14443 – Out-by-4 error in smbd read reply max_send clamp

Bug 14443 - Out-by-4 error in smbd read reply max_send clamp

Summary: Out-by-4 error in smbd read reply max_send clamp

Status:	ASSIGNED

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	File services (show other bugs)
Version:	4.13.0.rc1
Hardware:	All All

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Jeremy Allison
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2020-07-19 12:59 UTC by Sprow
Modified:	2020-07-29 19:10 UTC (History)
CC List:	0 users

See Also:

Attachments
Patch to exclude NetBIOS header allowance (832 bytes, patch) 2020-07-19 12:59 UTC, Sprow	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sprow 2020-07-19 12:59:02 UTC

Created attachment 16134 [details]
Patch to exclude NetBIOS header allowance

There are checks on the request size in both reply_lockread_locked() and reply_read() which attempt to limit the amount read to the smaller of the request and the negotiated SMB1 session max_send value less headers.

However, the calculation uses smb_read (=39) which includes a 4 byte NetBIOS header, while the negotiated max_send value is independent of whether it's wrapped in NetBIOS or not.

This means that any client which does the calculation at their end gets replies which are 4 bytes too short.

Attached patch changes this to use MIN_SMB_SIZE (=35) instead.