From c96550b6d3b663afb37b0d65480b645ab1cff362 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 5 Jan 2021 14:55:12 -0800 Subject: [PATCH 1/2] libcli: In smb2_signing_check_pdu() cause a badly formatted packet to return NT_STATUS_INVALID_NETWORK_RESPONSE, not NT_STATUS_INVALID_PARAMETER. NetApp Ontap 7.4 returns NT_STATUS_INVALID_PARAMETER for an ioctl FSCTL_VALIDATE_NEGOTIATE_INFO as they don't support the FSCTL_VALIDATE_NEGOTIATE_INFO request. This violates the protocol spec. However, the Windows 10 client handles this. Change the error code for a badly formatted packet to not use NT_STATUS_INVALID_PARAMETER. The error codes that are treated specially by the client dispatch code and can be returned by a non-signed packet are: - NT_STATUS_USER_SESSION_DELETED - NT_STATUS_INVALID_PARAMETER - NT_STATUS_NETWORK_NAME_DELETED - NT_STATUS_FILE_CLOSED So ensure smb2_signing_check_pdu() doesn't return any of them as part of it's error return so we can still tell if a PDU was correctly signed. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14607 Signed-off-by: Jeremy Allison --- libcli/smb/smb2_signing.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libcli/smb/smb2_signing.c b/libcli/smb/smb2_signing.c index 6ece5f2e4d3..d810d6485ea 100644 --- a/libcli/smb/smb2_signing.c +++ b/libcli/smb/smb2_signing.c @@ -190,11 +190,11 @@ NTSTATUS smb2_signing_check_pdu(struct smb2_signing_key *signing_key, int i; if (count < 2) { - return NT_STATUS_INVALID_PARAMETER; + return NT_STATUS_INVALID_NETWORK_RESPONSE; } if (vector[0].iov_len != SMB2_HDR_BODY) { - return NT_STATUS_INVALID_PARAMETER; + return NT_STATUS_INVALID_NETWORK_RESPONSE; } hdr = (const uint8_t *)vector[0].iov_base; -- 2.27.0 From e6f20f6ad27dd98e5f95361efc5e4abd6dc0137d Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 6 Jan 2021 09:03:05 -0800 Subject: [PATCH 2/2] libcli: Allow smb2cli_validate_negotiate_info_done() to ignore NT_STATUS_INVALID_PARAMETER. This can be returned from NetApp Ontap 7.4 SMB server implementations. Now we have ensured smb2_signing_check_pdu() cannot return NT_STATUS_INVALID_PARAMETER on a signing error it's safe to check this error code here. Windows 10 clients ignore this error from the NetApp. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14607 Signed-off-by: Jeremy Allison --- libcli/smb/smbXcli_base.c | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c index 0fc4aa4451a..c3fd486e66d 100644 --- a/libcli/smb/smbXcli_base.c +++ b/libcli/smb/smbXcli_base.c @@ -5428,6 +5428,18 @@ static void smb2cli_validate_negotiate_info_done(struct tevent_req *subreq) &state->out_input_buffer, &state->out_output_buffer); TALLOC_FREE(subreq); + + /* + * This response must be signed correctly for + * these "normal" error codes to be processed. + * If the packet wasn't signed correctly we will get + * NT_STATUS_ACCESS_DENIED or NT_STATUS_HMAC_NOT_SUPPORTED, + * or NT_STATUS_INVALID_NETWORK_RESPONSE + * from smb2_signing_check_pdu(). + * + * We must never ignore the above errors here. + */ + if (NT_STATUS_EQUAL(status, NT_STATUS_FILE_CLOSED)) { /* * The response was signed, but not supported @@ -5473,6 +5485,19 @@ static void smb2cli_validate_negotiate_info_done(struct tevent_req *subreq) tevent_req_done(req); return; } + if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) { + /* + * The response was signed, but not supported + * + * This might be returned by NetApp Ontap 7.4 SMB server + * implementations. + * + * BUG: https://bugzilla.samba.org/show_bug.cgi?id=14607 + * + */ + tevent_req_done(req); + return; + } if (tevent_req_nterror(req, status)) { return; } -- 2.27.0