From 88d66fe8d2b81a72cedd0a1bc7b26deb588b0672 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Thu, 7 Nov 2019 09:06:52 -0800
Subject: [PATCH 1/4] s3: smbd: smb2 cleanup - fix debug message in smbd_smb2_request_pending_timer().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14189
Signed-off-by: Jeremy Allison
---
 source3/smbd/smb2_server.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c
index 130fe5048c0..c1530e17751 100644
--- a/source3/smbd/smb2_server.c
+++ b/source3/smbd/smb2_server.c
@@ -1627,10 +1627,10 @@ static void smbd_smb2_request_pending_timer(struct tevent_context *ev,
 SIVAL(outhdr, SMB2_HDR_FLAGS, flags | SMB2_HDR_FLAG_ASYNC);
 SBVAL(outhdr, SMB2_HDR_ASYNC_ID, async_id);
- DEBUG(10,("smbd_smb2_request_pending_queue: opcode[%s] mid %llu "
+ DBG_DEBUG("opcode[%s] mid %llu "
 "going async\n",
 smb2_opcode_name(SVAL(inhdr, SMB2_HDR_OPCODE)),
- (unsigned long long)async_id ));
+ (unsigned long long)async_id );
 /*
 * What we send is identical to a smbd_smb2_request_error
-- 
2.24.0.rc1.363.gb1bccd3e3d-goog
From 87e5bf233f65de91580ff458b072304031fbd9bc Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Thu, 7 Nov 2019 09:13:12 -0800
Subject: [PATCH 2/4] s3: smbd: smb2 cleanup - remove variable tf_len - this is a constant SMB2_TF_HDR_SIZE.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14189
Signed-off-by: Jeremy Allison
---
 source3/smbd/smb2_server.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c
index c1530e17751..f7288cfe2cb 100644
--- a/source3/smbd/smb2_server.c
+++ b/source3/smbd/smb2_server.c
@@ -1600,7 +1600,6 @@ static void smbd_smb2_request_pending_timer(struct tevent_context *ev,
 uint8_t *outhdr = NULL;
 const uint8_t *inhdr = NULL;
 uint8_t *tf = NULL;
- size_t tf_len = 0;
 uint8_t *hdr = NULL;
 uint8_t *body = NULL;
 uint8_t *dyn = NULL;
@@ -1646,7 +1645,6 @@ static void smbd_smb2_request_pending_timer(struct tevent_context *ev,
 }
 tf = state->buf + NBT_HDR_SIZE;
- tf_len = SMB2_TF_HDR_SIZE;
 hdr = tf + SMB2_TF_HDR_SIZE;
 body = hdr + SMB2_HDR_BODY;
@@ -1696,7 +1694,8 @@ static void smbd_smb2_request_pending_timer(struct tevent_context *ev,
 if (req->do_encryption) {
 state->vector[1+SMBD_SMB2_TF_IOV_OFS].iov_base = tf;
- state->vector[1+SMBD_SMB2_TF_IOV_OFS].iov_len = tf_len;
+ state->vector[1+SMBD_SMB2_TF_IOV_OFS].iov_len =
+ SMB2_TF_HDR_SIZE;
 } else {
 state->vector[1+SMBD_SMB2_TF_IOV_OFS].iov_base = NULL;
 state->vector[1+SMBD_SMB2_TF_IOV_OFS].iov_len = 0;
-- 
2.24.0.rc1.363.gb1bccd3e3d-goog
From d313f330825726dc1656fb5c4f79df9372ceb811 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Thu, 7 Nov 2019 09:16:44 -0800
Subject: [PATCH 3/4] s3: smbd: smb2 cleanup - restructure smbd_smb2_request_pending_timer() encrypt code to look the same as smbd_smb2_request_reply().
This makes code changes in both (if needed) much easier to spot.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14189
Signed-off-by: Jeremy Allison
---
 source3/smbd/smb2_server.c | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c
index f7288cfe2cb..8e95d48add5 100644
--- a/source3/smbd/smb2_server.c
+++ b/source3/smbd/smb2_server.c
@@ -1604,10 +1604,7 @@ static void smbd_smb2_request_pending_timer(struct tevent_context *ev,
 uint8_t *body = NULL;
 uint8_t *dyn = NULL;
 uint32_t flags = 0;
- uint64_t session_id = 0;
 uint64_t message_id = 0;
- uint64_t nonce_high = 0;
- uint64_t nonce_low = 0;
 uint64_t async_id = 0;
 NTSTATUS status;
 bool ok;
@@ -1619,7 +1616,6 @@ static void smbd_smb2_request_pending_timer(struct tevent_context *ev,
 outhdr = SMBD_SMB2_OUT_HDR_PTR(req);
 flags = IVAL(outhdr, SMB2_HDR_FLAGS);
 message_id = BVAL(outhdr, SMB2_HDR_MESSAGE_ID);
- session_id = BVAL(outhdr, SMB2_HDR_SESSION_ID);
 async_id = message_id; /* keep it simple for now... */
@@ -1651,6 +1647,10 @@ static void smbd_smb2_request_pending_timer(struct tevent_context *ev,
 dyn = body + 8;
 if (req->do_encryption) {
+ uint64_t nonce_high = 0;
+ uint64_t nonce_low = 0;
+ uint64_t session_id = BVAL(outhdr, SMB2_HDR_SESSION_ID);
+
 status = smb2_get_new_nonce(req->session, &nonce_high, &nonce_low);
@@ -1659,12 +1659,12 @@ static void smbd_smb2_request_pending_timer(struct tevent_context *ev,
 nt_errstr(status));
 return;
 }
- }
- SIVAL(tf, SMB2_TF_PROTOCOL_ID, SMB2_TF_MAGIC);
- SBVAL(tf, SMB2_TF_NONCE+0, nonce_low);
- SBVAL(tf, SMB2_TF_NONCE+8, nonce_high);
- SBVAL(tf, SMB2_TF_SESSION_ID, session_id);
+ SIVAL(tf, SMB2_TF_PROTOCOL_ID, SMB2_TF_MAGIC);
+ SBVAL(tf, SMB2_TF_NONCE+0, nonce_low);
+ SBVAL(tf, SMB2_TF_NONCE+8, nonce_high);
+ SBVAL(tf, SMB2_TF_SESSION_ID, session_id);
+ }
 SIVAL(hdr, SMB2_HDR_PROTOCOL_ID, SMB2_MAGIC);
 SSVAL(hdr, SMB2_HDR_LENGTH, SMB2_HDR_BODY);
-- 
2.24.0.rc1.363.gb1bccd3e3d-goog
From 8d059b1cdacce63af39d2fb2f92b6401416e5f61 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Thu, 7 Nov 2019 09:17:58 -0800
Subject: [PATCH 4/4] s3: smbd: smb2 - ensure we use the correct session_id if encrypting an interim response.
This is the core of the bug fix for the bug below.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14189
Signed-off-by: Jeremy Allison
---
 source3/smbd/smb2_server.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c
index 8e95d48add5..ff7d091dd3e 100644
--- a/source3/smbd/smb2_server.c
+++ b/source3/smbd/smb2_server.c
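Review bot: In the hunk at -1659, moving the four transform-header writes inside `if (req->do_encryption)` leaves the bytes at `tf` unpopulated on the unencrypted path, and nothing at this spot says why that is acceptable; it is only safe because the TF iovec for that slot is set to `NULL`/`0` in the `else` branch further down the function (visible in the PATCH 2/4 hunk at -1696). I would add `/* tf is only filled in when encrypting; the TF iov is NULL/0 otherwise. */` above the `SIVAL(tf, SMB2_TF_PROTOCOL_ID, SMB2_TF_MAGIC);` line. The commit message says the block is meant to mirror smbd_smb2_request_reply(), which is worth recording in the code as `/* keep in step with smbd_smb2_request_reply() */` on the `if (req->do_encryption) {` line so a later edit to one is not silently missed in the other. smbd_smb2_request_pending_timer() begins before and continues past these hunks.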
@@ -1649,7 +1649,7 @@ static void smbd_smb2_request_pending_timer(struct tevent_context *ev,
 if (req->do_encryption) {
 uint64_t nonce_high = 0;
 uint64_t nonce_low = 0;
- uint64_t session_id = BVAL(outhdr, SMB2_HDR_SESSION_ID);
+ uint64_t session_id = req->session->global->session_wire_id;;
 status = smb2_get_new_nonce(req->session, &nonce_high,
-- 
2.24.0.rc1.363.gb1bccd3e3d-goog
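Review bot: The added line ends in a doubled semicolon, `session_wire_id;;`, which compiles to a stray empty statement and should read `uint64_t session_id = req->session->global->session_wire_id;`. Since this one line is the actual fix for bug 14189, the reason for taking the session's wire id rather than the `SMB2_HDR_SESSION_ID` field of `outhdr` deserves a comment next to it, e.g. `/* Use the session's wire id, not outhdr's session id, which is wrong for an encrypted interim response (bug 14189). */` — the commit message explains this but the code does not. `req->session` and `req->session->global` are dereferenced unconditionally here (as `smb2_get_new_nonce(req->session, ...)` already did); presumably `do_encryption` is only set once a session is attached, but if that is not guaranteed a NULL check belongs before this line. The enclosing function starts before and continues past the hunk.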