Bug 9706 - Parameter is incorrect on Android
Summary: Parameter is incorrect on Android
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: File services (show other bugs)
Version: 4.0.3
Hardware: All All
: P1 regression (vote)
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks: 9724
  Show dependency treegraph
 
Reported: 2013-03-09 12:04 UTC by cube00
Modified: 2013-03-21 10:54 UTC (History)
1 user (show)

See Also:


Attachments
Level 10 logs from smbd, nmbd and jcifs (72.20 KB, application/zip)
2013-03-11 12:08 UTC, cube00
no flags Details
git-am fix for master and 4.0.next (2.35 KB, patch)
2013-03-11 20:15 UTC, Jeremy Allison
no flags Details
Better git-am fix for master and 4.0.x (2.75 KB, patch)
2013-03-11 21:51 UTC, Jeremy Allison
no flags Details
git-am fix for 4.0.x and master (21.10 KB, patch)
2013-03-13 23:31 UTC, Jeremy Allison
no flags Details
git-am fix for 3.6.next. (1.82 KB, patch)
2013-03-14 00:22 UTC, Jeremy Allison
no flags Details
git-am fix for 4.0.x (22.44 KB, patch)
2013-03-15 22:00 UTC, Jeremy Allison
metze: review-
Details
git-am fix for master. (26.96 KB, patch)
2013-03-18 23:23 UTC, Jeremy Allison
no flags Details
git-am fix for master. (32.90 KB, patch)
2013-03-19 22:23 UTC, Jeremy Allison
no flags Details
Patches for master (34.43 KB, patch)
2013-03-20 16:49 UTC, Stefan Metzmacher
no flags Details
Additional patches for master (need discussion) (2.46 KB, patch)
2013-03-20 16:50 UTC, Stefan Metzmacher
no flags Details
Pathes for mater, preserving all the reviewed-by lines. (34.69 KB, patch)
2013-03-20 17:19 UTC, Jeremy Allison
no flags Details
git-am fix for 4.0.x. (34.69 KB, patch)
2013-03-20 19:39 UTC, Jeremy Allison
metze: review+
Details

Note You need to log in before you can comment on or make changes to this bug.
Description cube00 2013-03-09 12:04:12 UTC
Tried both ES File Explorer and AndSMB, viewing folders works. When opening any file I get "Parameter is incorrect".

Level 3 logging in the log.jcifs file shows:

[2013/03/09 22:39:26.192657,  3] ../source3/smbd/process.c:1392(switch_message)
  switch message SMBntcreateX (pid 6276) conn 0x1c55bb0
[2013/03/09 22:39:26.192806,  3] ../source3/smbd/vfs.c:1118(check_reduced_name)
  check_reduced_name [source.cpp] [/home/cube]
[2013/03/09 22:39:26.192896,  3] ../source3/smbd/vfs.c:1248(check_reduced_name)
  check_reduced_name: source.cpp reduced to /home/cube/source.cpp
[2013/03/09 22:39:26.193411,  3] ../source3/smbd/dosmode.c:160(unix_mode)
  unix_mode(source.cpp) returning 0744
[2013/03/09 22:39:26.194300,  2] ../source3/smbd/open.c:914(open_file)
  cube opened file source.cpp read=Yes write=No (numopen=1)
[2013/03/09 22:39:26.238194,  3] ../source3/smbd/process.c:1789(process_smb)
  Transaction 10 of length 63 (0 toread)
[2013/03/09 22:39:26.238474,  3] ../source3/smbd/process.c:1392(switch_message)
  switch message SMBreadX (pid 6276) conn 0x1c55bb0
[2013/03/09 22:39:26.238595,  3] ../source3/smbd/error.c:82(error_packet_set)
  NT error packet at ../source3/smbd/reply.c(3943) cmd=46 (SMBreadX) NT_STATUS_INVALID_PARAMETER
Comment 2 Volker Lendecke 2013-03-11 06:14:48 UTC
Please upload a debug level 10 log of smbd for both cases
Comment 3 cube00 2013-03-11 12:08:02 UTC
Created attachment 8627 [details]
Level 10 logs from smbd, nmbd and jcifs
Comment 4 Volker Lendecke 2013-03-11 17:04:04 UTC
This looks very unusual. The Read&X calls get INVALID_PARAMETER, but there is nothing in advance to that. Need to take a closer look.
Comment 5 Christian Ambach 2013-03-11 17:13:41 UTC
Try disabling "large readwrite" in your smb.conf to see if this makes the problem go away.
Comment 6 Christian Ambach 2013-03-11 17:17:53 UTC
Or disable "unix extensions" in the config to see if this makes it go away.
Comment 7 Jeremy Allison 2013-03-11 18:51:23 UTC
The problem is the client is sending the upper_size of the read as 0xFFFF.

  smb_vwv[ 5]= 8192 (0x2000)
  smb_vwv[ 6]= 8192 (0x2000)
  smb_vwv[ 7]=65535 (0xFFFF)
  smb_vwv[ 8]=65535 (0xFFFF)

It almost certainly shouldn't do this and it only wants an 8k read. We decide if we should pay attention to the upper_size (smb_vwv[ 7]) using the following code.

        /* Samba client ? No problem. */
        if (get_remote_arch() == RA_SAMBA) {
                return true;
        }
        /* Need UNIX extensions. */
        if (!lp_unix_extensions()) {
                return false;
        }
        return true;

so Christian is correct that setting "unix extensions = false" should fix this.

Jeremy.
Comment 8 Jeremy Allison 2013-03-11 19:17:18 UTC
However, the client isn't setting CAP_LARGE_READX in the sessionsetup. A MacOSX client does do this.

So I think the check for supporting large reads should actually look something like this to cope with all the supported clients.

        /* Samba client ? No problem. */
        if (get_remote_arch() == RA_SAMBA) {
                return true;
        }
        /* Need UNIX extensions. */
        if (!lp_unix_extensions()) {
                return false;
        }
        /* Need CAP_LARGE_READXCAP_LARGE_READX */
        return (global_client_caps & CAP_LARGE_READX);

Also, here is a really interesting tech note from MS-SMB.pdf

in the SMB_READ_AND_X section:

MaxCountHigh (2 bytes): This field is a 16-bit integer. If the read being requested is larger than 0xFFFF bytes in size, then the client MUST use the MaxCountHigh field to hold the two most significant bytes of the requested size, which allows for 32-bit read lengths to be requested when combined with MaxCountOfBytesToReturn. If the read is not larger than 0xFFFF bytes, then the client MUST set the MaxCountHigh to zero.<26>

<26> Section 2.2.4.2.1: Windows-based servers support MaxCountHigh, but ignore it if set to 0xFFFF.

So the follow-up code should explicitly ignore MaxCountHigh = 0xFFFF to match Windows.

Patch to follow.

Jeremy.
Comment 9 Jeremy Allison 2013-03-11 20:15:56 UTC
Created attachment 8631 [details]
git-am fix for master and 4.0.next
Comment 10 Jeremy Allison 2013-03-11 21:51:25 UTC
Created attachment 8632 [details]
Better git-am fix for master and 4.0.x

I think this one is more correct in detecting and allowing large reads.

Jeremy.
Comment 11 Jeremy Allison 2013-03-11 23:43:13 UTC
Not talking to Android is a major issue :-). Re-classifying as such.
Jeremy.
Comment 12 Jeremy Allison 2013-03-12 01:25:05 UTC
Thinking about it the only thing I can think of that might make the patch cleaner is removal of the check of lp_unix_extensions(), and always just look at the upper bytes if the client sent us CAP_LARGE_READX.

This is the only thing we looked at in 3.6.x and we never had these problems with that release :-).

Other Comments/reviews very welcome.

Jeremy.
Comment 13 Jeremy Allison 2013-03-12 01:26:33 UTC
(Whilst still leaving in place the check to ignore the upper value if it's 0xffff of course).

Jeremy.
Comment 14 Jeremy Allison 2013-03-12 16:25:24 UTC
Thinking about it, not working with Android clients is a blocker for 4.0.next.

Jeremy.
Comment 15 Jeremy Allison 2013-03-13 23:31:11 UTC
Created attachment 8637 [details]
git-am fix for 4.0.x and master

Ok, here's the patchset I think is correct.

It includes a new test suite, LARGE_READX which tests around the boundaries of large readX calls with read requests of:

0xFFFF0001 (which should return 1 byte).
0x10000 (which should always return 0x10000)
0x1FFFF (which returns 0x1FFFF on Samba, and 0x10000 on Windows)
0x100000 (which returns 0x100000 on Samba, and 0x10000 on Windows).

Small fix for 3.6.x to follow.

Jeremy.
Comment 16 Jeremy Allison 2013-03-14 00:22:36 UTC
Created attachment 8638 [details]
git-am fix for 3.6.next.

Minimal version for 3.6.next.
Comment 17 Jeremy Allison 2013-03-15 21:29:57 UTC
Comment on attachment 8638 [details]
git-am fix for 3.6.next.

This is a more complex problem than we should fix for 3.6.next (IMHO). Leave sleeping dogs alone as it works in 3.6.x and fix correctly in 4.0.next.
Comment 18 Jeremy Allison 2013-03-15 22:00:30 UTC
Created attachment 8651 [details]
git-am fix for 4.0.x

Fix for master fix posted to mailing list. This is the 4.0.x version.

Implements the short read restrictions correctly I think.

Please review.

Jeremy.
Comment 19 Stefan Metzmacher 2013-03-16 09:49:52 UTC
Comment on attachment 8651 [details]
git-am fix for 4.0.x

I'll comment on the mailing list, why I think we need more work on this one.
Comment 20 Jeremy Allison 2013-03-16 16:26:28 UTC
I'm all ears... But I'm getting a bit tired of being pushed back on this. If you're going to make objections I'd like to see a trace where the current patch fails. Apologies if you have this.

Jeremy.
Comment 21 Jeremy Allison 2013-03-16 16:35:14 UTC
Actually if you're going to NAK the patch you need to comment here, so we don't lose the history on this.

So please add any comments to the bug about the patch review *before* doing a NAK next time please.

Jeremy.
Comment 22 Jeremy Allison 2013-03-18 20:43:38 UTC
Keeping the discussion within the bug so we can track it.

> From a490a85376da04f73f50e036a6d1d3a969ac0367 Mon Sep 17 00:00:00 2001
> From: Jeremy Allison <jra@samba.org>
> Date: Wed, 13 Mar 2013 14:56:06 -0700
> Subject: [PATCH 01/10] Ensure we send CAP_LARGE_READX/CAP_LARGE_WRITEX to the
>  server on SMB1 sessionsetupX.
>
> A Windows client doesn't do this, but that's because they never do large
> reads/writes over SMB1. It's in the spec that this should occur, and
> Samba 3.6.x uses it. Also, MacOSX, CIFSFS and Android (jCIFS) honour
> this setting and send it. We need to as well in order to give servers
> a better idea of our capabilities.

All tests have shown that it should make no difference if the client
send CAP_LARGE_READX or CAP_LARGE_WRITEX. Even if the client doesn't
send it, it's possible to do large reads and write.

If the client doesn't support large reads or write it would just doesn't
trigger them, there's really nothing more a client need to tell the server.

That's why we should should just skip this patch.

> From e40984781f28ff25a7f7aec0d00fbf6fdb7e5cbb Mon Sep 17 00:00:00 2001
> From: Jeremy Allison <jra@samba.org>
> Date: Wed, 13 Mar 2013 15:23:52 -0700
> Subject: [PATCH 02/10] smb1cli_inbuf_parse_chain() and
> smb1cli_conn_dispatch_incoming() should use smb_len_tcp.

> They have to cope with large READX call replies that have
> a length greater than smb_len_nbt() can handle.

This one is fine.

> From 8796fa108100942089b5d29a3a856e69e2993248 Mon Sep 17 00:00:00 2001
> From: Jeremy Allison <jra@samba.org>
> Date: Fri, 15 Mar 2013 11:53:04 -0700
> Subject: [PATCH 03/10] Remove server_will_accept_large_read() and erroneous
> comment.
>
> We're going to replace this with a function that calculates
> the max PDU to return on a read and supports short reads.

This also looks good.


> Subject: [PATCH 07/10] Add set_XX() functions for fields we need to modify for
>  testing large READX.

Instead of fixing the connection values, we should just remove the silly
restriction
in cli_read_andx_create() that check for cli_read_max_bufsize(),
the server should just return a short read if wanted.

> From 094b76bc108da4cd001022d16cf2558fab208ea8 Mon Sep 17 00:00:00 2001
> From: Jeremy Allison <jra@samba.org>
> Date: Fri, 15 Mar 2013 11:57:48 -0700
> Subject: [PATCH 04/10] Add functions calc_max_read_pdu()/calc_read_size() to
>  work out the length we should return.
>
> LARGE_READX test shows it's always safe to return a short read.
> Windows does so. Do the calculations to return what will fit
> in a read depending on what the client negotiated.
>
> Conservative, in that if no flags are negotiated then the
> max read is set to default Win2K12 max_pdu size of 0x10000 + headers.
>
> Signed-off-by: Jeremy Allison <jra@samba.org>

(smb_size -4 + 12*2) seems to be wrong, which my modified version
I trigger the 0xffffff smb_panic in create_outbuf().

calc_max_read_pdu() should only calculate the max_pdu size and not the
0x10000 windows limitation, and it should not depend on
smb1.unix_info.client_cap_low nor on global_client_caps.

For the encrypted case we should use the max_send size from the client
instead.
The same applies to chained requests, which means we should not return a
short read
instead of an error for chained requests.

> From 69c288d13e76c7196c8c58dd375b2e1d6345f5fc Mon Sep 17 00:00:00 2001
> From: Jeremy Allison <jra@samba.org>
> Date: Wed, 13 Mar 2013 15:43:21 -0700
> Subject: [PATCH 08/10] Add new LARGE_READX test to investigate large SMBreadX
> behavior.

calc_expected_return() should check for CIFS_UNIX_LARGE_READ_CAP instead of
any value in cli->server_posix_capabilities, we also need to
fill call cli_unix_extensions_version() if the server returns CAP_UNIX.

I've attached my current patches, but they're not complete
and fail make test. I'll try to fix this tomorrow.

Thanks for your patience!

metze
Comment 23 Jeremy Allison 2013-03-18 20:44:00 UTC
On Mon, Mar 18, 2013 at 08:38:01PM +0100, Stefan (metze) Metzmacher wrote:
>
> All tests have shown that it should make no difference if the client
> send CAP_LARGE_READX or CAP_LARGE_WRITEX. Even if the client doesn't
> send it, it's possible to do large reads and write.
>
> If the client doesn't support large reads or write it would just doesn't
> trigger them, there's really nothing more a client need to tell the server.
>
> That's why we should should just skip this patch.

That's true for Samba clients to Windows servers. It's not
true for Samba or MacOS clients to Samba servers 3.6.x or
lower. In the v3-6-test code reply_read_and_X() we have:

       if (global_client_caps & CAP_LARGE_READX) {
                size_t upper_size = SVAL(req->vwv+7, 0);

- that's the only place we look at the upper bytes in
a SMBReadX call. So yes, it does matter.

Both older Samba client libraries, MacOSX client, CIFSFS
clients and jCIFS clients all correctly send (or not) the
CAP_LARGE_READX bit on the sessionsetupX request from
the client.

You changed that in the initial 4.0.x client code release.
I think that was a mistake, and we need to put it back. It
doesn't affect how Windows servers behave (or after we fix
this code how Samba servers will behave), but it's the correct
thing to do to inform servers (what they do with that knowledge
is up to them).

I'll keep one email reply per issue, so it's easier
not to have to wade through enourmous email threads :-).

Jeremy.
Comment 24 Jeremy Allison 2013-03-18 21:46:05 UTC
On Mon, Mar 18, 2013 at 08:38:01PM +0100, Stefan (metze) Metzmacher wrote:
> 
> (smb_size -4 + 12*2) seems to be wrong, which my modified version
> I trigger the 0xffffff smb_panic in create_outbuf().

Hmmm. Is that smb_panic check in create_outbuf() correct ?

The 0xFFFFFF restriction is on the bytes following the
4 byte 'type+length' header. We have type = 0, 3 bytes
of big endian length of packet following. So the max
length of the following packet, NOT INCLUDING THE 4
BYTE type+length field is 0xFFFFFF.

smb_size is the 35 byte SMB headers field + the 4 byte 'type+length' header == 39,
so when calculating max read length I think it really should be
max_read_length = 0xFFFFFF - (smb_size - 4 + num_words*2),
Substituting numerical values:

0xFFFFFF - (39 - 4 + 24) which is 16777156 == 0xFFFFC4 bytes.

Looks to me like the code in create_outbuf() is off by
the 4 byte type+length field and really should be:

        /*
         * Protect against integer wrap
         */
        if ((num_bytes > 0xffffff)
            || ((num_bytes + smb_size -4 + num_words*2) > 0xffffff)) {

I'll try that with your patches and do some more tests.

> calc_max_read_pdu() should only calculate the max_pdu size and not the
> 0x10000 windows limitation, and it should not depend on
> smb1.unix_info.client_cap_low nor on global_client_caps.

Ok, that's fair enough. We don't really have to look at
CAP_LARGE_READX on the server if we're using max_pdu.

> For the encrypted case we should use the max_send size from the client
> instead.
> The same applies to chained requests, which means we should not return a
> short read
> instead of an error for chained requests.

Good point - +1 on both of these changes.

> > From 69c288d13e76c7196c8c58dd375b2e1d6345f5fc Mon Sep 17 00:00:00 2001
> > From: Jeremy Allison <jra@samba.org>
> > Date: Wed, 13 Mar 2013 15:43:21 -0700
> > Subject: [PATCH 08/10] Add new LARGE_READX test to investigate large SMBreadX
> > behavior.
> 
> calc_expected_return() should check for CIFS_UNIX_LARGE_READ_CAP instead of
> any value in cli->server_posix_capabilities, we also need to
> fill call cli_unix_extensions_version() if the server returns CAP_UNIX.

That code is only checking for 'any value in cli->server_posix_capabilities'
due to the capabilities manipulation which removes the CIFS_UNIX_LARGE_READ_CAP
in server_posix_capabilitiesI added earlier to get around the
restrictions in cli_read_max_bufsize() that are triggered by the
cli->server_posix_capabilities & CIFS_UNIX_LARGE_READ_CAP check inside
that function.

Now you're proposed removing cli_read_max_bufsize() then I can
correctly check for cli->server_posix_capabilities & CIFS_UNIX_LARGE_READ_CAP
as I originally intended :-).

> I've attached my current patches, but they're not complete
> and fail make test. I'll try to fix this tomorrow.

I'll also update your patches and re-run tests.

Jeremy.
Comment 25 Jeremy Allison 2013-03-18 23:23:55 UTC
Created attachment 8659 [details]
git-am fix for master.

Updated, based on Metze's modifications. Adding here so we don't lose intermediate steps.

Jeremy.
Comment 26 Jeremy Allison 2013-03-19 22:23:59 UTC
Created attachment 8663 [details]
git-am fix for master.

Metze's latest patchset, with appropriate 'Reviewed-by' tags added.

Passes make test for me.

Jeremy.
Comment 27 Stefan Metzmacher 2013-03-19 23:49:41 UTC
(In reply to comment #26)
> Created attachment 8663 [details]
> git-am fix for master.
> 
> Metze's latest patchset, with appropriate 'Reviewed-by' tags added.
> 
> Passes make test for me.

Maybe the raw.read fix was enough, I didn't had time to run a test with it...
Comment 28 Jeremy Allison 2013-03-20 16:21:54 UTC
Well I'm not getting any problem now, so I'm happy to push if you give this a + on the review.

I'll upload the same version modified for 4.0.x so we can get this into 4.0.next once you're ok with the master version.

Jeremy.
Comment 29 Stefan Metzmacher 2013-03-20 16:49:53 UTC
Created attachment 8664 [details]
Patches for master

This passes autobuild for me, but I'd like to propose some additional patches on top later.
Comment 30 Stefan Metzmacher 2013-03-20 16:50:35 UTC
Created attachment 8665 [details]
Additional patches for master (need discussion)
Comment 31 Jeremy Allison 2013-03-20 16:55:13 UTC
Comment on attachment 8664 [details]
Patches for master

Sigh. You lost the additional "Reviwed-by" tags I added which I'll have to go back and re-add before pushing. That's a bit of a waste of my time, so I wish you'd just worked on top of the last version I posted.

Secondly. without me having to go through an re-diff all the different versions, can you tell me what is the difference between this version and the last version I uploaded please ?

Jeremy.
Comment 32 Jeremy Allison 2013-03-20 17:02:52 UTC
Comment on attachment 8664 [details]
Patches for master

Never mind. I just did the diff. Essentially the only differences are the changes in the source4/torture/raw/read.c code to add the samba3/samba4 checks. All other parts of the patch are identical (except for the Reviewed-by's). I'll re-merge the source4/torture/raw/read.c changes, add the additional Reviewed-by's and push.

Jeremy.
Comment 33 Jeremy Allison 2013-03-20 17:19:49 UTC
Created attachment 8666 [details]
Pathes for mater, preserving all the reviewed-by lines.

Planning to push to autobuild once it passes make test here.
Jeremy.
Comment 34 Jeremy Allison 2013-03-20 18:18:03 UTC
Comment on attachment 8665 [details]
Additional patches for master (need discussion)

Ok, I'm not fond of these changes. I don't think we should restrict ourselves to Windows-size replies.

There are existing clients out there that use our large read ability to reduce latency on slow links. It's an advantage of our implementation I don't think we should attach to the unix extensions.

Jeremy
Comment 35 Jeremy Allison 2013-03-20 19:39:50 UTC
Created attachment 8667 [details]
git-am fix for 4.0.x.

Version of the patch I've pushed to autobuild for master, back-ported to 4.0.next (only change is samba_tevent_context_init() -> tevent_context_init) in the LARGE_READX change.

Jeremy.
Comment 36 Stefan Metzmacher 2013-03-21 08:06:56 UTC
Comment on attachment 8667 [details]
git-am fix for 4.0.x.

Looks good
Comment 37 Stefan Metzmacher 2013-03-21 08:12:19 UTC
(In reply to comment #34)
> Comment on attachment 8665 [details]
> Additional patches for master (need discussion)
> 
> Ok, I'm not fond of these changes. I don't think we should restrict ourselves
> to Windows-size replies.
> 
> There are existing clients out there that use our large read ability to reduce
> latency on slow links. It's an advantage of our implementation I don't think we
> should attach to the unix extensions.

As far as I know all this existing clients are unix clients.

I mean unix extensions are on by default and if someone wants to
disable them, we should really behave like a windows server.
That makes it much easier to compare captures, if there're problems...

metze
Comment 38 Stefan Metzmacher 2013-03-21 08:13:44 UTC
Karolin, please pick the fix for 4.0.x
Comment 39 Karolin Seeger 2013-03-21 08:48:06 UTC
Pushed to autobuild-v4-0-test.
Comment 40 Karolin Seeger 2013-03-21 10:54:13 UTC
Pushed to v4-0-test.
Closing out bug report.

Thanks!