From 106f4ce6bdb515b6f10b49913dd490f8f9c0295a Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Tue, 26 Mar 2013 16:50:13 -0700
Subject: [PATCH 1/4] Modify fill_ea_chained_buffer() to be able to do size calculation only, no marshalling.
Signed-off-by: Jeremy Allison
---
 source3/smbd/trans2.c | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
index 7cbf5c5..78421c0 100644
--- a/source3/smbd/trans2.c
+++ b/source3/smbd/trans2.c
@@ -411,6 +411,7 @@ static NTSTATUS fill_ea_chained_buffer(TALLOC_CTX *mem_ctx,
 {
 uint8_t *p = (uint8_t *)pdata;
 uint8_t *last_start = NULL;
+ bool store_data = (pdata != NULL);
 *ret_data_size = 0;
@@ -423,7 +424,7 @@ static NTSTATUS fill_ea_chained_buffer(TALLOC_CTX *mem_ctx,
 fstring dos_ea_name;
 size_t this_size;
- if (last_start) {
+ if (last_start && store_data) {
 SIVAL(last_start, 0, PTR_DIFF(p, last_start));
 }
 last_start = p;
@@ -449,12 +450,14 @@ static NTSTATUS fill_ea_chained_buffer(TALLOC_CTX *mem_ctx,
 }
 /* We know we have room. */
- SIVAL(p, 0x00, 0); /* next offset */
- SCVAL(p, 0x04, ea_list->ea.flags);
- SCVAL(p, 0x05, dos_namelen);
- SSVAL(p, 0x06, ea_list->ea.value.length);
- fstrcpy((char *)(p+0x08), dos_ea_name);
- memcpy(p + 0x08 + dos_namelen + 1, ea_list->ea.value.data, ea_list->ea.value.length);
+ if (store_data) {
+ SIVAL(p, 0x00, 0); /* next offset */
+ SCVAL(p, 0x04, ea_list->ea.flags);
+ SCVAL(p, 0x05, dos_namelen);
+ SSVAL(p, 0x06, ea_list->ea.value.length);
+ fstrcpy((char *)(p+0x08), dos_ea_name);
+ memcpy(p + 0x08 + dos_namelen + 1, ea_list->ea.value.data, ea_list->ea.value.length);
+ }
 total_data_size -= this_size;
 p += this_size;
--
1.8.1.3
From e06fda1fbe452c275679bd109993f0c06e2d8674 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Tue, 26 Mar 2013 16:53:45 -0700
Subject: [PATCH 2/4] Change estimate_ea_size() to correctly estimate the EA size over SMB2.
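Review bot: With `pdata == NULL` the pointer `p` initialised in hunk 1 is a null pointer, and `p += this_size;` at the end of this hunk still advances it for every entry, so the size-only pass computes its result by pointer arithmetic on NULL — undefined behaviour in C even though it works on the platforms Samba runs on. `total_data_size -= this_size;` is likewise still executed when nothing is stored, which forces any caller of the size-only mode to invent a capacity for a pass that never writes; moving that line inside the new `if (store_data)` block keeps the accounting honest, and a plain `size_t` running total for the no-store case would remove the null arithmetic. The length check that precedes `/* We know we have room. */` and the final `*ret_data_size` assignment are outside this hunk and presumably also run unconditionally in size-only mode.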
Signed-off-by: Jeremy Allison
---
 source3/smbd/trans2.c | 27 ++++++++++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)
diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
index 78421c0..18ac8bb 100644
--- a/source3/smbd/trans2.c
+++ b/source3/smbd/trans2.c
@@ -471,13 +471,38 @@ static NTSTATUS fill_ea_chained_buffer(TALLOC_CTX *mem_ctx,
 static unsigned int estimate_ea_size(connection_struct *conn, files_struct *fsp, const char *fname)
 {
 size_t total_ea_len = 0;
+ struct ea_list *ea_list = NULL;
 TALLOC_CTX *mem_ctx = NULL;
 if (!lp_ea_support(SNUM(conn))) {
 return 0;
 }
 mem_ctx = talloc_tos();
- (void)get_ea_list_from_file(mem_ctx, conn, fsp, fname, &total_ea_len);
+ ea_list = get_ea_list_from_file(mem_ctx, conn, fsp, fname, &total_ea_len);
+ if (ea_list == NULL) {
+ return 0;
+ }
+ if(conn->sconn->using_smb2) {
+ NTSTATUS status;
+ unsigned int ret_data_size;
+ /*
+ * We're going to be using fill_ea_chained_buffer() to
+ * marshall EA's - this size is significantly larger
+ * than the SMB1 buffer. Re-calculate the size without
+ * marshalling.
+ */
+ status = fill_ea_chained_buffer(mem_ctx,
+ NULL,
+ 65535,
+ &ret_data_size,
+ conn,
+ ea_list);
+ if (!NT_STATUS_IS_OK(status)) {
+ ret_data_size = 0;
+ }
+ total_ea_len = ret_data_size;
+ }
+ return total_ea_len;
 }
--
1.8.1.3
From 63d8eed301f437df4fa222ae83ea2a1ca1a5fb51 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Tue, 26 Mar 2013 16:55:03 -0700
Subject: [PATCH 3/4] Fix bug #9130 - Certain xattrs cause Windows error 0x800700FF
Ensure we never return any zero-length EA's.
Signed-off-by: Jeremy Allison
---
 source3/smbd/trans2.c | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
index 18ac8bb..beb0687 100644
--- a/source3/smbd/trans2.c
+++ b/source3/smbd/trans2.c
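Review bot: The size-only call hands `fill_ea_chained_buffer()` a fixed `65535` as its capacity, so for a file whose chained EA encoding is larger the call fails and `total_ea_len` collapses to 0, and the SMB2 client is then told (via whatever callers report as the EA size) that the file has no EAs at all rather than given a size it can act on. At minimum the failure should be visible: `DEBUG(1, ("estimate_ea_size: fill_ea_chained_buffer failed: %s\n", nt_errstr(status)));` before `ret_data_size = 0;`, so that a silent size of 0 can be traced back to this branch. The cleaner fix is for the capacity check in fill_ea_chained_buffer to apply only when data is actually being stored, after which this pass can pass 0 and can no longer fail on length. Style nit: `if(conn->sconn->using_smb2)` is missing the space after `if` that the surrounding code uses.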
@@ -328,6 +328,15 @@ static struct ea_list *get_ea_list_from_file(TALLOC_CTX *mem_ctx, connection_str
 return NULL;
 }
+ if (listp->ea.value.length == 0) {
+ /*
+ * We can never return a zero length EA.
+ * Windows reports the EA's as corrupted.
+ */
+ TALLOC_FREE(listp);
+ continue;
+ }
+
 push_ascii_fstring(dos_ea_name, listp->ea.name);
 *pea_total_len +=
--
1.8.1.3
From 131d26037ff4881690f47a893491804632a7c8d3 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Tue, 26 Mar 2013 17:07:55 -0700
Subject: [PATCH 4/4] Ensure we don't return uninitialized memory in the pad bytes.
Signed-off-by: Jeremy Allison
---
 source3/smbd/trans2.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
index beb0687..893ff39 100644
--- a/source3/smbd/trans2.c
+++ b/source3/smbd/trans2.c
@@ -432,6 +432,7 @@ static NTSTATUS fill_ea_chained_buffer(TALLOC_CTX *mem_ctx,
 size_t dos_namelen;
 fstring dos_ea_name;
 size_t this_size;
+ size_t pad = 0;
 if (last_start && store_data) {
 SIVAL(last_start, 0, PTR_DIFF(p, last_start));
@@ -450,7 +451,7 @@ static NTSTATUS fill_ea_chained_buffer(TALLOC_CTX *mem_ctx,
 this_size = 0x08 + dos_namelen + 1 + ea_list->ea.value.length;
 if (ea_list->next) {
- size_t pad = 4 - (this_size % 4);
+ pad = 4 - (this_size % 4);
 this_size += pad;
 }
@@ -466,6 +467,11 @@ static NTSTATUS fill_ea_chained_buffer(TALLOC_CTX *mem_ctx,
 SSVAL(p, 0x06, ea_list->ea.value.length);
 fstrcpy((char *)(p+0x08), dos_ea_name);
 memcpy(p + 0x08 + dos_namelen + 1, ea_list->ea.value.data, ea_list->ea.value.length);
+ if (pad) {
+ memset(p + 0x08 + dos_namelen + 1 + ea_list->ea.value.length,
+ '\0',
+ pad);
+ }
 total_data_size -= this_size;
--
1.8.1.3
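Review bot: The zero-length entry is discarded without any trace, so an xattr that exists on the server simply never appears to the client and nothing in the logs says why; a `DEBUG(10, ("get_ea_list_from_file: skipping zero-length EA %s\n", listp->ea.name));` ahead of `TALLOC_FREE(listp);` would keep it diagnosable. The free-and-continue is only safe if `listp` has not yet been linked into the list being built, which the hunk implies but does not show — a line in the new comment such as `* listp is not yet on the list, so it can simply be freed.` would make that invariant explicit for whoever next reorders the loop. The enclosing loop starts and ends outside this hunk.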
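Review bot: `pad = 4 - (this_size % 4);` evaluates to 4 when `this_size` is already a multiple of 4, so every such entry that has a successor gets a whole extra dword of padding instead of none; `pad = (4 - (this_size % 4)) % 4;` yields the minimal 4-byte alignment. The expression is inherited from the removed line, but with `pad` now hoisted in hunk 1 and written out by the memset in the last hunk this is the natural place to correct it, and the size-only pass (hence the advertised EA size) over-counts by the same 4 bytes per aligned entry. The `size_t pad = 0;` initialisation and the `if (pad)` memset do fix the uninitialised bytes the subject describes.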