Bug 2921 - NTTransCreate (in libcli/raw) is sent with bad parameters when in ASCII mode
Product: Samba 4.0
Classification: Unclassified
Component: Other
Hardware: All
OS: Linux
Priority: P3
Severity: normal
Target Milestone: ---
Assigned To: Andrew Bartlett
Reported: 2005-07-26 11:46 UTC by Aaron Staley
Modified: 2006-03-10 09:14 UTC
Description Aaron Staley 2005-07-26 11:46:00 UTC
Anyhow, in libcli/raw/rawfile.c:

static struct smbcli_request *smb_raw_nttrans_create_send(struct smbcli_tree *tree,
                                                           union smb_open *parms)

there are two particular lines:
nt.in.params = data_blob_talloc(mem_ctx, NULL, 54);
SCVAL(params, 53, 0);

According to the CIFS draft, NTTransCreate is defined as:

Request Parameter Block Encoding    Description
=================================== ================================
ULONG Flags;                        Creation flags (see below)
ULONG RootDirectoryFid;             Optional directory for relative
ACCESS_MASK DesiredAccess;          Desired access
LARGE_INTEGER AllocationSize;       The initial allocation size in
                                     bytes, if file created
ULONG ExtFileAttributes;            The extended file attributes
ULONG ShareAccess;                  The share access
ULONG CreateDisposition;            Action to take if file exists or
ULONG CreateOptions;                Options for creating a new file
ULONG SecurityDescriptorLength;     Length of SD in bytes
ULONG EaLength;                     Length of EA in bytes
ULONG NameLength;                   Length of name in characters
ULONG ImpersonationLevel;           Security QOS information
UCHAR SecurityFlags;                Security QOS information
STRING Name[NameLength];            The name of the file (not NULL

In other words, there should be no single character padding (that is on the 53rd
byte) between Security Flags and Name.

This padding indeed causes problems when in ASCII mode (that is if
SMBCLI_FORCE_ASCII is set in the environment).  The server (samba3 or windows
2000) will see the NULL byte as the first byte as Name and will simply return

Unfortunately, it appears that unicode strings are forced to be word aligned
internally (that is the smbcli_blob_append_string function and thus putstring)
and will not append starting at byte 53 (perhaps this limitation should be
removed?).  Either way, the simple solution to this problem appears to be:

change the first line to:
nt.in.params = data_blob_talloc(mem_ctx, NULL,
                                (tree->session->transport->negotiate.capabilities & CAP_UNICODE) ? 54 : 53);
and don't set the padding if CAP_UNICODE is not set in the capabilities.
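The following is an added illustration of the layout described in the report; it is not code from Samba or from the reporter. It encodes the NT_TRANSACT_CREATE parameter block from the CIFS draft field list quoted above and shows where Name begins in ASCII mode (byte 53) versus Unicode mode (byte 54, after the alignment pad). The struct, helper names and sample field values are constructed for the example; the field order and widths are the draft's.

```c
/* Added example, not Samba code: encode the NTTransCreate parameter block
 * from the CIFS draft field list and report the offset of the Name field.
 * Struct layout, helper names and sample values are assumptions for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed-size prefix from the draft: eleven ULONGs, one LARGE_INTEGER, one UCHAR. */
#define NTCREATE_FIXED_LEN (11 * 4 + 8 + 1)   /* = 53 */

struct ntcreate_req {
    uint32_t flags, root_dir_fid, desired_access;
    uint64_t allocation_size;
    uint32_t ext_file_attributes, share_access, create_disposition, create_options;
    uint32_t security_descriptor_length, ea_length, impersonation_level;
    uint8_t  security_flags;
};

/* Constructed sample request (values chosen for the example, not taken from a trace). */
static const struct ntcreate_req sample_req = {
    .flags = 0, .root_dir_fid = 0, .desired_access = 0x20089,
    .allocation_size = 0, .ext_file_attributes = 0x80, .share_access = 7,
    .create_disposition = 1, .create_options = 0x40,
    .security_descriptor_length = 0, .ea_length = 0,
    .impersonation_level = 2, .security_flags = 0,
};

static void put_le32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static void put_le64(uint8_t *p, uint64_t v) { for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Name starts right after SecurityFlags (offset 53) in ASCII mode. In Unicode
 * mode one pad byte brings the UTF-16LE string onto a 2-byte boundary, so 54,
 * which is the 54-byte blob the report describes. */
size_t ntcreate_name_offset(bool unicode)
{
    return unicode ? NTCREATE_FIXED_LEN + 1 : NTCREATE_FIXED_LEN;
}

/* Encode the parameter block into buf. Returns the total length, or 0 if buf is
 * too small. The name is given as ASCII; in Unicode mode it is widened to UTF-16LE
 * (ASCII-only names assumed). NameLength is counted in characters, as the draft says. */
size_t ntcreate_encode(uint8_t *buf, size_t buflen, const struct ntcreate_req *r,
                       const char *name, bool unicode)
{
    size_t nchars = strlen(name);
    size_t name_off = ntcreate_name_offset(unicode);
    size_t total = name_off + nchars * (unicode ? 2 : 1);
    if (buflen < total) return 0;
    memset(buf, 0, total);
    put_le32(buf + 0,  r->flags);
    put_le32(buf + 4,  r->root_dir_fid);
    put_le32(buf + 8,  r->desired_access);
    put_le64(buf + 12, r->allocation_size);
    put_le32(buf + 20, r->ext_file_attributes);
    put_le32(buf + 24, r->share_access);
    put_le32(buf + 28, r->create_disposition);
    put_le32(buf + 32, r->create_options);
    put_le32(buf + 36, r->security_descriptor_length);
    put_le32(buf + 40, r->ea_length);
    put_le32(buf + 44, (uint32_t)nchars);
    put_le32(buf + 48, r->impersonation_level);
    buf[52] = r->security_flags;
    /* buf[53] is left zero only in Unicode mode, where it is the alignment pad. */
    for (size_t i = 0; i < nchars; i++) {
        if (unicode) { buf[name_off + 2 * i] = (uint8_t)name[i]; buf[name_off + 2 * i + 1] = 0; }
        else          buf[name_off + i] = (uint8_t)name[i];
    }
    return total;
}

/* The symptom in the report: an ASCII-mode server reads Name from the byte right
 * after SecurityFlags, so a stray pad byte there looks like an empty name. */
bool ntcreate_name_starts_at_53(const uint8_t *buf, size_t len)
{
    return len > NTCREATE_FIXED_LEN && buf[NTCREATE_FIXED_LEN] != 0;
}

int main(void)
{
    uint8_t buf[256];
    const bool modes[2] = { false, true };
    for (int m = 0; m < 2; m++) {
        size_t n = ntcreate_encode(buf, sizeof buf, &sample_req, "test.txt", modes[m]);
        printf("%s: %zu bytes, Name at offset %zu, byte[53]=0x%02x, name visible at 53: %s\n",
               modes[m] ? "unicode" : "ascii", n, ntcreate_name_offset(modes[m]),
               buf[53], ntcreate_name_starts_at_53(buf, n) ? "yes" : "no");
    }
    return 0;
}
```

Run stand-alone, the ASCII line shows the name beginning at byte 53, while the Unicode line shows the zero pad at 53 and the name at 54. Building the 54-byte blob unconditionally, as the original code did, is exactly the ASCII case with byte 53 zeroed, which is what the report says the server then reads as the start of Name.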
Comment 1 Stefan Metzmacher 2006-03-10 09:14:51 UTC
fixed in r14141, r14142, 14160