From 858879ee57f80bcb50734906c2b73d2c78793ba7 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Mon, 28 Oct 2013 15:43:03 +0100
Subject: [PATCH] libcli/smb: fix smb2cli_ioctl*() against Windows 2008.

The subsections of [MS-SMB2] "3.2.5.14 Receiving an SMB2 IOCTL Response" say the client should ignore the InputOffset/InputCount. We do that only we ask for max_input_length = 0.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10232

Signed-off-by: Stefan Metzmacher
---
 libcli/smb/smb2cli_ioctl.c | 25 ++++++++++++++++++++++---
 1 file changed, 22 insertions(+), 3 deletions(-)

diff --git a/libcli/smb/smb2cli_ioctl.c b/libcli/smb/smb2cli_ioctl.c
index 8de7635..4b976ad 100644
--- a/libcli/smb/smb2cli_ioctl.c
+++ b/libcli/smb/smb2cli_ioctl.c
@@ -219,6 +219,20 @@ static void smb2cli_ioctl_done(struct tevent_req *subreq)
 return;
 }
 
+ ofs = input_buffer_length;
+ ofs = NDR_ROUND(ofs, 8);
+
+ if (state->max_input_length == 0) {
+ /*
+ * If max_input_length is 0 we ignore
+ * the input_buffer_length, because
+ * Windows 2008 echos the DCERPC request
+ * from the requested input_buffer
+ * to the response input_buffer.
+ */
+ input_buffer_length = 0;
+ }
+
 if (input_buffer_length > state->max_input_length) {
 tevent_req_nterror(
 req, NT_STATUS_INVALID_NETWORK_RESPONSE);
@@ -228,9 +242,6 @@ static void smb2cli_ioctl_done(struct tevent_req *subreq)
 state->out_input_buffer.data = dyn;
 state->out_input_buffer.length = input_buffer_length;
 
- ofs = input_buffer_length;
- ofs = NDR_ROUND(ofs, 8);
-
 dyn_ofs += ofs;
 dyn += ofs;
 dyn_len -= ofs;
@@ -249,6 +260,14 @@ static void smb2cli_ioctl_done(struct tevent_req *subreq)
 return;
 }
 
+ if (state->max_output_length == 0) {
+ /*
+ * We do the same logic as for
+ * max_input_length.
+ */
+ output_buffer_length = 0;
+ }
+
 if (output_buffer_length > state->max_output_length) {
 tevent_req_nterror(
 req, NT_STATUS_INVALID_NETWORK_RESPONSE);
-- 
1.7.9.5
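Review bot: Computing `ofs` before the max_input_length test means that, when the caller passes max_input_length == 0, the server-supplied input_buffer_length now drives `dyn += ofs` and `dyn_len -= ofs` (context of the following hunk) without the `> state->max_input_length` bound ever applying to it; before this change any non-zero length was rejected in that case. The check that ends just above this hunk is not visible, so it is unclear whether the value rounded up by NDR_ROUND is bounded by dyn_len or only the raw length is. If only the raw length is checked, a guard such as `if (ofs > dyn_len) { tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); return; }` before the advance would stop a buggy or hostile server from moving `dyn` past the received data. smb2cli_ioctl_done begins and ends outside the hunk.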
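Review bot: The comment in the new max_output_length == 0 branch only points back at the input case, whose stated reason (Windows 2008 echoing the request into the response input buffer) does not obviously carry over to output data, and the commit message cites [MS-SMB2] only for InputOffset/InputCount. The comment should state on its own why a non-zero output_buffer_length is dropped instead of being rejected, for example `/* Caller asked for no output data: ignore the server's output_buffer_length instead of failing the response. */`. If the branch was added for symmetry and not for an observed server behaviour, a debug-level log of the discarded length would keep a misbehaving server visible. The enclosing block continues outside the hunk.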