The smbd crashes in source3/smbd/ipc.c:void send_trans_reply() when the max xmit is greater than 64kb.
Isn't this a duplicate of bug: https://bugzilla.samba.org/show_bug.cgi?id=10415 which Volker has already fixed ? Or am I confused :-). Jeremy.
(In reply to comment #1)
> Isn't this a duplicate of bug:
>
> https://bugzilla.samba.org/show_bug.cgi?id=10415
>
> which Volker has already fixed ? Or am I confused :-).
>
> Jeremy.

The crash Björn talks about is an explicit panic, not a memory corruption.
Created attachment 9673: Completely untested patches

Jeremy, here's my work in progress, but we need to test the behavior of Windows when it gets a 0 MaxBuffer in the first SessionSetup.
Created attachment 9690: Patches for master
Created attachment 9691: Hacks to reproduce the session setup error
Let me grub through the CIFSFS code first to see if this is going to break large transfers with the Linux client... Jeremy.
Comment on attachment 9690: Patches for master

Still needs work. The BUFFER_SIZE macro is still used in:

    source3/client/client.c:    while (i < (n - 1) && (i < BUFFER_SIZE)) {
    source3/param/loadparm.c:   return MIN(Globals.iminreceivefile, BUFFER_SIZE);
    source3/torture/torture.c:  NULL, 0, BUFFER_SIZE,
    source3/utils/smbfilter.c:  static char packet[BUFFER_SIZE];

plus I think you're missing the addition of smb1.sessions.max_recv in the globals.h smb1 struct. Do you want me to fix these and re-submit, or will you do it?

Jeremy.
Created attachment 9698: Current patchset for master (fails samba3.raw.read(s3dc))

Hi Jeremy, here's my current work..., if you want, go from there...
Created attachment 9792: Patches for v4-1-test
Created attachment 9793: Patch for v4-0-test
Re-assigning to Karolin for inclusion in 4.0.next, 4.1.next. Jeremy.
(In reply to comment #11)
> Re-assigning to Karolin for inclusion in 4.0.next, 4.1.next.
> Jeremy.

Pushed to autobuild-v4-1-test and autobuild-v4-0-test.
Pushed to v4-1-test and v4-0-test. Closing out bug report. Thanks!
*** Bug 10546 has been marked as a duplicate of this bug. ***
Would it be better to update the document, which still says 64K worth of data, while LARGE_WRITEX_BUFFER_SIZE is (128*1024)?

    /*
     * A WRITEX with CAP_LARGE_WRITEX can be 64k worth of data plus 65 bytes
     * of header. Don't print the error if this fits.... JRA.
     */
    if (len > (LARGE_WRITEX_BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE)) {
        DEBUG(0,("Invalid packet length! (%lu bytes).\n",
            (unsigned long)len));
        return false;
    }
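The two failure modes this thread touches, a transaction reply that cannot be represented once "max xmit" exceeds 64k and a client that advertises a 0 MaxBuffer in its first SessionSetup, are illustrated below by an added, self-contained C example. It is not Samba code and does not reproduce smbd's actual logic or names: the per-chunk overhead value, the treatment of 0 as "not advertised", and the function names trans_chunk_budget and split_trans_reply are assumptions for illustration. The only values taken from the thread are LARGE_WRITEX_BUFFER_SIZE (128*1024) and the 65-byte header from the quoted check. The point it makes is that the reply splitter must bound each chunk by the smaller of the server's limit, the client's advertised limit, and what a 16-bit count field can carry, and must return an error rather than panic when no usable budget remains.

```c
/* Added example, not Samba code. Bounds SMB1-style transaction reply
 * chunks so that a large negotiated "max xmit" or a degenerate client
 * buffer size cannot drive the splitter into an unrepresentable size.
 * Constants other than the two taken from the thread, and all function
 * names, are assumptions made for this illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define LARGE_WRITEX_BUFFER_SIZE (128 * 1024)   /* from the quoted check */
#define LARGE_WRITEX_HDR_SIZE    65             /* "plus 65 bytes of header" */
#define TRANS_COUNT_MAX          0xFFFF         /* 16-bit count field (assumed) */
#define CHUNK_OVERHEAD           39             /* assumed fixed per-chunk header */

/* Length check quoted in the thread: a WriteX with CAP_LARGE_WRITEX may
 * carry LARGE_WRITEX_BUFFER_SIZE bytes of data plus its header. */
bool packet_len_ok(size_t len)
{
    return len <= (size_t)(LARGE_WRITEX_BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE);
}

/* Per-chunk payload budget for a transaction reply.
 * server_max_xmit: the server-side limit (32-bit, may exceed 64k).
 * client_max_recv: the 16-bit MaxBufferSize the client advertised in
 *                  SessionSetup; 0 is treated as "not advertised" and
 *                  falls back to the server value (assumption).
 * overhead:        fixed bytes consumed by headers in every chunk.
 * The result is clamped to TRANS_COUNT_MAX so it always fits the count
 * field; 0 means "no usable budget", which the caller must reject. */
size_t trans_chunk_budget(uint32_t server_max_xmit, uint16_t client_max_recv,
                          size_t overhead)
{
    size_t limit = server_max_xmit;
    if (client_max_recv != 0 && client_max_recv < limit) {
        limit = client_max_recv;
    }
    if (limit <= overhead) {
        return 0;               /* reject instead of panicking later */
    }
    limit -= overhead;
    if (limit > TRANS_COUNT_MAX) {
        limit = TRANS_COUNT_MAX;
    }
    return limit;
}

/* Split `total` bytes of reply data into chunks of at most `budget`.
 * Writes per-chunk sizes into `chunks` (capacity `max_chunks`) and
 * returns the chunk count, or -1 if the budget is unusable or the
 * array is too small. Every stored size fits in 16 bits by construction. */
int split_trans_reply(size_t total, size_t budget, uint16_t *chunks,
                      size_t max_chunks)
{
    size_t n = 0;
    if (budget == 0 || budget > TRANS_COUNT_MAX) {
        return -1;
    }
    while (total > 0) {
        size_t this_len = total < budget ? total : budget;
        if (n == max_chunks) {
            return -1;
        }
        chunks[n++] = (uint16_t)this_len;   /* safe: this_len <= 0xFFFF */
        total -= this_len;
    }
    return (int)n;
}

/* Worked scenario: server max xmit of 128k, client advertised 0, and a
 * constructed 100000-byte reply. Returns true if the reply splits into
 * two chunks of 65535 and 34465 bytes. */
bool split_example_ok(void)
{
    uint16_t chunks[4];
    size_t budget = trans_chunk_budget(131072, 0, CHUNK_OVERHEAD);
    int n = split_trans_reply(100000, budget, chunks, 4);
    return n == 2 && chunks[0] == 65535 && chunks[1] == 34465;
}

int main(void)
{
    uint16_t chunks[4];
    size_t budget = trans_chunk_budget(131072, 0, CHUNK_OVERHEAD);
    int n = split_trans_reply(100000, budget, chunks, 4);
    printf("budget=%zu chunks=%d\n", budget, n);
    for (int i = 0; i < n; i++) {
        printf("  chunk %d: %u bytes\n", i, (unsigned)chunks[i]);
    }
    printf("packet_len_ok(128k+65)=%d packet_len_ok(128k+66)=%d\n",
           packet_len_ok(LARGE_WRITEX_BUFFER_SIZE + 65),
           packet_len_ok(LARGE_WRITEX_BUFFER_SIZE + 66));
    return 0;
}
```

The design choice worth noting is that trans_chunk_budget never lets a negotiated value above 64k reach the 16-bit count: the clamp happens once, at budget computation, so split_trans_reply can cast without a check. Whether a 0 MaxBuffer should fall back to the server limit or be rejected outright is exactly the behaviour the thread says needs testing against Windows; the example picks the fallback only to keep the scenario runnable.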