Using Samba 3.0.24-6 on Debian, I noticed that smbd appeared to return a malformed response to a client read request when an I/O error occurred on the server-side read().

From the smbd log:

[2007/04/07 05:40:15, 3] smbd/error.c:unix_error_packet(90)
  unix_error_packet: error string = Input/output error
[2007/04/07 05:40:15, 3] smbd/error.c:error_packet(146)
  error packet at smbd/reply.c(2638) cmd=46 (SMBreadX) NT_STATUS_IO_DEVICE_ERROR

From a 2.6.20 cifs client:

Apr  6 22:26:12 kjamieson64 kernel: fs/cifs/connect.c: rfc1002 length 0x27)
Apr  6 22:26:12 kjamieson64 kernel: fs/cifs/misc.c: Calculated size 294 vs length 39 mismatch for mid 2481
Apr  6 22:26:12 kjamieson64 kernel: Bad SMB: : dump of 48 bytes of data at 0xffff810005166400
Apr  6 22:26:12 kjamieson64 kernel: 00000023 424d53ff 0001852e c00180c0  # . . . ? S M B . . . . ? . . ?
Apr  6 22:26:12 kjamieson64 kernel: 00000000 00000000 00000000 0ff80001  . . . . . . . . . . . . . . ? .
Apr  6 22:26:12 kjamieson64 kernel: 09b10064 0000ff00 1a9d0100 00000001  d . ? . . ? . . . . . . . . . .

From a 2.6.20 smbfs client:

Apr  6 22:47:09 kjamieson64 kernel: smb_proc_readX_data: offset is larger than SMB_READX_MAX_PAD or negative!
Apr  6 22:47:09 kjamieson64 kernel: smb_proc_readX_data: -35 > 64 || -35 < 0

ethereal dump of the offending packet:

NetBIOS Session Service
    Message Type: Session message
    Length: 35
SMB (Server Message Block Protocol)
    SMB Header
        Server Component: SMB
        Response to: 17
        Time from request: 0.037665000 seconds
        SMB Command: Read AndX (0x2e)
        NT Status: STATUS_IO_DEVICE_ERROR (0xc0000185)
        Flags: 0x80
            1... .... = Request/Response: Message is a response to the client/redirector
            .0.. .... = Notify: Notify client only on open
            ..0. .... = Oplocks: OpLock not requested/granted
            ...0 .... = Canonicalized Pathnames: Pathnames are not canonicalized
            .... 0... = Case Sensitivity: Path names are case sensitive
            .... ..0. = Receive Buffer Posted: Receive buffer has not been posted
            .... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported
        Flags2: 0xc001
            1... .... .... .... = Unicode Strings: Strings are Unicode
            .1.. .... .... .... = Error Code Type: Error codes are NT error codes
            ..0. .... .... .... = Execute-only Reads: Don't permit reads if execute-only
            ...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
            .... 0... .... .... = Extended Security Negotiation: Extended security negotiation is not supported
            .... .... .0.. .... = Long Names Used: Path names in request are not long file names
            .... .... .... .0.. = Security Signatures: Security signatures are not supported
            .... .... .... ..0. = Extended Attributes: Extended attributes are not supported
            .... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response
        Process ID High: 0
        Signature: 0000000000000000
        Reserved: 0000
        Tree ID: 1
        Process ID: 4558
        User ID: 100
        Multiplex ID: 2798
    Read AndX Response (0x2e)
        Word Count (WCT): 0
        Byte Count (BCC): 255
        [Malformed Packet: SMB]

0000  00 02 b3 bd 3b f3 00 14 38 7a d6 40 08 00 45 00   ....;...8z.@..E.
0010  00 5b 18 89 40 00 3f 06 b0 b1 c0 a8 82 49 c0 a8   .[..@.?......I..
0020  6e c8 01 bd 90 4c b8 00 71 f6 9c 73 96 b2 80 18   n....L..q..s....
0030  09 d8 30 20 00 00 01 01 08 0a 08 22 7a 19 69 48   ..0 ......."z.iH
0040  8e ed 00 00 00 23 ff 53 4d 42 2e 85 01 00 c0 80   .....#.SMB......
0050  01 c0 00 00 00 00 00 00 00 00 00 00 00 00 01 00   ................
0060  ce 11 64 00 ee 0a 00 ff 00                        ..d......

It looks like the problem is in reply_read_and_X() whenever send_file_readX() returns an error packet. A simple (possibly not correct) workaround seems to be:

--- samba-3.0.24/source/smbd/reply.c.bak 2007-04-07 00:41:33.000000000 -0700 +++ samba-3.0.24/source/smbd/reply.c 2007-04-07 00:52:29.000000000 -0700 @@ -2728,7 +2728,7 @@ } nread = send_file_readX(conn, inbuf, outbuf, length, bufsize, fsp, startpos, smb_maxcnt); - if (nread != -1) + if (nread > smb_size) nread = chain_reply(inbuf,outbuf,length,bufsize); END_PROFILE(SMBreadX);
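Review bot: the replacement condition `if (nread > smb_size)` tells an error reply apart from a data reply only by its length, which makes the hunk depend on an unstated contract that send_file_readX() never builds an error packet larger than smb_size and never builds a data packet that small; that is exactly why it is flagged as "possibly not correct". The decision that matters is whether send_file_readX() produced an error packet, so it is cleaner to have that function signal the error case explicitly and skip chain_reply() on that signal, while still honouring the original `-1` case from the removed `if (nread != -1)` line; at minimum the new line needs a comment explaining why a size comparison stands in for "this is an error packet".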
Jeremy, can you confirm this?
Can you get me the binary trace of this. The text dump is no good. Is this repeatable by you? The NT status being returned is correct, it's the byte count that looks wrong.

Jeremy.
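The byte-count problem Jeremy points at is what the cifs client's "Calculated size 294 vs length 39" check catches. The following is an added example (not from the report or from Samba) that decodes the 39 reply bytes from the ethereal capture above and reruns that consistency check in Python, alongside a constructed error reply with BCC 0 to show what a well-formed one looks like:

```python
import struct

# The 39 bytes (4-byte NetBIOS session header + 35-byte SMB) copied from the
# ethereal hex dump in the report, starting at the "00 00 00 23" bytes.
BAD_READX_REPLY = bytes.fromhex(
    "00000023"            # NetBIOS session message, length 35
    "ff534d42" "2e"       # \xffSMB, command 0x2e (Read AndX)
    "850100c0"            # NT status 0xc0000185 STATUS_IO_DEVICE_ERROR (little-endian)
    "80" "01c0" "0000"    # Flags 0x80, Flags2 0xc001, PID high 0
    "0000000000000000"    # Signature
    "0000" "0100" "ce11"  # Reserved, TID 1, PID 4558
    "6400" "ee0a"         # UID 100, MID 2798
    "00" "ff00"           # WCT 0, BCC 255: the inconsistent part
)
# Constructed for comparison: same header, but BCC 0, which is what a bare
# error reply with WCT 0 should carry.
GOOD_ERROR_REPLY = BAD_READX_REPLY[:37] + b"\x00\x00"

SMB_HDR = struct.Struct("<4sBIBHH8sHHHHH")  # 32-byte SMB header, little-endian

def parse_smb(pkt):
    """Decode the session header, SMB header, WCT and BCC of one reply."""
    nb_len = struct.unpack(">I", pkt[:4])[0] & 0xFFFFFF  # 24-bit length after type byte
    (magic, cmd, status, flags, flags2, _pid_hi, _sig, _rsv,
     tid, pid, uid, mid) = SMB_HDR.unpack_from(pkt, 4)
    if magic != b"\xffSMB":
        raise ValueError("not an SMB packet")
    wct = pkt[36]
    bcc_off = 37 + 2 * wct
    bcc = struct.unpack_from("<H", pkt, bcc_off)[0] if bcc_off + 2 <= len(pkt) else None
    return {"nb_len": nb_len, "cmd": cmd, "status": status, "flags2": flags2,
            "tid": tid, "pid": pid, "uid": uid, "mid": mid, "wct": wct, "bcc": bcc,
            # Flags2 bit 0x4000 set means the status field holds an NT status code
            "is_error": bool(flags2 & 0x4000) and status != 0}

def check_smb(pkt):
    """Reproduce the client's sanity check: header + words + bytes must fit the frame."""
    h = parse_smb(pkt)
    on_wire = 4 + h["nb_len"]
    if h["bcc"] is None:
        return {"on_wire": on_wire, "calculated": None, "ok": False, "reason": "truncated words"}
    calculated = 4 + 32 + 1 + 2 * h["wct"] + 2 + h["bcc"]
    ok = calculated == on_wire
    reason = "" if ok else "Calculated size %d vs length %d mismatch for mid %d" % (
        calculated, on_wire, h["mid"])
    return {"on_wire": on_wire, "calculated": calculated, "ok": ok, "reason": reason}

if __name__ == "__main__":
    for name, pkt in (("reply from the bug", BAD_READX_REPLY),
                      ("constructed error reply", GOOD_ERROR_REPLY)):
        r = check_smb(pkt)
        print(name + ":", "OK" if r["ok"] else "BAD, " + r["reason"])
```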
Created attachment 2361: Patch

Found it - we shouldn't be calling chain_reply if it's an error packet. Will be fixed for 3.0.25 final.

Jeremy.
Fixed in the SAMBA_3_0_25 tree (for rc2 or possibly 3.0.25-final).