From 71e8bf9f9f522c5f329c586b0303bfa1c5002a83 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl@samba.org>
Date: Thu, 23 Aug 2012 09:45:53 -0700
Subject: [PATCH 1/2] Backport FSCTL codes from master

---
 source3/include/ntioctl.h |   80 ++++++++++++++++++++++++++++++++++++--------
 1 files changed, 65 insertions(+), 15 deletions(-)

diff --git a/source3/include/ntioctl.h b/source3/include/ntioctl.h
index 18707c5..925a06f 100644
--- a/source3/include/ntioctl.h
+++ b/source3/include/ntioctl.h
@@ -31,34 +31,84 @@
 /* Some of the following such as the encryption/compression ones would be                */
 /* invoked from tools via a specialized hook into the VFS rather than via the            */
 /* standard vfs entry points */
-#define FSCTL_REQUEST_OPLOCK_LEVEL_1 0x00090000
-#define FSCTL_REQUEST_OPLOCK_LEVEL_2 0x00090004
-#define FSCTL_REQUEST_BATCH_OPLOCK   0x00090008
 #define FSCTL_LOCK_VOLUME            0x00090018
 #define FSCTL_UNLOCK_VOLUME          0x0009001C
 #define FSCTL_GET_COMPRESSION        0x0009003C
 #define FSCTL_SET_COMPRESSION        0x0009C040
-#define FSCTL_IS_VOLUME_DIRTY	     0x00090078
 #define FSCTL_REQUEST_FILTER_OPLOCK  0x0009008C
-#define FSCTL_FIND_FILES_BY_SID	     0x0009008F
-#define FSCTL_FILESYS_GET_STATISTICS 0x00090090
-#define FSCTL_SET_OBJECT_ID          0x00090098
-#define FSCTL_GET_OBJECT_ID          0x0009009C
-#define FSCTL_SET_REPARSE_POINT      0x000900A4
-#define FSCTL_GET_REPARSE_POINT      0x000900A8
-#define FSCTL_DELETE_REPARSE_POINT   0x000900AC
-#define FSCTL_CREATE_OR_GET_OBJECT_ID 0x000900C0
-#define FSCTL_SET_SPARSE             0x000900C4
 #define FSCTL_SET_ZERO_DATA          0x000900C8
 #define FSCTL_SET_ENCRYPTION         0x000900D7
 #define FSCTL_ENCRYPTION_FSCTL_IO    0x000900DB
 #define FSCTL_WRITE_RAW_ENCRYPTED    0x000900DF
 #define FSCTL_READ_RAW_ENCRYPTED     0x000900E3
 #define FSCTL_SIS_COPYFILE           0x00090100
-#define FSCTL_QUERY_ALLOCATED_RANGES 0x000940CF
 #define FSCTL_SIS_LINK_FILES         0x0009C104
 
-#define FSCTL_GET_SHADOW_COPY_DATA   0x00144064   /* KJC -- Shadow Copy information */
+/* filesystem control codes */
+#define FSCTL_METHOD_BUFFERED	0x00000000
+#define FSCTL_METHOD_IN_DIRECT	0x00000001
+#define FSCTL_METHOD_OUT_DIRECT	0x00000002
+#define FSCTL_METHOD_NEITHER	0x00000003
+
+#define FSCTL_ACCESS_ANY	0x00000000
+#define FSCTL_ACCESS_READ	0x00004000
+#define FSCTL_ACCESS_WRITE	0x00008000
+
+#define FSCTL_DFS			0x00060000
+#define FSCTL_DFS_GET_REFERRALS		(FSCTL_DFS | FSCTL_ACCESS_ANY | 0x0194 | FSCTL_METHOD_BUFFERED)
+#define FSCTL_DFS_GET_REFERRALS_EX	(FSCTL_DFS | FSCTL_ACCESS_ANY | 0x01B0 | FSCTL_METHOD_BUFFERED)
+
+#define FSCTL_FILESYSTEM		0x00090000
+#define FSCTL_REQUEST_OPLOCK_LEVEL_1    (FSCTL_FILESYSTEM | FSCTL_ACCESS_ANY | 0x0000 | FSCTL_METHOD_BUFFERED)
+#define FSCTL_REQUEST_OPLOCK_LEVEL_2    (FSCTL_FILESYSTEM | FSCTL_ACCESS_ANY | 0x0004 | FSCTL_METHOD_BUFFERED)
+#define FSCTL_REQUEST_BATCH_OPLOCK      (FSCTL_FILESYSTEM | FSCTL_ACCESS_ANY | 0x0008 | FSCTL_METHOD_BUFFERED)
+#define FSCTL_OPLOCK_BREAK_ACKNOWLEDGE  (FSCTL_FILESYSTEM | FSCTL_ACCESS_ANY | 0x000C | FSCTL_METHOD_BUFFERED)
+#define FSCTL_OPBATCH_ACK_CLOSE_PENDING (FSCTL_FILESYSTEM | FSCTL_ACCESS_ANY | 0x0010 | FSCTL_METHOD_BUFFERED)
+#define FSCTL_OPLOCK_BREAK_NOTIFY       (FSCTL_FILESYSTEM | FSCTL_ACCESS_ANY | 0x0014 | FSCTL_METHOD_BUFFERED)
+#define FSCTL_FILESYS_GET_STATISTICS	(FSCTL_FILESYSTEM | FSCTL_ACCESS_ANY | 0x0060 | FSCTL_METHOD_BUFFERED)
+#define FSCTL_GET_NTFS_VOLUME_DATA	(FSCTL_FILESYSTEM | FSCTL_ACCESS_ANY | 0x0064 | FSCTL_METHOD_BUFFERED)
+#define FSCTL_IS_VOLUME_DIRTY		(FSCTL_FILESYSTEM | FSCTL_ACCESS_ANY | 0x0078 | FSCTL_METHOD_BUFFERED)
+#define FSCTL_FIND_FILES_BY_SID		(FSCTL_FILESYSTEM | FSCTL_ACCESS_ANY | 0x008C | FSCTL_METHOD_NEITHER)
+#define FSCTL_SET_OBJECT_ID		(FSCTL_FILESYSTEM | FSCTL_ACCESS_ANY | 0x0098 | FSCTL_METHOD_BUFFERED)
+#define FSCTL_GET_OBJECT_ID		(FSCTL_FILESYSTEM | FSCTL_ACCESS_ANY | 0x009C | FSCTL_METHOD_BUFFERED)
+#define FSCTL_DELETE_OBJECT_ID		(FSCTL_FILESYSTEM | FSCTL_ACCESS_ANY | 0x00A0 | FSCTL_METHOD_BUFFERED)
+#define FSCTL_SET_REPARSE_POINT		(FSCTL_FILESYSTEM | FSCTL_ACCESS_ANY | 0x00A4 | FSCTL_METHOD_BUFFERED)
+#define FSCTL_GET_REPARSE_POINT		(FSCTL_FILESYSTEM | FSCTL_ACCESS_ANY | 0x00A8 | FSCTL_METHOD_BUFFERED)
+#define FSCTL_DELETE_REPARSE_POINT	(FSCTL_FILESYSTEM | FSCTL_ACCESS_ANY | 0x00AC | FSCTL_METHOD_BUFFERED)
+#define FSCTL_CREATE_OR_GET_OBJECT_ID	(FSCTL_FILESYSTEM | FSCTL_ACCESS_ANY | 0x00C0 | FSCTL_METHOD_BUFFERED)
+#define FSCTL_SET_SPARSE		(FSCTL_FILESYSTEM | FSCTL_ACCESS_ANY | 0x00C4 | FSCTL_METHOD_BUFFERED)
+#define FSCTL_QUERY_ALLOCATED_RANGES	(FSCTL_FILESYSTEM | FSCTL_ACCESS_READ | 0x00CC | FSCTL_METHOD_NEITHER)
+#define FSCTL_FILE_LEVEL_TRIM		(FSCTL_FILESYSTEM | FSCTL_ACCESS_WRITE | 0x0208 | FSCTL_METHOD_BUFFERED)
+#define FSCTL_OFFLOAD_READ		(FSCTL_FILESYSTEM | FSCTL_ACCESS_READ | 0x0264 | FSCTL_METHOD_BUFFERED)
+#define FSCTL_OFFLOAD_WRITE		(FSCTL_FILESYSTEM | FSCTL_ACCESS_WRITE | 0x0268 | FSCTL_METHOD_BUFFERED)
+
+#define FSCTL_NAMED_PIPE		0x00110000
+#define FSCTL_PIPE_PEEK			(FSCTL_NAMED_PIPE | FSCTL_ACCESS_READ | 0x000C | FSCTL_METHOD_BUFFERED)
+#define FSCTL_NAMED_PIPE_READ_WRITE	(FSCTL_NAMED_PIPE | FSCTL_ACCESS_READ \
+							  | FSCTL_ACCESS_WRITE | 0x0014 | FSCTL_METHOD_NEITHER)
+#define FSCTL_PIPE_TRANSCEIVE		FSCTL_NAMED_PIPE_READ_WRITE	/* SMB2 function name */
+#define FSCTL_PIPE_WAIT			(FSCTL_NAMED_PIPE | FSCTL_ACCESS_ANY | 0x0018 | FSCTL_METHOD_BUFFERED)
+
+#define FSCTL_NETWORK_FILESYSTEM	0x00140000
+#define FSCTL_GET_SHADOW_COPY_DATA	(FSCTL_NETWORK_FILESYSTEM | FSCTL_ACCESS_READ | 0x0064 | FSCTL_METHOD_BUFFERED)
+#define FSCTL_SRV_ENUM_SNAPS		FSCTL_GET_SHADOW_COPY_DATA	/* SMB2 function name */
+#define FSCTL_SRV_REQUEST_RESUME_KEY	(FSCTL_NETWORK_FILESYSTEM | FSCTL_ACCESS_ANY | 0x0078 | FSCTL_METHOD_BUFFERED)
+#define FSCTL_SRV_COPYCHUNK		(FSCTL_NETWORK_FILESYSTEM | FSCTL_ACCESS_READ | 0x00F0 | FSCTL_METHOD_OUT_DIRECT)
+#define FSCTL_SRV_COPYCHUNK_WRITE	(FSCTL_NETWORK_FILESYSTEM | FSCTL_ACCESS_WRITE | 0x00F0 | FSCTL_METHOD_OUT_DIRECT)
+#define FSCTL_SRV_READ_HASH		(FSCTL_NETWORK_FILESYSTEM | FSCTL_ACCESS_READ| 0x01B8 | FSCTL_METHOD_NEITHER)
+#define FSCTL_LMR_REQ_RESILIENCY	(FSCTL_NETWORK_FILESYSTEM | FSCTL_ACCESS_ANY | 0x01D4 | FSCTL_METHOD_BUFFERED)
+#define FSCTL_LMR_SET_LINK_TRACKING_INFORMATION \
+	(FSCTL_NETWORK_FILESYSTEM | FSCTL_ACCESS_ANY | 0x00EC | FSCTL_METHOD_BUFFERED)
+#define FSCTL_QUERY_NETWORK_INTERFACE_INFO \
+	(FSCTL_NETWORK_FILESYSTEM | FSCTL_ACCESS_ANY | 0x01FC | FSCTL_METHOD_BUFFERED)
+
+/*
+ * FSCTL_VALIDATE_NEGOTIATE_INFO_224 was used used in
+ * Windows 8 server beta with SMB 2.24
+ */
+#define FSCTL_VALIDATE_NEGOTIATE_INFO_224 \
+	(FSCTL_NETWORK_FILESYSTEM | FSCTL_ACCESS_ANY | 0x0200 | FSCTL_METHOD_BUFFERED)
+#define FSCTL_VALIDATE_NEGOTIATE_INFO	(FSCTL_NETWORK_FILESYSTEM | FSCTL_ACCESS_ANY | 0x0204 | FSCTL_METHOD_BUFFERED)
 
 #if 0
 #define FSCTL_SECURITY_ID_CHECK
-- 
1.7.7.3


From 75c0f2cb62ea2ad05f46557e207d2c9f54d0cea7 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 23 Aug 2012 09:46:27 -0700
Subject: [PATCH 2/2] s3:smb2_ioctl: add some more validation checks

Based on a patch from Christian Ambach <ambi@samba.org>.

metze
---
 source3/smbd/smb2_ioctl.c |   27 +++++++++++++++++++++++----
 1 files changed, 23 insertions(+), 4 deletions(-)

diff --git a/source3/smbd/smb2_ioctl.c b/source3/smbd/smb2_ioctl.c
index d545cd3..e869839 100644
--- a/source3/smbd/smb2_ioctl.c
+++ b/source3/smbd/smb2_ioctl.c
@@ -89,15 +89,34 @@ NTSTATUS smbd_smb2_request_process_ioctl(struct smbd_smb2_request *req)
 	in_input_buffer.data = (uint8_t *)req->in.vector[i+2].iov_base;
 	in_input_buffer.length = in_input_length;
 
-	if (in_file_id_persistent == UINT64_MAX &&
-		   in_file_id_volatile == UINT64_MAX) {
-		/* without a handle */
-	} else {
+	switch (in_ctl_code) {
+	case FSCTL_DFS_GET_REFERRALS:
+	case FSCTL_DFS_GET_REFERRALS_EX:
+	case FSCTL_PIPE_WAIT:
+	case FSCTL_VALIDATE_NEGOTIATE_INFO_224:
+	case FSCTL_VALIDATE_NEGOTIATE_INFO:
+	case FSCTL_QUERY_NETWORK_INTERFACE_INFO:
+		/*
+		 * Some SMB2 specific CtlCodes like FSCTL_DFS_GET_REFERRALS or
+		 * FSCTL_PIPE_WAIT does not take a file handle.
+		 *
+		 * If FileId in the SMB2 Header of the request is not
+		 * 0xFFFFFFFFFFFFFFFF, then the server MUST fail the request
+		 * with STATUS_INVALID_PARAMETER.
+		 */
+		if (in_file_id_persistent != UINT64_MAX ||
+		    in_file_id_volatile != UINT64_MAX) {
+			return smbd_smb2_request_error(req,
+				NT_STATUS_INVALID_PARAMETER);
+		}
+		break;
+	default:
 		in_fsp = file_fsp_smb2(req, in_file_id_persistent,
 					in_file_id_volatile);
 		if (in_fsp == NULL) {
 			return smbd_smb2_request_error(req, NT_STATUS_FILE_CLOSED);
 		}
+		break;
 	}
 
 	subreq = smbd_smb2_ioctl_send(req,
-- 
1.7.7.3