n", > __location__, in_data_length, req->sconn->smb2.max_write)); >-#if 0 > return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER); >-#endif > } > > in_data_buffer.data = (uint8_t *)req->in.vector[i+2].iov_base; >-- >1.7.4.1 > > >From 41ede61628cada2e41bc25dcb68414acde44f08d Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 12 Oct 2011 17:46:50 +0200 >Subject: [PATCH 6/6] s3:smb2_server: get/set info are limited by max_trans size > >metze >--- > source3/smbd/smb2_getinfo.c | 7 +++++++ > source3/smbd/smb2_setinfo.c | 4 ++++ > 2 files changed, 11 insertions(+), 0 deletions(-) > >diff --git a/source3/smbd/smb2_getinfo.c b/source3/smbd/smb2_getinfo.c >index 61e0cfa..c5d2d62 100644 >--- a/source3/smbd/smb2_getinfo.c >+++ b/source3/smbd/smb2_getinfo.c >@@ -90,6 +90,13 @@ NTSTATUS smbd_smb2_request_process_getinfo(struct smbd_smb2_request *req) > in_input_buffer.data = (uint8_t *)req->in.vector[i+2].iov_base; > in_input_buffer.length = in_input_buffer_length; > >+ if (in_input_buffer.length > req->sconn->smb2.max_trans) { >+ return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER); >+ } >+ if (in_output_buffer_length > req->sconn->smb2.max_trans) { >+ return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER); >+ } >+ > if (req->compat_chain_fsp) { > /* skip check */ > } else if (in_file_id_persistent != in_file_id_volatile) { >diff --git a/source3/smbd/smb2_setinfo.c b/source3/smbd/smb2_setinfo.c >index 2d39f11..751190a 100644 >--- a/source3/smbd/smb2_setinfo.c >+++ b/source3/smbd/smb2_setinfo.c >@@ -81,6 +81,10 @@ NTSTATUS smbd_smb2_request_process_setinfo(struct smbd_smb2_request *req) > in_input_buffer.data = (uint8_t *)req->in.vector[i+2].iov_base; > in_input_buffer.length = in_input_buffer_length; > >+ if (in_input_buffer.length > req->sconn->smb2.max_trans) { >+ return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER); >+ } >+ > if (req->compat_chain_fsp) { > /* skip check */ > } else if (in_file_id_persistent != in_file_id_volatile) { >-- >1.7.4.1 >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Flags:
jra
:
review+
Actions:
View
Attachments on
bug 8473
:
6926
|
6992
|
6993
|
6994
|
6995