Bug 11822 - source3/libsmb/clilist.c reads short name length as 2 bytes, instead of 1 byte plus reserved.
Summary: source3/libsmb/clilist.c reads short name length as 2 bytes, instead of 1 byt...
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: libsmbclient (show other bugs)
Version: unspecified
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL:
Keywords:
: 11831 (view as bug list)
Depends on:
Blocks:
 
Reported: 2016-04-05 19:32 UTC by Jeremy Allison
Modified: 2016-07-18 18:14 UTC (History)
3 users (show)

See Also:


Attachments
wireshark trace showing non-null 'reserved' field. (10.31 KB, application/x-pcapng)
2016-04-05 19:32 UTC, Jeremy Allison
no flags Details
git-am fix for 4.4.next, 4.3.next. (1.21 KB, patch)
2016-04-07 17:40 UTC, Jeremy Allison
slow: review+
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Jeremy Allison 2016-04-05 19:32:15 UTC
Created attachment 11965 [details]
wireshark trace showing non-null 'reserved' field.

(In the attachment capture from a Windows 10 server).

Packet 21 is a FindFirst response.

In the list of files returned, look into
the "Downloaded Program Files" entry.

The short name length is 16 (0x10), followed by
a 0x1f in the 'Reserved' field.
Comment 1 Jeremy Allison 2016-04-05 19:33:58 UTC
From MS-CIFS

2.2.8.1.7

SMB_FIND_FILE_BOTH_DIRECTORY_INFO

SMB_FIND_FILE_BOTH_DIRECTORY_INFO[SearchCount]
{
ULONG NextEntryOffset;
ULONG FileIndex;
FILETIME CreationTime;
FILETIME LastAccessTime;
FILETIME LastWriteTime;
FILETIME LastChangeTime;
LARGE_INTEGER EndOfFile;
LARGE_INTEGER AllocationSize;
SMB_EXT_FILE_ATTR ExtFileAttributes;
ULONG FileNameLength;
ULONG EaSize;
UCHAR ShortNameLength;
UCHAR Reserved;
WCHAR ShortName[12];
SMB_STRING FileName;
}

clilist.c is reading ShortNameLength as an SVAL read instead of a CVAL read.

Patch to follow.
Comment 2 Jeremy Allison 2016-04-07 17:40:25 UTC
Created attachment 11971 [details]
git-am fix for 4.4.next, 4.3.next.

Cherry-pick from master.
Comment 3 Ralph Böhme 2016-04-07 18:28:32 UTC
Reassigning to Karolin for inclusion in 4.3 and 4.4.
Comment 4 Jeremy Allison 2016-04-12 20:34:24 UTC
*** Bug 11831 has been marked as a duplicate of this bug. ***
Comment 5 Karolin Seeger 2016-04-18 10:56:02 UTC
Pushed to autobuild-v4-[4|3]-test.
Comment 6 Karolin Seeger 2016-04-20 07:28:50 UTC
(In reply to Karolin Seeger from comment #5)
Pushed to both branches.
Closing out bug report.

Thanks!
Comment 7 Filipus Klutiero 2016-07-18 18:14:58 UTC
This was fixed in Samba 4.3.9 and 4.4.3.

A downstream ticket reports this in Debian's 4.2.10+dfsg-0, but this might be the result of backporting: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820794