Bug 14443 - Out-by-4 error in smbd read reply max_send clamp
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
Version: 4.13.0.rc1
Hardware: All
OS: All
Importance: P5 normal
Target Milestone: ---
Assignee: Jeremy Allison
QA Contact: Samba QA Contact
Depends on:
Reported: 2020-07-19 12:59 UTC by Sprow
Modified: 2020-07-29 19:10 UTC

See Also:

Attachment: Patch to exclude NetBIOS header allowance (832 bytes, patch), 2020-07-19 12:59 UTC, Sprow

Description (Sprow, 2020-07-19 12:59:02 UTC)
Created attachment 16134: Patch to exclude NetBIOS header allowance

There are checks on the request size in both reply_lockread_locked() and reply_read() which attempt to limit the amount read to the smaller of the request and the negotiated SMB1 session max_send value less headers.

However, the calculation uses smb_read (=39) which includes a 4 byte NetBIOS header, while the negotiated max_send value is independent of whether it's wrapped in NetBIOS or not.

This means that any client which does the calculation at their end gets replies which are 4 bytes too short.

The attached patch changes this to use MIN_SMB_SIZE (=35) instead.
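To make the off-by-4 concrete, here is a small model of the clamp as an added illustration; it is not Samba's code and not the attached patch. It assumes the conventional SMB1 framing (a 4-byte NetBIOS session header, a 32-byte SMB header, a 1-byte word count and a 2-byte byte count, so 39 with the NetBIOS header and 35 without) and, for the read reply specifically, 5 parameter words plus 3 bytes preceding the data; the function names, `extra` parameter and the sample values are constructed. It clamps a requested read against max_send with each header allowance and then measures, client-side, how far the resulting SMB message falls short of the negotiated budget.

```c
#include <stdio.h>
#include <stddef.h>

/* Assumed SMB1 framing (not taken from the bug page). */
#define NBT_HEADER_LEN 4   /* NetBIOS session header, not counted by max_send */
#define SMB_HEADER_LEN 32  /* fixed SMB1 header */
#define WCT_LEN        1   /* word count byte */
#define BCC_LEN        2   /* byte count field */

/* 4 + 32 + 1 + 2 = 39: the allowance that wrongly includes NetBIOS. */
#define ALLOWANCE_WITH_NBT    (NBT_HEADER_LEN + SMB_HEADER_LEN + WCT_LEN + BCC_LEN)
/* 32 + 1 + 2 = 35: MIN_SMB_SIZE, the allowance the patch switches to. */
#define ALLOWANCE_WITHOUT_NBT (SMB_HEADER_LEN + WCT_LEN + BCC_LEN)

/* Assumed bytes between the byte count and the data in a read reply:
 * 5 parameter words (10 bytes) plus 3 bytes of buffer format/length. */
#define READ_REPLY_EXTRA (5 * 2 + 3)

/* Server-side clamp: largest data length the server will return given the
 * requested length, the negotiated max_send and the header allowance used. */
static size_t clamp_read_len(size_t max_send, size_t requested,
                             size_t header_allowance, size_t extra)
{
    size_t budget;
    if (max_send < header_allowance + extra)
        return 0;
    budget = max_send - header_allowance - extra;
    return requested < budget ? requested : budget;
}

/* Length of the SMB message that max_send governs: everything after the
 * NetBIOS header, i.e. header, wct, bcc, command-specific bytes and data. */
static size_t smb_message_len(size_t data_len, size_t extra)
{
    return SMB_HEADER_LEN + WCT_LEN + BCC_LEN + extra + data_len;
}

/* Client-side check: bytes left unused in the max_send budget when the
 * client asked for at least a full window. 0 means the reply fills it. */
static size_t shortfall(size_t max_send, size_t requested,
                        size_t header_allowance, size_t extra)
{
    size_t n = clamp_read_len(max_send, requested, header_allowance, extra);
    return max_send - smb_message_len(n, extra);
}

int main(void)
{
    /* Constructed sample: a 64 KiB - 1 max_send and a client asking for
     * as much as it can get, so the clamp decides the reply length. */
    size_t max_send = 65535, requested = 65535;

    printf("allowance 39: data %zu, shortfall %zu bytes\n",
           clamp_read_len(max_send, requested, ALLOWANCE_WITH_NBT, READ_REPLY_EXTRA),
           shortfall(max_send, requested, ALLOWANCE_WITH_NBT, READ_REPLY_EXTRA));
    printf("allowance 35: data %zu, shortfall %zu bytes\n",
           clamp_read_len(max_send, requested, ALLOWANCE_WITHOUT_NBT, READ_REPLY_EXTRA),
           shortfall(max_send, requested, ALLOWANCE_WITHOUT_NBT, READ_REPLY_EXTRA));
    return 0;
}
```

With the 39-byte allowance the reply's SMB message is 4 bytes shorter than max_send permits; with MIN_SMB_SIZE it fills the budget exactly, which is what a client that performs the same computation expects.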