Reported by Volker with a patch. From a5c7f0997e53ae300511b9aec549f07b34280d3b Mon Sep 17 00:00:00 2001 From: Volker Lendecke <vl@samba.org> Date: Wed, 27 Apr 2016 12:15:37 +0200 Subject: [PATCH] smbd: Avoid large reads beyond EOF With unix extensions and oplocks=no mount.cifs from jessie reads beyond the file end forever, and we are happy to return zeros.... Signed-off-by: Volker Lendecke <vl@samba.org> --- source3/smbd/reply.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c index cbe15a3..e0e55c6 100644 --- a/source3/smbd/reply.c +++ b/source3/smbd/reply.c @@ -4100,6 +4100,16 @@ normal_read: uint8_t headerbuf[smb_size + 2*12 + 1 /* padding byte */]; ssize_t ret; + if (!S_ISREG(fsp->fsp_name->st.st_ex_mode) || + (startpos > fsp->fsp_name->st.st_ex_size) || + (smb_maxcnt > (fsp->fsp_name->st.st_ex_size - startpos))) { + /* + * We already know that we would do a short + * read, so don't try the sendfile() path. + */ + goto nosendfile_read; + } + construct_reply_common_req(req, (char *)headerbuf); setup_readX_header(req, (char *)headerbuf, smb_maxcnt); Cherry-picked patch to follow once pushed to master.
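Review bot: the new guard in normal_read: decides on fsp->fsp_name->st.st_ex_size, which is whatever stat was last cached on the fsp, not the file's current size; since the commit message describes an oplocks=no client, another writer may have grown or truncated the file since that stat, and then the check is wrong in both directions: a stale larger size still lets the sendfile() path attempt a read past the real EOF (the very case this patch is meant to avoid), while a stale smaller size only costs a needless fall back to the slow path. Consider refreshing the stat on fsp immediately before the comparison, or at least extend the comment ("We already know that we would do a short read") to say that the decision is made against cached metadata and is therefore best-effort. Minor: the third condition compares smb_maxcnt with the difference st_ex_size - startpos; if smb_maxcnt is unsigned and the size fields signed, that comparison is only safe because the preceding (startpos > st_ex_size) test guarantees the difference is non-negative, so keep that ordering and mention it in the comment. The label nosendfile_read is outside the hunk, so the build rather than this diff confirms it exists in this function.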
Created attachment 12033: git-am fix for 4.4.next, 4.3.next. Cherry-pick from fix that went into master.
(In reply to Jeremy Allison from comment #1) Pushed to autobuild-v4-[4|3]-test
(In reply to Karolin Seeger from comment #2) Pushed to both branches. Closing out bug report. Thanks!