From 8f18ecf67821f968e6d413f3041dab3779b041a0 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 11 Jan 2021 10:01:39 +0100 Subject: [PATCH 1/6] libcli/smb: Change some checks to SMB_ASSERTS If we end up here, it's definitely a programming error in the basic parsing layer of the SMB2 packet. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14607 Signed-off-by: Stefan Metzmacher Reviewed-by: Volker Lendecke (cherry picked from commit fdcdfceefdd3186ef0b70bb6e83dddc8f4c073db) --- libcli/smb/smb2_signing.c | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/libcli/smb/smb2_signing.c b/libcli/smb/smb2_signing.c index cc03607d789..230475480c2 100644 --- a/libcli/smb/smb2_signing.c +++ b/libcli/smb/smb2_signing.c @@ -189,13 +189,8 @@ NTSTATUS smb2_signing_check_pdu(struct smb2_signing_key *signing_key, static const uint8_t zero_sig[16] = { 0, }; int i; - if (count < 2) { - return NT_STATUS_INVALID_PARAMETER; - } - - if (vector[0].iov_len != SMB2_HDR_BODY) { - return NT_STATUS_INVALID_PARAMETER; - } + SMB_ASSERT(count >= 2); + SMB_ASSERT(vector[0].iov_len == SMB2_HDR_BODY); hdr = (const uint8_t *)vector[0].iov_base; -- 2.27.0 From 51ab77c50034e017ae7c2c71bf08f1a22a223534 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 6 Jan 2021 09:03:05 -0800 Subject: [PATCH 2/6] libcli/smb: Allow smb2cli_validate_negotiate_info_done() to ignore NT_STATUS_INVALID_PARAMETER. This can be returned from NetApp Ontap 7.3.7 SMB server implementations. Now we have ensured smb2_signing_check_pdu() cannot return NT_STATUS_INVALID_PARAMETER on a signing error it's safe to check this error code here. Windows 10 clients ignore this error from the NetApp. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14607 Signed-off-by: Jeremy Allison Reviewed-by: Volker Lendecke Reviewed-by: Stefan Metzmacher (cherry picked from commit 0abb5ca6b96c843909dea56d5594e334547ae90f) --- libcli/smb/smbXcli_base.c | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) 
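Review bot: The two `SMB_ASSERT` lines in smb2_signing_check_pdu() have no comment saying that `count` and `vector[0].iov_len` are guaranteed by the caller's PDU parsing, and that a violation now stops the process instead of returning a status. I would add `/* Callers pass an already-parsed PDU: vector[0] is the SMB2 header and count >= 2. A violation is a caller bug, hence an assert and not a status. */` above them. The rest of the function is outside this hunk, so it is worth confirming that no remaining path returns NT_STATUS_INVALID_PARAMETER. The next patch in the series treats that status as ignorable in smb2cli_validate_negotiate_info_done().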
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c index 7d2da4b9ebc..4909797543c 100644 --- a/libcli/smb/smbXcli_base.c +++ b/libcli/smb/smbXcli_base.c @@ -5420,6 +5420,18 @@ static void smb2cli_validate_negotiate_info_done(struct tevent_req *subreq) &state->out_input_buffer, &state->out_output_buffer); TALLOC_FREE(subreq); + + /* + * This response must be signed correctly for + * these "normal" error codes to be processed. + * If the packet wasn't signed correctly we will get + * NT_STATUS_ACCESS_DENIED or NT_STATUS_HMAC_NOT_SUPPORTED, + * or NT_STATUS_INVALID_NETWORK_RESPONSE + * from smb2_signing_check_pdu(). + * + * We must never ignore the above errors here. + */ + if (NT_STATUS_EQUAL(status, NT_STATUS_FILE_CLOSED)) { /* * The response was signed, but not supported @@ -5465,6 +5477,19 @@ static void smb2cli_validate_negotiate_info_done(struct tevent_req *subreq) tevent_req_done(req); return; } + if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) { + /* + * The response was signed, but not supported + * + * This might be returned by NetApp Ontap 7.3.7 SMB server + * implementations. + * + * BUG: https://bugzilla.samba.org/show_bug.cgi?id=14607 + * + */ + tevent_req_done(req); + return; + } if (tevent_req_nterror(req, status)) { return; } -- 2.27.0 From f9352649280539aaad7d4bc1bdbd97c1a923383a Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 14 Jan 2021 17:27:21 +0100 Subject: [PATCH 3/6] libcli/smb: split out smb2cli_ioctl_parse_buffer() BUG: https://bugzilla.samba.org/show_bug.cgi?id=14607 Pair-Programmed-With: Volker Lendecke Signed-off-by: Stefan Metzmacher Signed-off-by: Volker Lendecke (cherry picked from commit 508ed5b42c23f8b3d9730d838bd921cb73c61358) --- libcli/smb/smb2cli_ioctl.c | 190 +++++++++++++++++++++---------------- 1 file changed, 110 insertions(+), 80 deletions(-) diff --git a/libcli/smb/smb2cli_ioctl.c b/libcli/smb/smb2cli_ioctl.c index 2b572baeb23..6368bd31bc2 100644 --- a/libcli/smb/smb2cli_ioctl.c 
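Review bot: The comment on the new `NT_STATUS_INVALID_PARAMETER` branch in the second hunk does not state the invariant the branch depends on. The branch completes the validate-negotiate request as success, which is safe only if smb2_signing_check_pdu() never produces that status for a badly signed response. Its first line, "The response was signed, but not supported", also repeats the wording of the first branch's comment. I would reword it to `/* The response was signed, but the server rejected the request with INVALID_PARAMETER. Ignoring it is only safe because smb2_signing_check_pdu() never returns this status. */`. The status list in the first hunk's comment has to be kept in step with smb2_signing_check_pdu() by hand, and both hunks sit in the middle of a function whose start and end are outside the diff.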
+++ b/libcli/smb/smb2cli_ioctl.c @@ -160,6 +160,80 @@ struct tevent_req *smb2cli_ioctl_send(TALLOC_CTX *mem_ctx, return req; } +static NTSTATUS smb2cli_ioctl_parse_buffer(uint32_t dyn_offset, + const DATA_BLOB dyn_buffer, + uint32_t min_offset, + uint32_t buffer_offset, + uint32_t buffer_length, + uint32_t max_length, + uint32_t *next_offset, + DATA_BLOB *buffer) +{ + uint32_t offset; + bool oob; + + *buffer = data_blob_null; + *next_offset = dyn_offset; + + if (buffer_offset == 0) { + /* + * If the offset is 0, we better ignore + * the buffer_length field. + */ + return NT_STATUS_OK; + } + + if (buffer_length == 0) { + /* + * If the length is 0, we better ignore + * the buffer_offset field. + */ + return NT_STATUS_OK; + } + + SMB_ASSERT(min_offset >= dyn_offset); + if (buffer_offset != min_offset) { + return NT_STATUS_INVALID_NETWORK_RESPONSE; + } + + /* + * Make [input|output]_buffer_offset relative to "dyn_buffer" + */ + offset = buffer_offset - dyn_offset; + oob = smb_buffer_oob(dyn_buffer.length, offset, buffer_length); + if (oob) { + return NT_STATUS_INVALID_NETWORK_RESPONSE; + } + + /* + * Give the caller a hint what we consumed, + * the caller may need to add possible padding. + */ + *next_offset = buffer_offset + buffer_length; + + if (max_length == 0) { + /* + * If max_input_length is 0 we ignore the + * input_buffer_length, because Windows 2008 echos the + * DCERPC request from the requested input_buffer to + * the response input_buffer. + * + * We just use the same logic also for max_output_length... + */ + buffer_length = 0; + } + + if (buffer_length > max_length) { + return NT_STATUS_INVALID_NETWORK_RESPONSE; + } + + *buffer = (DATA_BLOB) { + .data = dyn_buffer.data + offset, + .length = buffer_length, + }; + return NT_STATUS_OK; +} + static void smb2cli_ioctl_done(struct tevent_req *subreq) { struct tevent_req *req = 
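Review bot: `SMB_ASSERT(min_offset >= dyn_offset)` in smb2cli_ioctl_parse_buffer() guards a value that, for the output buffer, the caller derives from the server-supplied input offset and length (`*next_offset = buffer_offset + buffer_length`, then rounded up to 8). The invariant holds only while that 32-bit sum and the rounding cannot wrap, which depends on a PDU size limit not visible in this diff. Every other malformed-response case in the helper returns a status, so I would do the same here: `if (min_offset < dyn_offset) { return NT_STATUS_INVALID_NETWORK_RESPONSE; }`. A short header comment naming which parameters come from the wire (`buffer_offset`, `buffer_length`) and which are computed locally (`dyn_offset`, `min_offset`, `max_length`) would also help the next reader.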
@@ -169,15 +243,19 @@ static void smb2cli_ioctl_done(struct tevent_req *subreq) tevent_req_data(req, struct smb2cli_ioctl_state); NTSTATUS status; + NTSTATUS error; struct iovec *iov; uint8_t *fixed; - uint8_t *dyn; - size_t dyn_len; + DATA_BLOB dyn_buffer = data_blob_null; uint32_t dyn_ofs = SMB2_HDR_BODY + 0x30; + uint32_t input_min_offset; uint32_t input_buffer_offset; uint32_t input_buffer_length; + uint32_t input_next_offset; + uint32_t output_min_offset; uint32_t output_buffer_offset; uint32_t output_buffer_length; + uint32_t output_next_offset; static const struct smb2cli_req_expected_response expected[] = { { .status = NT_STATUS_OK, 
@@ -247,92 +325,44 @@ static void smb2cli_ioctl_done(struct tevent_req *subreq) state->recv_iov = iov; fixed = (uint8_t *)iov[1].iov_base; - dyn = (uint8_t *)iov[2].iov_base; - dyn_len = iov[2].iov_len; + dyn_buffer = data_blob_const((uint8_t *)iov[2].iov_base, + iov[2].iov_len); input_buffer_offset = IVAL(fixed, 0x18); input_buffer_length = IVAL(fixed, 0x1C); output_buffer_offset = IVAL(fixed, 0x20); output_buffer_length = IVAL(fixed, 0x24); - if ((input_buffer_offset > 0) && (input_buffer_length > 0)) { - uint32_t ofs; - - if (input_buffer_offset != dyn_ofs) { - tevent_req_nterror( - req, NT_STATUS_INVALID_NETWORK_RESPONSE); - return; - } - - ofs = input_buffer_length; - ofs = NDR_ROUND(ofs, 8); - - if (state->max_input_length == 0) { - /* - * If max_input_length is 0 we ignore - * the input_buffer_length, because - * Windows 2008 echos the DCERPC request - * from the requested input_buffer - * to the response input_buffer. - */ - input_buffer_length = 0; - } - - if (input_buffer_length > dyn_len) { - tevent_req_nterror( - req, NT_STATUS_INVALID_NETWORK_RESPONSE); - return; - } - - if (input_buffer_length > state->max_input_length) { - tevent_req_nterror( - req, NT_STATUS_INVALID_NETWORK_RESPONSE); - return; - } - - state->out_input_buffer.data = dyn; - state->out_input_buffer.length = input_buffer_length; - - if (ofs > dyn_len) { - tevent_req_nterror( - req, NT_STATUS_INVALID_NETWORK_RESPONSE); - return; - } - - dyn_ofs += ofs; - dyn += ofs; - dyn_len -= ofs; + input_min_offset = dyn_ofs; + input_next_offset = dyn_ofs; + error = smb2cli_ioctl_parse_buffer(dyn_ofs, + dyn_buffer, + input_min_offset, + input_buffer_offset, + input_buffer_length, + state->max_input_length, + &input_next_offset, + &state->out_input_buffer); + if (tevent_req_nterror(req, error)) { + return; } - if ((output_buffer_offset > 0) && (output_buffer_length > 0)) { - if (output_buffer_offset != dyn_ofs) { - tevent_req_nterror( - req, NT_STATUS_INVALID_NETWORK_RESPONSE); - return; - } - - if 
(state->max_output_length == 0) { - /* - * We do the same logic as for - * max_input_length. - */ - output_buffer_length = 0; - } - - if (output_buffer_length > dyn_len) { - tevent_req_nterror( - req, NT_STATUS_INVALID_NETWORK_RESPONSE); - return; - } - - if (output_buffer_length > state->max_output_length) { - tevent_req_nterror( - req, NT_STATUS_INVALID_NETWORK_RESPONSE); - return; - } - - state->out_output_buffer.data = dyn; - state->out_output_buffer.length = output_buffer_length; + /* + * If output data is returned, the output offset MUST be set to + * InputOffset + InputCount rounded up to a multiple of 8. + */ + output_min_offset = NDR_ROUND(input_next_offset, 8); + output_next_offset = 0; /* this variable is completely ignored */ + error = smb2cli_ioctl_parse_buffer(dyn_ofs, + dyn_buffer, + output_min_offset, + output_buffer_offset, + output_buffer_length, + state->max_output_length, + &output_next_offset, + &state->out_output_buffer); + if (tevent_req_nterror(req, error)) { + return; } state->out_valid = true; -- 2.27.0 From 2bac28d4841b02f4253afed43c0f1392957cd869 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 14 Jan 2021 17:39:18 +0100 Subject: [PATCH 4/6] s4:torture/smb2: add samba3.smb2.ioctl.bug14607 FSCTL_SMBTORTURE_IOCTL_RESPONSE_BODY_PADDING8 will be used to trigger an SMB2 IOCTL response with extra padding. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14607 Signed-off-by: Stefan Metzmacher Reviewed-by: Volker Lendecke (cherry picked from commit 3db566026bcc0bff87acae762211e1c49220dc82) --- libcli/smb/smb_constants.h | 2 ++ source4/torture/smb2/ioctl.c | 53 ++++++++++++++++++++++++++++++++++++ 2 files changed, 55 insertions(+) diff --git a/libcli/smb/smb_constants.h b/libcli/smb/smb_constants.h index b424b13cde4..d2345f094e1 100644 --- a/libcli/smb/smb_constants.h +++ b/libcli/smb/smb_constants.h 
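Review bot: `output_next_offset` exists only to satisfy the helper's out-parameter and is never read, as its own comment says. The assignment `input_next_offset = dyn_ofs;` is also redundant, because smb2cli_ioctl_parse_buffer() sets `*next_offset` before any return. Letting the helper accept a NULL `next_offset` (`if (next_offset != NULL) { *next_offset = ...; }`) would remove the dummy variable and its explanatory comment. smb2cli_ioctl_done() starts and ends outside this hunk.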
@@ -589,6 +589,8 @@ enum csc_policy { #define FSCTL_SMBTORTURE 0x83840000 #define FSCTL_SMBTORTURE_FORCE_UNACKED_TIMEOUT \ (FSCTL_SMBTORTURE | FSCTL_ACCESS_WRITE | 0x0000 | FSCTL_METHOD_NEITHER) +#define FSCTL_SMBTORTURE_IOCTL_RESPONSE_BODY_PADDING8 \ + (FSCTL_SMBTORTURE | FSCTL_ACCESS_WRITE | 0x0010 | FSCTL_METHOD_NEITHER) /* * A few values from [MS-FSCC] 2.1.2.1 Reparse Tags diff --git a/source4/torture/smb2/ioctl.c b/source4/torture/smb2/ioctl.c index eed81d1f598..1de5179e336 100644 --- a/source4/torture/smb2/ioctl.c +++ b/source4/torture/smb2/ioctl.c 
@@ -6794,6 +6794,57 @@ static bool test_ioctl_dup_extents_dest_lck(struct torture_context *tctx, return true; } +/* + basic regression test for BUG 14607 + https://bugzilla.samba.org/show_bug.cgi?id=14607 +*/ +static bool test_ioctl_bug14607(struct torture_context *torture, + struct smb2_tree *tree) +{ + TALLOC_CTX *tmp_ctx = talloc_new(tree); + uint32_t timeout_msec; + NTSTATUS status; + DATA_BLOB out_input_buffer = data_blob_null; + DATA_BLOB out_output_buffer = data_blob_null; + + timeout_msec = tree->session->transport->options.request_timeout * 1000; + + status = smb2cli_ioctl(tree->session->transport->conn, + timeout_msec, + tree->session->smbXcli, + tree->smbXcli, + UINT64_MAX, /* in_fid_persistent */ + UINT64_MAX, /* in_fid_volatile */ + FSCTL_SMBTORTURE_IOCTL_RESPONSE_BODY_PADDING8, + 0, /* in_max_input_length */ + NULL, /* in_input_buffer */ + 1, /* in_max_output_length */ + NULL, /* in_output_buffer */ + SMB2_IOCTL_FLAG_IS_FSCTL, + tmp_ctx, + &out_input_buffer, + &out_output_buffer); + if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED) || + NT_STATUS_EQUAL(status, NT_STATUS_FILE_CLOSED) || + NT_STATUS_EQUAL(status, NT_STATUS_FS_DRIVER_REQUIRED) || + NT_STATUS_EQUAL(status, NT_STATUS_INVALID_DEVICE_REQUEST)) + { + torture_comment(torture, + "FSCTL_SMBTORTURE_IOCTL_RESPONSE_BODY_PADDING8: %s\n", + nt_errstr(status)); + torture_skip(torture, "server doesn't support FSCTL_SMBTORTURE_IOCTL_RESPONSE_BODY_PADDING8\n"); + } + torture_assert_ntstatus_ok(torture, status, "FSCTL_SMBTORTURE_IOCTL_RESPONSE_BODY_PADDING8"); + + torture_assert_int_equal(torture, out_output_buffer.length, 1, + "output length"); + torture_assert_int_equal(torture, out_output_buffer.data[0], 8, + "output buffer byte should be 8"); + + talloc_free(tmp_ctx); + return true; +} + /* * testing of SMB2 ioctls */ 
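Review bot: test_ioctl_bug14607() asserts only on the output buffer, so the input half of the client parser is not pinned. The request sets `in_max_input_length` to 0, and the returned input buffer should then be empty: `torture_assert_int_equal(torture, out_input_buffer.length, 0, "input length");`. The skip and assert macros return before `talloc_free(tmp_ctx)` is reached, so on those paths the context is released only when its talloc parent `tree` goes away. The test covers the accepted padding case only. Responses that the client should reject are not exercised here.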
@@ -6939,6 +6990,8 @@ struct torture_suite *torture_smb2_ioctl_init(TALLOC_CTX *ctx) test_ioctl_dup_extents_src_lck); torture_suite_add_1smb2_test(suite, "dup_extents_dest_lock", test_ioctl_dup_extents_dest_lck); + torture_suite_add_1smb2_test(suite, "bug14607", + test_ioctl_bug14607); suite->description = talloc_strdup(suite, "SMB2-IOCTL tests"); -- 2.27.0 From dadf9b9530e593590c22ad6a11ecf7bbb7b0d5d9 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 14 Jan 2021 17:39:01 +0100 Subject: [PATCH 5/6] smbd: implement FSCTL_SMBTORTURE_IOCTL_RESPONSE_BODY_PADDING8 as reproducer for bug 14607 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14607 Signed-off-by: Stefan Metzmacher Reviewed-by: Volker Lendecke (cherry picked from commit 39c0d2b666a6ddac7cd3b29fe76be7375690b27b) --- .../knownfail.d/samba3.smb2.ioctl.bug14607 | 1 + source3/smbd/smb2_ioctl.c | 41 +++++++++++++++++-- source3/smbd/smb2_ioctl_private.h | 1 + 3 files changed, 40 insertions(+), 3 deletions(-) create mode 100644 selftest/knownfail.d/samba3.smb2.ioctl.bug14607 diff --git a/selftest/knownfail.d/samba3.smb2.ioctl.bug14607 b/selftest/knownfail.d/samba3.smb2.ioctl.bug14607 new file mode 100644 index 00000000000..c535a8a2723 --- /dev/null +++ b/selftest/knownfail.d/samba3.smb2.ioctl.bug14607 @@ -0,0 +1 @@ +^samba3.smb2.ioctl.*bug14607.nt4_dc diff --git a/source3/smbd/smb2_ioctl.c b/source3/smbd/smb2_ioctl.c index 01ae6d64ac5..8b65a691638 100644 --- a/source3/smbd/smb2_ioctl.c +++ b/source3/smbd/smb2_ioctl.c @@ -41,6 +41,7 @@ static struct tevent_req *smbd_smb2_ioctl_send(TALLOC_CTX *mem_ctx, static NTSTATUS smbd_smb2_ioctl_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx, DATA_BLOB *out_output, + uint8_t *body_padding, bool *disconnect); static void smbd_smb2_request_ioctl_done(struct tevent_req *subreq); 
@@ -195,6 +196,7 @@ NTSTATUS smbd_smb2_request_process_ioctl(struct smbd_smb2_request *req) case FSCTL_VALIDATE_NEGOTIATE_INFO: case FSCTL_QUERY_NETWORK_INTERFACE_INFO: case FSCTL_SMBTORTURE_FORCE_UNACKED_TIMEOUT: + case FSCTL_SMBTORTURE_IOCTL_RESPONSE_BODY_PADDING8: /* * Some SMB2 specific CtlCodes like FSCTL_DFS_GET_REFERRALS or * FSCTL_PIPE_WAIT does not take a file handle. @@ -284,9 +286,12 @@ static void smbd_smb2_request_ioctl_done(struct tevent_req *subreq) NTSTATUS status; NTSTATUS error; /* transport error */ bool disconnect = false; + uint16_t body_size; + uint8_t body_padding = 0; status = smbd_smb2_ioctl_recv(subreq, req, &out_output_buffer, + &body_padding, &disconnect); DEBUG(10,("smbd_smb2_request_ioctl_done: smbd_smb2_ioctl_recv returned " @@ -319,10 +324,15 @@ static void smbd_smb2_request_ioctl_done(struct tevent_req *subreq) return; } - out_input_offset = SMB2_HDR_BODY + 0x30; - out_output_offset = SMB2_HDR_BODY + 0x30; + /* + * Only FSCTL_SMBTORTURE_IOCTL_RESPONSE_BODY_PADDING8 + * sets body_padding to a value different from 0. + */ + body_size = 0x30 + body_padding; + out_input_offset = SMB2_HDR_BODY + body_size; + out_output_offset = SMB2_HDR_BODY + body_size; - outbody = smbd_smb2_generate_outbody(req, 0x30); + outbody = smbd_smb2_generate_outbody(req, body_size); if (outbody.data == NULL) { error = smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY); if (!NT_STATUS_IS_OK(error)) { @@ -350,6 +360,9 @@ static void smbd_smb2_request_ioctl_done(struct tevent_req *subreq) out_output_buffer.length); /* output count */ SIVAL(outbody.data, 0x28, 0); /* flags */ SIVAL(outbody.data, 0x2C, 0); /* reserved */ + if (body_padding != 0) { + memset(outbody.data + 0x30, 0, body_padding); + } /* * Note: Windows Vista and 2008 send back also the 
@@ -391,6 +404,26 @@ static struct tevent_req *smb2_ioctl_smbtorture(uint32_t ctl_code, tevent_req_done(req); return tevent_req_post(req, ev); + case FSCTL_SMBTORTURE_IOCTL_RESPONSE_BODY_PADDING8: + if (state->in_input.length != 0) { + tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER); + return tevent_req_post(req, ev); + } + + if (state->in_max_output > 0) { + uint32_t size = state->in_max_output; + + state->out_output = data_blob_talloc(state, NULL, size); + if (tevent_req_nomem(state->out_output.data, req)) { + return tevent_req_post(req, ev); + } + memset(state->out_output.data, 8, size); + } + + state->body_padding = 8; + tevent_req_done(req); + return tevent_req_post(req, ev); + default: goto not_supported; } @@ -476,6 +509,7 @@ static struct tevent_req *smbd_smb2_ioctl_send(TALLOC_CTX *mem_ctx, static NTSTATUS smbd_smb2_ioctl_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx, DATA_BLOB *out_output, + uint8_t *body_padding, bool *disconnect) { NTSTATUS status = NT_STATUS_OK; @@ -484,6 +518,7 @@ static NTSTATUS smbd_smb2_ioctl_recv(struct tevent_req *req, enum tevent_req_state req_state; uint64_t err; + *body_padding = state->body_padding; *disconnect = state->disconnect; if ((tevent_req_is_error(req, &req_state, &err) == false) diff --git a/source3/smbd/smb2_ioctl_private.h b/source3/smbd/smb2_ioctl_private.h index ae07fed8606..7a35f8f5d0b 100644 --- a/source3/smbd/smb2_ioctl_private.h +++ b/source3/smbd/smb2_ioctl_private.h @@ -28,6 +28,7 @@ struct smbd_smb2_ioctl_state { DATA_BLOB in_input; uint32_t in_max_output; DATA_BLOB out_output; + uint8_t body_padding; bool disconnect; }; -- 2.27.0 From ac4f2bb2a109399e1a247755bc78efc1e925998b Mon Sep 17 00:00:00 2001 
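Review bot: The allocation size in the `FSCTL_SMBTORTURE_IOCTL_RESPONSE_BODY_PADDING8` case is chosen by the client: `data_blob_talloc(state, NULL, size)` uses `state->in_max_output` directly. The earlier hunk in smbd_smb2_request_process_ioctl() also puts this code in the list that needs no file handle. Whether smb2_ioctl_smbtorture() is restricted to test configurations, and whether `in_max_output` is capped before it gets here, is decided outside this hunk and should be confirmed. The regression test only ever asks for one byte, so the reproducer could bound the allocation itself, e.g. `uint32_t size = MIN(state->in_max_output, 8);`.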
From: Stefan Metzmacher Date: Thu, 14 Jan 2021 17:32:15 +0100 Subject: [PATCH 6/6] libcli/smb: allow unexpected padding in SMB2 IOCTL responses A NetApp Ontap 7.3.7 SMB server add 8 padding bytes to an offset that's already 8 byte aligned. RN: Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14607 Pair-Programmed-With: Volker Lendecke Signed-off-by: Stefan Metzmacher Signed-off-by: Volker Lendecke Autobuild-User(master): Volker Lendecke Autobuild-Date(master): Fri Jan 15 08:36:34 UTC 2021 on sn-devel-184 (cherry picked from commit 4c6c71e1378401d66bf2ed230544a75f7b04376f) --- libcli/smb/smb2cli_ioctl.c | 19 ++++++++++++++++++- .../knownfail.d/samba3.smb2.ioctl.bug14607 | 1 - 2 files changed, 18 insertions(+), 2 deletions(-) delete mode 100644 selftest/knownfail.d/samba3.smb2.ioctl.bug14607 diff --git a/libcli/smb/smb2cli_ioctl.c b/libcli/smb/smb2cli_ioctl.c index 6368bd31bc2..f9abcc57bab 100644 --- a/libcli/smb/smb2cli_ioctl.c +++ b/libcli/smb/smb2cli_ioctl.c @@ -191,8 +191,25 @@ static NTSTATUS smb2cli_ioctl_parse_buffer(uint32_t dyn_offset, return NT_STATUS_OK; } + if ((buffer_offset % 8) != 0) { + /* + * The offset needs to be 8 byte aligned. + */ + return NT_STATUS_INVALID_NETWORK_RESPONSE; + } + + /* + * We used to enforce buffer_offset to be + * an exact match of the expected minimum, + * but the NetApp Ontap 7.3.7 SMB server + * gets the padding wrong and aligns the + * input_buffer_offset by a value of 8. + * + * So we just enforce that the offset is + * not lower than the expected value. + */ SMB_ASSERT(min_offset >= dyn_offset); - if (buffer_offset != min_offset) { + if (buffer_offset < min_offset) { return NT_STATUS_INVALID_NETWORK_RESPONSE; } diff --git a/selftest/knownfail.d/samba3.smb2.ioctl.bug14607 b/selftest/knownfail.d/samba3.smb2.ioctl.bug14607 deleted file mode 100644 index c535a8a2723..00000000000 --- a/selftest/knownfail.d/samba3.smb2.ioctl.bug14607 +++ /dev/null 
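Review bot: The relaxed check `if (buffer_offset < min_offset)` accepts any 8-byte-aligned offset between the expected one and the end of the dynamic buffer. That is wider than the single extra 8 bytes the comment attributes to NetApp Ontap 7.3.7. The bounds check further down in smb2cli_ioctl_parse_buffer() (outside this hunk) still rejects offsets beyond the buffer, so this is a question of strictness, not memory safety. If only the observed deviation should be tolerated, a cap after the lower-bound check would keep the parser closer to the specification: `if (buffer_offset - min_offset > 8) { return NT_STATUS_INVALID_NETWORK_RESPONSE; }`. Without it, the skipped bytes are ignored without inspection.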
@@ -1 +0,0 @@
-^samba3.smb2.ioctl.*bug14607.nt4_dc
-- 2.27.0