Bug 4494 - reply_read_and_X returns malformed reply on read error
Status: RESOLVED FIXED
Product: Samba 3.0
Classification: Unclassified
Component: File Services
Version: 3.0.24
Hardware: x86 Linux
Importance: P3 normal
Target Milestone: 3.0.25
Assigned To: Jeremy Allison
QA Contact: Samba QA Contact
Depends on:
Blocks:
Reported: 2007-04-07 03:21 UTC by Kevin Jamieson
Modified: 2007-04-10 10:11 UTC (History)
Attachments
Patch (966 bytes, patch), 2007-04-09 15:55 UTC, Jeremy Allison

Description Kevin Jamieson 2007-04-07 03:21:44 UTC
Using Samba 3.0.24-6 on Debian, I noticed that smbd appeared to return a malformed response to a client read request when an I/O error occurred on the server-side read().

From the smbd log:

[2007/04/07 05:40:15, 3] smbd/error.c:unix_error_packet(90)
  unix_error_packet: error string = Input/output error
[2007/04/07 05:40:15, 3] smbd/error.c:error_packet(146)
  error packet at smbd/reply.c(2638) cmd=46 (SMBreadX) NT_STATUS_IO_DEVICE_ERROR

From a 2.6.20 cifs client:

Apr  6 22:26:12 kjamieson64 kernel:  fs/cifs/connect.c: rfc1002 length 0x27)
Apr  6 22:26:12 kjamieson64 kernel:  fs/cifs/misc.c: Calculated size 294 vs length 39 mismatch for mid 2481
Apr  6 22:26:12 kjamieson64 kernel: Bad SMB: : dump of 48 bytes of data at 0xffff810005166400
Apr  6 22:26:12 kjamieson64 kernel:  00000023 424d53ff 0001852e c00180c0 # . . . ? S M B . . . . ? . . ?
Apr  6 22:26:12 kjamieson64 kernel:  00000000 00000000 00000000 0ff80001 . . . . . . . . . . . . . . ? .
Apr  6 22:26:12 kjamieson64 kernel:  09b10064 0000ff00 1a9d0100 00000001 d . ? . . ? . . . . . . . . . .

From a 2.6.20 smbfs client:

Apr  6 22:47:09 kjamieson64 kernel: smb_proc_readX_data: offset is larger than SMB_READX_MAX_PAD or negative!
Apr  6 22:47:09 kjamieson64 kernel: smb_proc_readX_data: -35 > 64 || -35 < 0

ethereal dump of the offending packet:

NetBIOS Session Service
    Message Type: Session message
    Length: 35
SMB (Server Message Block Protocol)
    SMB Header
        Server Component: SMB
        Response to: 17
        Time from request: 0.037665000 seconds
        SMB Command: Read AndX (0x2e)
        NT Status: STATUS_IO_DEVICE_ERROR (0xc0000185)
        Flags: 0x80
            1... .... = Request/Response: Message is a response to the client/redirector
            .0.. .... = Notify: Notify client only on open
            ..0. .... = Oplocks: OpLock not requested/granted
            ...0 .... = Canonicalized Pathnames: Pathnames are not canonicalized
            .... 0... = Case Sensitivity: Path names are case sensitive
            .... ..0. = Receive Buffer Posted: Receive buffer has not been posted
            .... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported
        Flags2: 0xc001
            1... .... .... .... = Unicode Strings: Strings are Unicode
            .1.. .... .... .... = Error Code Type: Error codes are NT error codes
            ..0. .... .... .... = Execute-only Reads: Don't permit reads if execute-only
            ...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
            .... 0... .... .... = Extended Security Negotiation: Extended security negotiation is not supported
            .... .... .0.. .... = Long Names Used: Path names in request are not long file names
            .... .... .... .0.. = Security Signatures: Security signatures are not supported
            .... .... .... ..0. = Extended Attributes: Extended attributes are not supported
            .... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response
        Process ID High: 0
        Signature: 0000000000000000
        Reserved: 0000
        Tree ID: 1
        Process ID: 4558
        User ID: 100
        Multiplex ID: 2798
    Read AndX Response (0x2e)
        Word Count (WCT): 0
        Byte Count (BCC): 255
[Malformed Packet: SMB]

0000  00 02 b3 bd 3b f3 00 14 38 7a d6 40 08 00 45 00   ....;...8z.@..E.
0010  00 5b 18 89 40 00 3f 06 b0 b1 c0 a8 82 49 c0 a8   .[..@.?......I..
0020  6e c8 01 bd 90 4c b8 00 71 f6 9c 73 96 b2 80 18   n....L..q..s....
0030  09 d8 30 20 00 00 01 01 08 0a 08 22 7a 19 69 48   ..0 ......."z.iH
0040  8e ed 00 00 00 23 ff 53 4d 42 2e 85 01 00 c0 80   .....#.SMB......
0050  01 c0 00 00 00 00 00 00 00 00 00 00 00 00 01 00   ................
0060  ce 11 64 00 ee 0a 00 ff 00                        ..d......

It looks like the problem is in reply_read_and_X() whenever send_file_readX() returns an error packet.

A simple (possibly not correct) workaround seems to be:

--- samba-3.0.24/source/smbd/reply.c.bak        2007-04-07 00:41:33.000000000 -0700
+++ samba-3.0.24/source/smbd/reply.c    2007-04-07 00:52:29.000000000 -0700
@@ -2728,7 +2728,7 @@
        }
 
        nread = send_file_readX(conn, inbuf, outbuf, length, bufsize, fsp, startpos, smb_maxcnt);
-       if (nread != -1)
+       if (nread > smb_size)
                nread = chain_reply(inbuf,outbuf,length,bufsize);
 
        END_PROFILE(SMBreadX);
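Review bot: the `if (nread > smb_size)` test relies on an implicit assumption that the error packet send_file_readX() builds is never longer than smb_size while every successful ReadAndX reply is, and nothing at this site says so; a reader cannot tell from this line that it is meant to distinguish an error packet from a data reply, which is also why the reporter flags it as "possibly not correct". Make the condition explicit, for example by checking the NT status written into outbuf for an error before calling chain_reply(), or by having send_file_readX() signal the error-packet case with a distinct return value, and add a comment stating why chaining must stop on an error reply.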
Comment 1 Gerald (Jerry) Carter 2007-04-07 08:06:37 UTC
Jeremy, Can you confirm this?
Comment 2 Jeremy Allison 2007-04-09 15:43:39 UTC
Can you get me the binary trace of this. The text dump is no good. Is this repeatable by you? The NT status being returned is correct, it's the byte count that looks wrong.
Jeremy.
Comment 3 Jeremy Allison 2007-04-09 15:55:19 UTC
Created attachment 2361 [details]
Patch

Found it - we shouldn't be calling chain_reply if it's an error packet.
Will be fixed for 3.0.25 final.
Jeremy.
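The two checks this report turns on, as an added example in C that is not Samba code: the size arithmetic behind the cifs client's "Calculated size 294 vs length 39" message, and the "is this reply an error packet, so stop chaining" decision that the fix applies. It parses the 39-byte reply from the ethereal dump above and, for comparison, a constructed copy with the byte count zeroed; the function names and the `fixed_reply` bytes are mine, the header offsets follow the SMB1 wire layout.

```c
#include <stdint.h>
#include <string.h>
#define NBT_HDR_LEN      4       /* NetBIOS session header: type byte + 3-byte length */
#define SMB_HDR_LEN      32      /* fixed SMB1 header, "\xffSMB" through MID */
#define FLAGS2_NT_STATUS 0x4000  /* Flags2 bit: status field carries an NT status code */
/* The 39-byte reply from the ethereal dump above (NBT header + 35-byte SMB). */
static const uint8_t bad_reply[] = {
    0x00,0x00,0x00,0x23,                                  /* NBT: session message, length 35 */
    0xff,0x53,0x4d,0x42, 0x2e, 0x85,0x01,0x00,0xc0, 0x80, /* \xffSMB, ReadAndX, STATUS_IO_DEVICE_ERROR, flags */
    0x01,0xc0, 0x00,0x00, 0,0,0,0,0,0,0,0, 0x00,0x00,     /* flags2 0xc001, PIDHigh, signature, reserved */
    0x01,0x00, 0xce,0x11, 0x64,0x00, 0xee,0x0a,           /* TID 1, PID 4558, UID 100, MID 2798 */
    0x00, 0xff,0x00 };                                    /* WCT 0, BCC 255: the bogus byte count */
/* Constructed for comparison: the same reply with BCC = 0, as a WCT=0 error packet should carry. */
static const uint8_t fixed_reply[] = {
    0x00,0x00,0x00,0x23, 0xff,0x53,0x4d,0x42, 0x2e, 0x85,0x01,0x00,0xc0, 0x80, 0x01,0xc0, 0x00,0x00,
    0,0,0,0,0,0,0,0, 0x00,0x00, 0x01,0x00, 0xce,0x11, 0x64,0x00, 0xee,0x0a, 0x00, 0x00,0x00 };
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p) { return le16(p) | ((uint32_t)le16(p + 2) << 16); }
static uint32_t nbt_len(const uint8_t *p) { return ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }

/* Size the packet claims to have, from WCT and BCC: the cifs client's "Calculated size". */
long smb_calculated_size(const uint8_t *pkt, size_t len)
{
    if (len < NBT_HDR_LEN + SMB_HDR_LEN + 1 || memcmp(pkt + NBT_HDR_LEN, "\xffSMB", 4) != 0)
        return -1;
    size_t bcc_off = NBT_HDR_LEN + SMB_HDR_LEN + 1 + 2 * (size_t)pkt[NBT_HDR_LEN + SMB_HDR_LEN];
    if (bcc_off + 2 > len)
        return -1;
    return (long)(bcc_off + 2 + le16(pkt + bcc_off));
}

/* Does the claimed size agree with the NBT length and with what the wire actually carries? */
int smb_lengths_agree(const uint8_t *pkt, size_t len)
{
    return len == NBT_HDR_LEN + nbt_len(pkt) && smb_calculated_size(pkt, len) == (long)len;
}

/* An error reply: Flags2 says NT-status encoding and the status word is non-zero. */
int smb_is_error_reply(const uint8_t *pkt, size_t len)
{
    if (len < NBT_HDR_LEN + SMB_HDR_LEN)
        return 0;
    return (le16(pkt + NBT_HDR_LEN + 10) & FLAGS2_NT_STATUS) != 0 && le32(pkt + NBT_HDR_LEN + 5) != 0;
}

/* The rule the fix applies: chain the next AndX command only when the reply is not an error packet. */
int smb_should_chain(const uint8_t *pkt, size_t len)
{
    return !smb_is_error_reply(pkt, len);
}
```

For the captured reply, smb_calculated_size() returns 294 against a wire length of 39, so a client must reject it; with the byte count zeroed the same 39-byte error packet is self-consistent, and in both cases the status marks it as an error that must not be chained.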
Comment 4 Gerald (Jerry) Carter 2007-04-10 10:11:32 UTC
Fixed in the SAMBA_3_0_25 tree (for rc2 or possibly 3.0.25-final).