From 4cb2249338f03c2b1b3662f1c6b528a3cd3f78c1 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Mon, 3 Oct 2011 14:50:48 -0700
Subject: [PATCH 01/23] s3:smb2_server: add smbd_smb2_request_verify_sizes()

metze.
---
 source3/smbd/globals.h | 3 +++
 source3/smbd/smb2_server.c | 42 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 45 insertions(+), 0 deletions(-)

diff --git a/source3/smbd/globals.h b/source3/smbd/globals.h
index abeaed4..7033848 100644
--- a/source3/smbd/globals.h
+++ b/source3/smbd/globals.h
@@ -278,6 +278,9 @@ NTSTATUS smbd_smb2_request_check_tcon(struct smbd_smb2_request *req);
 struct smb_request *smbd_smb2_fake_smb_request(struct smbd_smb2_request *req);
 void remove_smb2_chained_fsp(files_struct *fsp);
 
+NTSTATUS smbd_smb2_request_verify_sizes(struct smbd_smb2_request *req,
+ size_t expected_body_size);
+
 NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req);
 NTSTATUS smbd_smb2_request_process_sesssetup(struct smbd_smb2_request *req);
 NTSTATUS smbd_smb2_request_process_logoff(struct smbd_smb2_request *req);
diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c
index cad4ca6..811e6d3 100644
--- a/source3/smbd/smb2_server.c
+++ b/source3/smbd/smb2_server.c
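Review bot: The new prototype in globals.h documents neither what expected_body_size means nor which status the caller gets back, and the implementation in the following hunk relies on a non-obvious convention: the value is the on-the-wire SMB2 StructureSize (0x19, 0x39, ...) and when it is odd the body vector must be one byte shorter while the dynamic vector supplies the last byte. A two-line comment above the declaration would save every caller a trip to smb2_server.c, e.g. `/* expected_body_size is the SMB2 StructureSize; an odd value means the last byte lives in the dynamic part. Returns NT_STATUS_INVALID_PARAMETER on a client-side mismatch, NT_STATUS_INTERNAL_ERROR if the request vectors themselves are malformed. */`. The second return value in particular is worth stating, since it is forwarded to the client unchanged by every handler in this series.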
@@ -1125,6 +1125,48 @@ static NTSTATUS smbd_smb2_request_process_cancel(struct smbd_smb2_request *req)
 return NT_STATUS_OK;
 }
 
+NTSTATUS smbd_smb2_request_verify_sizes(struct smbd_smb2_request *req,
+ size_t expected_body_size)
+{
+ const uint8_t *inbody;
+ int i = req->current_idx;
+ size_t body_size;
+
+ /*
+ * The following should be checked already.
+ */
+ if ((i+2) > req->in.vector_count) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+ if (req->in.vector[i+0].iov_len != SMB2_HDR_BODY) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+ if (req->in.vector[i+1].iov_len < 2) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ /*
+ * Now check the expected body size,
+ * where the last byte might be in the
+ * dynnamic section..
+ */
+ if (req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ if (req->in.vector[i+2].iov_len < (expected_body_size & 0x00000001)) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ inbody = (const uint8_t *)req->in.vector[i+1].iov_base;
+
+ body_size = SVAL(inbody, 0x00);
+ if (body_size != expected_body_size) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ return NT_STATUS_OK;
+}
+
 NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req)
 {
 const uint8_t *inhdr;
-- 
1.7.3.1

From abda6091c2aa039de8437bc4d88f3f27d45498b7 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Tue, 6 Sep 2011 14:01:43 +0200
Subject: [PATCH 02/23] s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_negprot.c

metze

(cherry picked from commit 7ec3a35d2a67ca93a49094f07a12b0e37cec1661)
---
 source3/smbd/smb2_negprot.c | 14 ++++----------
 1 files changed, 4 insertions(+), 10 deletions(-)

diff --git a/source3/smbd/smb2_negprot.c b/source3/smbd/smb2_negprot.c
index f639503..9245d6d 100644
--- a/source3/smbd/smb2_negprot.c
+++ b/source3/smbd/smb2_negprot.c
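Review bot: The sanity check `if ((i+2) > req->in.vector_count)` at the top of smbd_smb2_request_verify_sizes() does not cover the access it is meant to protect: it lets i+2 == vector_count through, and the function then reads `req->in.vector[i+2].iov_len` in the dynamic-size test, which is one element past the last vector. Whether a request can actually reach this point with fewer than three vectors is not visible here (the comment says it "should be checked already"), but a belt-and-braces check that is off by one gives false comfort; make it `if ((i+2) >= req->in.vector_count) {` so all three of vector[i+0..2] are known to exist. While touching the comments, `dynnamic section..` should read `dynamic section.`, and it would help to spell out that expected_body_size is the wire StructureSize and that the low bit is what selects the one-byte dynamic minimum.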
@@ -61,6 +61,7 @@ void reply_smb2002(struct smb_request *req, uint16_t choice) NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req) { + NTSTATUS status; const uint8_t *inbody; const uint8_t *indyn = NULL; int i = req->current_idx; @@ -69,8 +70,6 @@ NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req) DATA_BLOB negprot_spnego_blob; uint16_t security_offset; DATA_BLOB security_buffer; - size_t expected_body_size = 0x24; - size_t body_size; size_t expected_dyn_size = 0; size_t c; uint16_t security_mode; @@ -80,17 +79,12 @@ NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req) /* TODO: drop the connection with INVALID_PARAMETER */ - if (req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) { - return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER); + status = smbd_smb2_request_verify_sizes(req, 0x24); + if (!NT_STATUS_IS_OK(status)) { + return smbd_smb2_request_error(req, status); } - inbody = (const uint8_t *)req->in.vector[i+1].iov_base; - body_size = SVAL(inbody, 0x00); - if (body_size != expected_body_size) { - return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER); - } - dialect_count = SVAL(inbody, 0x02); if (dialect_count == 0) { return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER); -- 1.7.3.1 From ec3159637c606b28d50abe7aa746ad3b8017fb80 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 6 Sep 2011 14:01:43 +0200 Subject: [PATCH 03/23] s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_sesssetup.c metze (cherry picked from commit d280d9f945be2d658694c6d4503822e99dc953b5) --- source3/smbd/smb2_sesssetup.c | 35 +++++++++-------------------------- 1 files changed, 9 insertions(+), 26 deletions(-) diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c index 49aabdb..53f9d10 100644 --- a/source3/smbd/smb2_sesssetup.c +++ b/source3/smbd/smb2_sesssetup.c 
@@ -47,8 +47,6 @@ NTSTATUS smbd_smb2_request_process_sesssetup(struct smbd_smb2_request *smb2req) uint8_t *outhdr; DATA_BLOB outbody; DATA_BLOB outdyn; - size_t expected_body_size = 0x19; - size_t body_size; uint64_t in_session_id; uint8_t in_security_mode; uint16_t in_security_offset; @@ -60,23 +58,17 @@ NTSTATUS smbd_smb2_request_process_sesssetup(struct smbd_smb2_request *smb2req) DATA_BLOB out_security_buffer = data_blob_null; NTSTATUS status; - inhdr = (const uint8_t *)smb2req->in.vector[i+0].iov_base; - - if (smb2req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) { - return smbd_smb2_request_error(smb2req, NT_STATUS_INVALID_PARAMETER); + status = smbd_smb2_request_verify_sizes(smb2req, 0x19); + if (!NT_STATUS_IS_OK(status)) { + return smbd_smb2_request_error(smb2req, status); } - + inhdr = (const uint8_t *)smb2req->in.vector[i+0].iov_base; inbody = (const uint8_t *)smb2req->in.vector[i+1].iov_base; - body_size = SVAL(inbody, 0x00); - if (body_size != expected_body_size) { - return smbd_smb2_request_error(smb2req, NT_STATUS_INVALID_PARAMETER); - } - in_security_offset = SVAL(inbody, 0x0C); in_security_length = SVAL(inbody, 0x0E); - if (in_security_offset != (SMB2_HDR_BODY + (body_size & 0xFFFFFFFE))) { + if (in_security_offset != (SMB2_HDR_BODY + smb2req->in.vector[i+1].iov_len)) { return smbd_smb2_request_error(smb2req, NT_STATUS_INVALID_PARAMETER); } 
@@ -878,21 +870,12 @@ NTSTATUS smbd_smb2_request_check_session(struct smbd_smb2_request *req) NTSTATUS smbd_smb2_request_process_logoff(struct smbd_smb2_request *req) { - const uint8_t *inbody; - int i = req->current_idx; + NTSTATUS status; DATA_BLOB outbody; - size_t expected_body_size = 0x04; - size_t body_size; - if (req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) { - return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER); - } - - inbody = (const uint8_t *)req->in.vector[i+1].iov_base; - - body_size = SVAL(inbody, 0x00); - if (body_size != expected_body_size) { - return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER); + status = smbd_smb2_request_verify_sizes(req, 0x04); + if (!NT_STATUS_IS_OK(status)) { + return smbd_smb2_request_error(req, status); } /* -- 1.7.3.1 From da2deca7c3a82a85f4e54a2dc7608469f8b2cec7 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 6 Sep 2011 14:01:43 +0200 Subject: [PATCH 04/23] s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_tcon.c metze (cherry picked from commit 02f7c37e671c7950619c000b73c5a09ce31c68ac) --- source3/smbd/smb2_tcon.c | 32 ++++++++------------------------ 1 files changed, 8 insertions(+), 24 deletions(-) diff --git a/source3/smbd/smb2_tcon.c b/source3/smbd/smb2_tcon.c index ea38d1e..08b5b1e 100644 --- a/source3/smbd/smb2_tcon.c +++ b/source3/smbd/smb2_tcon.c @@ -39,8 +39,6 @@ NTSTATUS smbd_smb2_request_process_tcon(struct smbd_smb2_request *req) int i = req->current_idx; uint8_t *outhdr; DATA_BLOB outbody; - size_t expected_body_size = 0x09; - size_t body_size; uint16_t in_path_offset; uint16_t in_path_length; DATA_BLOB in_path_buffer; 
@@ -54,21 +52,16 @@ NTSTATUS smbd_smb2_request_process_tcon(struct smbd_smb2_request *req) NTSTATUS status; bool ok; - if (req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) { - return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER); + status = smbd_smb2_request_verify_sizes(req, 0x09); + if (!NT_STATUS_IS_OK(status)) { + return smbd_smb2_request_error(req, status); } - inbody = (const uint8_t *)req->in.vector[i+1].iov_base; - body_size = SVAL(inbody, 0x00); - if (body_size != expected_body_size) { - return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER); - } - in_path_offset = SVAL(inbody, 0x04); in_path_length = SVAL(inbody, 0x06); - if (in_path_offset != (SMB2_HDR_BODY + (body_size & 0xFFFFFFFE))) { + if (in_path_offset != (SMB2_HDR_BODY + req->in.vector[i+1].iov_len)) { return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER); } @@ -339,21 +332,12 @@ NTSTATUS smbd_smb2_request_check_tcon(struct smbd_smb2_request *req) NTSTATUS smbd_smb2_request_process_tdis(struct smbd_smb2_request *req) { - const uint8_t *inbody; - int i = req->current_idx; + NTSTATUS status; DATA_BLOB outbody; - size_t expected_body_size = 0x04; - size_t body_size; - if (req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) { - return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER); - } - - inbody = (const uint8_t *)req->in.vector[i+1].iov_base; - - body_size = SVAL(inbody, 0x00); - if (body_size != expected_body_size) { - return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER); + status = smbd_smb2_request_verify_sizes(req, 0x04); + if (!NT_STATUS_IS_OK(status)) { + return smbd_smb2_request_error(req, status); } /* -- 1.7.3.1 From 6141564acf3579475132c75f245405742fb29b46 Mon Sep 17 00:00:00 2001 
From: Stefan Metzmacher Date: Tue, 6 Sep 2011 14:01:43 +0200 Subject: [PATCH 05/23] s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_break.c metze (cherry picked from commit 9da2f72d471460d9c953e9cee84c9cfa3611e89e) --- source3/smbd/smb2_break.c | 16 ++++------------ 1 files changed, 4 insertions(+), 12 deletions(-) diff --git a/source3/smbd/smb2_break.c b/source3/smbd/smb2_break.c index 5d5ab41..ce583ac 100644 --- a/source3/smbd/smb2_break.c +++ b/source3/smbd/smb2_break.c @@ -36,28 +36,20 @@ static NTSTATUS smbd_smb2_oplock_break_recv(struct tevent_req *req, static void smbd_smb2_request_oplock_break_done(struct tevent_req *subreq); NTSTATUS smbd_smb2_request_process_break(struct smbd_smb2_request *req) { - const uint8_t *inhdr; + NTSTATUS status; const uint8_t *inbody; int i = req->current_idx; - size_t expected_body_size = 0x18; - size_t body_size; uint8_t in_oplock_level; uint64_t in_file_id_persistent; uint64_t in_file_id_volatile; struct tevent_req *subreq; - inhdr = (const uint8_t *)req->in.vector[i+0].iov_base; - if (req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) { - return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER); + status = smbd_smb2_request_verify_sizes(req, 0x18); + if (!NT_STATUS_IS_OK(status)) { + return smbd_smb2_request_error(req, status); } - inbody = (const uint8_t *)req->in.vector[i+1].iov_base; - body_size = SVAL(inbody, 0x00); - if (body_size != expected_body_size) { - return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER); - } - in_oplock_level = CVAL(inbody, 0x02); if (in_oplock_level != SMB2_OPLOCK_LEVEL_NONE && -- 1.7.3.1 From cec84baa67e19d5748d43a1d56ee981b81f57e4a Mon Sep 17 00:00:00 2001 
From: Stefan Metzmacher Date: Tue, 6 Sep 2011 14:01:43 +0200 Subject: [PATCH 06/23] s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_close.c metze (cherry picked from commit e09b3940a769806dcc17d24079375f5d53eca26a) --- source3/smbd/smb2_close.c | 15 +++------------ 1 files changed, 3 insertions(+), 12 deletions(-) diff --git a/source3/smbd/smb2_close.c b/source3/smbd/smb2_close.c index 93ce5ba..ffe08cc 100644 --- a/source3/smbd/smb2_close.c +++ b/source3/smbd/smb2_close.c @@ -30,30 +30,21 @@ static NTSTATUS smbd_smb2_close(struct smbd_smb2_request *req, NTSTATUS smbd_smb2_request_process_close(struct smbd_smb2_request *req) { - const uint8_t *inhdr; const uint8_t *inbody; int i = req->current_idx; uint8_t *outhdr; DATA_BLOB outbody; - size_t expected_body_size = 0x18; - size_t body_size; uint16_t in_flags; uint64_t in_file_id_persistent; uint64_t in_file_id_volatile; NTSTATUS status; - inhdr = (const uint8_t *)req->in.vector[i+0].iov_base; - if (req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) { - return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER); + status = smbd_smb2_request_verify_sizes(req, 0x18); + if (!NT_STATUS_IS_OK(status)) { + return smbd_smb2_request_error(req, status); } - inbody = (const uint8_t *)req->in.vector[i+1].iov_base; - body_size = SVAL(inbody, 0x00); - if (body_size != expected_body_size) { - return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER); - } - outbody = data_blob_talloc(req->out.vector, NULL, 0x3C); if (outbody.data == NULL) { return smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY); -- 1.7.3.1 From b5337ce4ee3e4df8d2a7dcc17fb94f8d979534b7 Mon Sep 17 00:00:00 2001 
From: Stefan Metzmacher Date: Tue, 6 Sep 2011 14:01:43 +0200 Subject: [PATCH 07/23] s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_create.c metze (cherry picked from commit 251815bfd395398857cb60c0b89710ddce7ab19f) --- source3/smbd/smb2_create.c | 15 ++++----------- 1 files changed, 4 insertions(+), 11 deletions(-) diff --git a/source3/smbd/smb2_create.c b/source3/smbd/smb2_create.c index b8557e0..4b19e0c 100644 --- a/source3/smbd/smb2_create.c +++ b/source3/smbd/smb2_create.c @@ -100,8 +100,6 @@ NTSTATUS smbd_smb2_request_process_create(struct smbd_smb2_request *smb2req) { const uint8_t *inbody; int i = smb2req->current_idx; - size_t expected_body_size = 0x39; - size_t body_size; uint8_t in_oplock_level; uint32_t in_impersonation_level; uint32_t in_desired_access; @@ -127,17 +125,12 @@ NTSTATUS smbd_smb2_request_process_create(struct smbd_smb2_request *smb2req) bool ok; struct tevent_req *tsubreq; - if (smb2req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) { - return smbd_smb2_request_error(smb2req, NT_STATUS_INVALID_PARAMETER); + status = smbd_smb2_request_verify_sizes(smb2req, 0x39); + if (!NT_STATUS_IS_OK(status)) { + return smbd_smb2_request_error(smb2req, status); } - inbody = (const uint8_t *)smb2req->in.vector[i+1].iov_base; - body_size = SVAL(inbody, 0x00); - if (body_size != expected_body_size) { - return smbd_smb2_request_error(smb2req, NT_STATUS_INVALID_PARAMETER); - } - in_oplock_level = CVAL(inbody, 0x03); in_impersonation_level = IVAL(inbody, 0x04); in_desired_access = IVAL(inbody, 0x18); @@ -158,7 +151,7 @@ NTSTATUS smbd_smb2_request_process_create(struct smbd_smb2_request *smb2req) * overlap */ - dyn_offset = SMB2_HDR_BODY + (body_size & 0xFFFFFFFE); + dyn_offset = SMB2_HDR_BODY + smb2req->in.vector[i+1].iov_len; if (in_name_offset == 0 && in_name_length == 0) { /* This is ok */ -- 1.7.3.1 From c2fcc9ae53323b94008707bdc3a603695e36c3df Mon Sep 17 00:00:00 2001 
From: Stefan Metzmacher Date: Tue, 6 Sep 2011 14:01:43 +0200 Subject: [PATCH 08/23] s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_find.c metze (cherry picked from commit bc95ab99dc84fa6d567a7d4e803552363bbc07a9) --- source3/smbd/smb2_find.c | 18 +++++------------- 1 files changed, 5 insertions(+), 13 deletions(-) diff --git a/source3/smbd/smb2_find.c b/source3/smbd/smb2_find.c index 362dff4..85e0126 100644 --- a/source3/smbd/smb2_find.c +++ b/source3/smbd/smb2_find.c @@ -41,11 +41,9 @@ static NTSTATUS smbd_smb2_find_recv(struct tevent_req *req, static void smbd_smb2_request_find_done(struct tevent_req *subreq); NTSTATUS smbd_smb2_request_process_find(struct smbd_smb2_request *req) { - const uint8_t *inhdr; + NTSTATUS status; const uint8_t *inbody; int i = req->current_idx; - size_t expected_body_size = 0x21; - size_t body_size; uint8_t in_file_info_class; uint8_t in_flags; uint32_t in_file_index; @@ -60,18 +58,12 @@ NTSTATUS smbd_smb2_request_process_find(struct smbd_smb2_request *req) struct tevent_req *subreq; bool ok; - inhdr = (const uint8_t *)req->in.vector[i+0].iov_base; - if (req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) { - return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER); + status = smbd_smb2_request_verify_sizes(req, 0x21); + if (!NT_STATUS_IS_OK(status)) { + return smbd_smb2_request_error(req, status); } - inbody = (const uint8_t *)req->in.vector[i+1].iov_base; - body_size = SVAL(inbody, 0x00); - if (body_size != expected_body_size) { - return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER); - } - in_file_info_class = CVAL(inbody, 0x02); in_flags = CVAL(inbody, 0x03); in_file_index = IVAL(inbody, 0x04); 
@@ -84,7 +76,7 @@ NTSTATUS smbd_smb2_request_process_find(struct smbd_smb2_request *req) if (in_file_name_offset == 0 && in_file_name_length == 0) { /* This is ok */ } else if (in_file_name_offset != - (SMB2_HDR_BODY + (body_size & 0xFFFFFFFE))) { + (SMB2_HDR_BODY + req->in.vector[i+1].iov_len)) { return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER); } -- 1.7.3.1 From f2459924cc9ef287fc0acc79bed1b70471f3d788 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 6 Sep 2011 14:01:43 +0200 Subject: [PATCH 09/23] s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_flush.c metze (cherry picked from commit 440f702aa9a020f8cfe13037b7af1ba0dadf86f2) --- source3/smbd/smb2_flush.c | 16 ++++------------ 1 files changed, 4 insertions(+), 12 deletions(-) diff --git a/source3/smbd/smb2_flush.c b/source3/smbd/smb2_flush.c index c3f5a30..9b00eb2 100644 --- a/source3/smbd/smb2_flush.c +++ b/source3/smbd/smb2_flush.c 
@@ -33,27 +33,19 @@ static NTSTATUS smbd_smb2_flush_recv(struct tevent_req *req); static void smbd_smb2_request_flush_done(struct tevent_req *subreq); NTSTATUS smbd_smb2_request_process_flush(struct smbd_smb2_request *req) { - const uint8_t *inhdr; + NTSTATUS status; const uint8_t *inbody; int i = req->current_idx; - size_t expected_body_size = 0x18; - size_t body_size; uint64_t in_file_id_persistent; uint64_t in_file_id_volatile; struct tevent_req *subreq; - inhdr = (const uint8_t *)req->in.vector[i+0].iov_base; - if (req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) { - return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER); + status = smbd_smb2_request_verify_sizes(req, 0x18); + if (!NT_STATUS_IS_OK(status)) { + return smbd_smb2_request_error(req, status); } - inbody = (const uint8_t *)req->in.vector[i+1].iov_base; - body_size = SVAL(inbody, 0x00); - if (body_size != expected_body_size) { - return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER); - } - in_file_id_persistent = BVAL(inbody, 0x08); in_file_id_volatile = BVAL(inbody, 0x10); -- 1.7.3.1 From ca7e8844ef6c84f277b5ba7b243618a9b84438f1 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 6 Sep 2011 14:01:43 +0200 Subject: [PATCH 10/23] s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_getinfo.c metze (cherry picked from commit 880eafd7e83ba326be7036605179e8de746f4312) --- source3/smbd/smb2_getinfo.c | 18 +++++------------- 1 files changed, 5 insertions(+), 13 deletions(-) diff --git a/source3/smbd/smb2_getinfo.c b/source3/smbd/smb2_getinfo.c index 3c8c690..61e0cfa 100644 --- a/source3/smbd/smb2_getinfo.c +++ b/source3/smbd/smb2_getinfo.c 
@@ -44,11 +44,9 @@ static NTSTATUS smbd_smb2_getinfo_recv(struct tevent_req *req, static void smbd_smb2_request_getinfo_done(struct tevent_req *subreq); NTSTATUS smbd_smb2_request_process_getinfo(struct smbd_smb2_request *req) { - const uint8_t *inhdr; + NTSTATUS status; const uint8_t *inbody; int i = req->current_idx; - size_t expected_body_size = 0x29; - size_t body_size; uint8_t in_info_type; uint8_t in_file_info_class; uint32_t in_output_buffer_length; @@ -61,18 +59,12 @@ NTSTATUS smbd_smb2_request_process_getinfo(struct smbd_smb2_request *req) uint64_t in_file_id_volatile; struct tevent_req *subreq; - inhdr = (const uint8_t *)req->in.vector[i+0].iov_base; - if (req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) { - return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER); + status = smbd_smb2_request_verify_sizes(req, 0x29); + if (!NT_STATUS_IS_OK(status)) { + return smbd_smb2_request_error(req, status); } - inbody = (const uint8_t *)req->in.vector[i+1].iov_base; - body_size = SVAL(inbody, 0x00); - if (body_size != expected_body_size) { - return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER); - } - in_info_type = CVAL(inbody, 0x02); in_file_info_class = CVAL(inbody, 0x03); in_output_buffer_length = IVAL(inbody, 0x04); @@ -87,7 +79,7 @@ NTSTATUS smbd_smb2_request_process_getinfo(struct smbd_smb2_request *req) if (in_input_buffer_offset == 0 && in_input_buffer_length == 0) { /* This is ok */ } else if (in_input_buffer_offset != - (SMB2_HDR_BODY + (body_size & 0xFFFFFFFE))) { + (SMB2_HDR_BODY + req->in.vector[i+1].iov_len)) { return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER); } -- 1.7.3.1 From 8e66e1b6d9e2ec0c38b9d9a4595e841a78f8db1e Mon Sep 17 00:00:00 2001 
From: Stefan Metzmacher Date: Tue, 6 Sep 2011 14:01:43 +0200 Subject: [PATCH 11/23] s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_ioctl.c metze (cherry picked from commit 29b3601c028b8861102b1d988285c78fc17f3b8e) --- source3/smbd/smb2_ioctl.c | 18 +++++------------- 1 files changed, 5 insertions(+), 13 deletions(-) diff --git a/source3/smbd/smb2_ioctl.c b/source3/smbd/smb2_ioctl.c index 88775b4..8f2a471 100644 --- a/source3/smbd/smb2_ioctl.c +++ b/source3/smbd/smb2_ioctl.c @@ -41,11 +41,9 @@ static NTSTATUS smbd_smb2_ioctl_recv(struct tevent_req *req, static void smbd_smb2_request_ioctl_done(struct tevent_req *subreq); NTSTATUS smbd_smb2_request_process_ioctl(struct smbd_smb2_request *req) { - const uint8_t *inhdr; + NTSTATUS status; const uint8_t *inbody; int i = req->current_idx; - size_t expected_body_size = 0x39; - size_t body_size; uint32_t in_ctl_code; uint64_t in_file_id_persistent; uint64_t in_file_id_volatile; @@ -56,18 +54,12 @@ NTSTATUS smbd_smb2_request_process_ioctl(struct smbd_smb2_request *req) uint32_t in_flags; struct tevent_req *subreq; - inhdr = (const uint8_t *)req->in.vector[i+0].iov_base; - if (req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) { - return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER); + status = smbd_smb2_request_verify_sizes(req, 0x39); + if (!NT_STATUS_IS_OK(status)) { + return smbd_smb2_request_error(req, status); } - inbody = (const uint8_t *)req->in.vector[i+1].iov_base; - body_size = SVAL(inbody, 0x00); - if (body_size != expected_body_size) { - return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER); - } - in_ctl_code = IVAL(inbody, 0x04); in_file_id_persistent = BVAL(inbody, 0x08); in_file_id_volatile = BVAL(inbody, 0x10); 
@@ -76,7 +68,7 @@ NTSTATUS smbd_smb2_request_process_ioctl(struct smbd_smb2_request *req) in_max_output_length = IVAL(inbody, 0x2C); in_flags = IVAL(inbody, 0x30); - if (in_input_offset != (SMB2_HDR_BODY + (body_size & 0xFFFFFFFE))) { + if (in_input_offset != (SMB2_HDR_BODY + req->in.vector[i+1].iov_len)) { return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER); } -- 1.7.3.1 From 63629ae4d6f8e5640b5d46044ff61f2365246ccc Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 6 Sep 2011 14:01:43 +0200 Subject: [PATCH 12/23] s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_keepalive.c metze (cherry picked from commit 22d479f75794b7c5fcac2fd47fbfd767700507d6) --- source3/smbd/smb2_keepalive.c | 17 ++++------------- 1 files changed, 4 insertions(+), 13 deletions(-) diff --git a/source3/smbd/smb2_keepalive.c b/source3/smbd/smb2_keepalive.c index a830260..24a4f8e 100644 --- a/source3/smbd/smb2_keepalive.c +++ b/source3/smbd/smb2_keepalive.c @@ -25,21 +25,12 @@ NTSTATUS smbd_smb2_request_process_keepalive(struct smbd_smb2_request *req) { - const uint8_t *inbody; - int i = req->current_idx; DATA_BLOB outbody; - size_t expected_body_size = 0x04; - size_t body_size; + NTSTATUS status; - if (req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) { - return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER); - } - - inbody = (const uint8_t *)req->in.vector[i+1].iov_base; - - body_size = SVAL(inbody, 0x00); - if (body_size != expected_body_size) { - return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER); + status = smbd_smb2_request_verify_sizes(req, 0x04); + if (!NT_STATUS_IS_OK(status)) { + return smbd_smb2_request_error(req, status); } /* TODO: update some time stamps */ -- 1.7.3.1 From 7b328b72d4e5b9bf96ed1694c2cb3a6813de5dde Mon Sep 17 00:00:00 2001 
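Review bot: The rewritten `in_input_offset` test in smb2_ioctl.c still rejects every request whose InputOffset is not exactly SMB2_HDR_BODY plus the fixed body length, with no special case for a request that carries no input buffer, whereas the find, getinfo and setinfo hunks in this same series accept `offset == 0 && length == 0` before applying the identical test. If a client may send InputCount 0 with InputOffset 0 on IOCTL (not visible here; confirm against MS-SMB2 and real clients), this handler answers NT_STATUS_INVALID_PARAMETER where the others would proceed. If that case is legitimate, mirror the other handlers: `if (in_input_offset == 0 && in_input_length == 0) { /* This is ok */ } else if (in_input_offset != (SMB2_HDR_BODY + req->in.vector[i+1].iov_len)) {` (the length variable's name is not shown in this hunk; `in_input_length` is presumed). The enclosing function starts before this hunk.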
From: Stefan Metzmacher Date: Tue, 6 Sep 2011 14:01:43 +0200 Subject: [PATCH 13/23] s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_lock.c metze (cherry picked from commit a358eee2d8670d4a1675e82562fa704fa45a71e6) --- source3/smbd/smb2_lock.c | 16 +++++----------- 1 files changed, 5 insertions(+), 11 deletions(-) diff --git a/source3/smbd/smb2_lock.c b/source3/smbd/smb2_lock.c index fce3c7c..28612ae 100644 --- a/source3/smbd/smb2_lock.c +++ b/source3/smbd/smb2_lock.c @@ -58,8 +58,6 @@ NTSTATUS smbd_smb2_request_process_lock(struct smbd_smb2_request *req) const uint8_t *inhdr; const uint8_t *inbody; const int i = req->current_idx; - size_t expected_body_size = 0x30; - size_t body_size; uint32_t in_smbpid; uint16_t in_lock_count; uint64_t in_file_id_persistent; @@ -68,19 +66,15 @@ NTSTATUS smbd_smb2_request_process_lock(struct smbd_smb2_request *req) struct tevent_req *subreq; const uint8_t *lock_buffer; uint16_t l; + NTSTATUS status; - inhdr = (const uint8_t *)req->in.vector[i+0].iov_base; - if (req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) { - return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER); + status = smbd_smb2_request_verify_sizes(req, 0x30); + if (!NT_STATUS_IS_OK(status)) { + return smbd_smb2_request_error(req, status); } - + inhdr = (const uint8_t *)req->in.vector[i+0].iov_base; inbody = (const uint8_t *)req->in.vector[i+1].iov_base; - body_size = SVAL(inbody, 0x00); - if (body_size != expected_body_size) { - return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER); - } - in_smbpid = IVAL(inhdr, SMB2_HDR_PID); in_lock_count = CVAL(inbody, 0x02); -- 1.7.3.1 From deff5218dac2d6f071c89166dbd3334d07dcd98f Mon Sep 17 00:00:00 2001 
From: Stefan Metzmacher Date: Tue, 6 Sep 2011 14:01:43 +0200 Subject: [PATCH 14/23] s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_notify.c metze (cherry picked from commit c6480366e551d1dc683c2648bd897bdc7c1b90df) --- source3/smbd/smb2_notify.c | 16 ++++------------ 1 files changed, 4 insertions(+), 12 deletions(-) diff --git a/source3/smbd/smb2_notify.c b/source3/smbd/smb2_notify.c index 9e377ce..a8b1eb4 100644 --- a/source3/smbd/smb2_notify.c +++ b/source3/smbd/smb2_notify.c @@ -47,11 +47,9 @@ static NTSTATUS smbd_smb2_notify_recv(struct tevent_req *req, static void smbd_smb2_request_notify_done(struct tevent_req *subreq); NTSTATUS smbd_smb2_request_process_notify(struct smbd_smb2_request *req) { - const uint8_t *inhdr; + NTSTATUS status; const uint8_t *inbody; int i = req->current_idx; - size_t expected_body_size = 0x20; - size_t body_size; uint16_t in_flags; uint32_t in_output_buffer_length; uint64_t in_file_id_persistent; @@ -59,18 +57,12 @@ NTSTATUS smbd_smb2_request_process_notify(struct smbd_smb2_request *req) uint64_t in_completion_filter; struct tevent_req *subreq; - inhdr = (const uint8_t *)req->in.vector[i+0].iov_base; - if (req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) { - return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER); + status = smbd_smb2_request_verify_sizes(req, 0x20); + if (!NT_STATUS_IS_OK(status)) { + return smbd_smb2_request_error(req, status); } - inbody = (const uint8_t *)req->in.vector[i+1].iov_base; - body_size = SVAL(inbody, 0x00); - if (body_size != expected_body_size) { - return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER); - } - in_flags = SVAL(inbody, 0x02); in_output_buffer_length = IVAL(inbody, 0x04); in_file_id_persistent = BVAL(inbody, 0x08); -- 1.7.3.1 From c6ee9e882cbf85edd0554ad39fb84ccef9eb3d10 Mon Sep 17 00:00:00 2001 
From: Stefan Metzmacher Date: Tue, 6 Sep 2011 14:01:43 +0200 Subject: [PATCH 15/23] s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_read.c metze (cherry picked from commit f3a8d65bdfe496f080a74eb7104500bd8e2b0179) --- source3/smbd/smb2_read.c | 16 +++++----------- 1 files changed, 5 insertions(+), 11 deletions(-) diff --git a/source3/smbd/smb2_read.c b/source3/smbd/smb2_read.c index a88781e..89fc420 100644 --- a/source3/smbd/smb2_read.c +++ b/source3/smbd/smb2_read.c @@ -44,11 +44,10 @@ static NTSTATUS smbd_smb2_read_recv(struct tevent_req *req, static void smbd_smb2_request_read_done(struct tevent_req *subreq); NTSTATUS smbd_smb2_request_process_read(struct smbd_smb2_request *req) { + NTSTATUS status; const uint8_t *inhdr; const uint8_t *inbody; int i = req->current_idx; - size_t expected_body_size = 0x31; - size_t body_size; uint32_t in_smbpid; uint32_t in_length; uint64_t in_offset; @@ -58,18 +57,13 @@ NTSTATUS smbd_smb2_request_process_read(struct smbd_smb2_request *req) uint32_t in_remaining_bytes; struct tevent_req *subreq; - inhdr = (const uint8_t *)req->in.vector[i+0].iov_base; - if (req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) { - return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER); + status = smbd_smb2_request_verify_sizes(req, 0x31); + if (!NT_STATUS_IS_OK(status)) { + return smbd_smb2_request_error(req, status); } - + inhdr = (const uint8_t *)req->in.vector[i+0].iov_base; inbody = (const uint8_t *)req->in.vector[i+1].iov_base; - body_size = SVAL(inbody, 0x00); - if (body_size != expected_body_size) { - return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER); - } - in_smbpid = IVAL(inhdr, SMB2_HDR_PID); in_length = IVAL(inbody, 0x04); -- 1.7.3.1 From f1a27ab30771afd6535da984f1b31bb8aa2918bd Mon Sep 17 00:00:00 2001 
From: Stefan Metzmacher Date: Tue, 6 Sep 2011 14:01:43 +0200 Subject: [PATCH 16/23] s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_setinfo.c metze (cherry picked from commit 3643a05ba63ac5d8466dc8391b5d05efeedb5ac4) --- source3/smbd/smb2_setinfo.c | 18 +++++------------- 1 files changed, 5 insertions(+), 13 deletions(-) diff --git a/source3/smbd/smb2_setinfo.c b/source3/smbd/smb2_setinfo.c index 96b44aa..2d39f11 100644 --- a/source3/smbd/smb2_setinfo.c +++ b/source3/smbd/smb2_setinfo.c @@ -39,11 +39,9 @@ static NTSTATUS smbd_smb2_setinfo_recv(struct tevent_req *req); static void smbd_smb2_request_setinfo_done(struct tevent_req *subreq); NTSTATUS smbd_smb2_request_process_setinfo(struct smbd_smb2_request *req) { - const uint8_t *inhdr; + NTSTATUS status; const uint8_t *inbody; int i = req->current_idx; - size_t expected_body_size = 0x21; - size_t body_size; uint8_t in_info_type; uint8_t in_file_info_class; uint16_t in_input_buffer_offset; @@ -54,18 +52,12 @@ NTSTATUS smbd_smb2_request_process_setinfo(struct smbd_smb2_request *req) uint64_t in_file_id_volatile; struct tevent_req *subreq; - inhdr = (const uint8_t *)req->in.vector[i+0].iov_base; - if (req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) { - return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER); + status = smbd_smb2_request_verify_sizes(req, 0x21); + if (!NT_STATUS_IS_OK(status)) { + return smbd_smb2_request_error(req, status); } - inbody = (const uint8_t *)req->in.vector[i+1].iov_base; - body_size = SVAL(inbody, 0x00); - if (body_size != expected_body_size) { - return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER); - } - in_info_type = CVAL(inbody, 0x02); in_file_info_class = CVAL(inbody, 0x03); in_input_buffer_length = IVAL(inbody, 0x04); 
@@ -78,7 +70,7 @@ NTSTATUS smbd_smb2_request_process_setinfo(struct smbd_smb2_request *req) if (in_input_buffer_offset == 0 && in_input_buffer_length == 0) { /* This is ok */ } else if (in_input_buffer_offset != - (SMB2_HDR_BODY + (body_size & 0xFFFFFFFE))) { + (SMB2_HDR_BODY + req->in.vector[i+1].iov_len)) { return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER); } -- 1.7.3.1 From 3a67bac8986f3bf1fc0b3e444d26253fdc7c17d9 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 6 Sep 2011 14:01:43 +0200 Subject: [PATCH 17/23] s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_write.c metze (cherry picked from commit 1a726b88ec74962d0317740bbdf576ddcffb52bc) --- source3/smbd/smb2_write.c | 18 ++++++------------ 1 files changed, 6 insertions(+), 12 deletions(-) diff --git a/source3/smbd/smb2_write.c b/source3/smbd/smb2_write.c index c0cba804..0202098 100644 --- a/source3/smbd/smb2_write.c +++ b/source3/smbd/smb2_write.c @@ -39,11 +39,10 @@ static NTSTATUS smbd_smb2_write_recv(struct tevent_req *req, static void smbd_smb2_request_write_done(struct tevent_req *subreq); NTSTATUS smbd_smb2_request_process_write(struct smbd_smb2_request *req) { + NTSTATUS status; const uint8_t *inhdr; const uint8_t *inbody; int i = req->current_idx; - size_t expected_body_size = 0x31; - size_t body_size; uint32_t in_smbpid; uint16_t in_data_offset; uint32_t in_data_length; 
@@ -54,18 +53,13 @@ NTSTATUS smbd_smb2_request_process_write(struct smbd_smb2_request *req) uint32_t in_flags; struct tevent_req *subreq; - inhdr = (const uint8_t *)req->in.vector[i+0].iov_base; - if (req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) { - return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER); + status = smbd_smb2_request_verify_sizes(req, 0x31); + if (!NT_STATUS_IS_OK(status)) { + return smbd_smb2_request_error(req, status); } - + inhdr = (const uint8_t *)req->in.vector[i+0].iov_base; inbody = (const uint8_t *)req->in.vector[i+1].iov_base; - body_size = SVAL(inbody, 0x00); - if (body_size != expected_body_size) { - return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER); - } - in_smbpid = IVAL(inhdr, SMB2_HDR_PID); in_data_offset = SVAL(inbody, 0x02); @@ -75,7 +69,7 @@ NTSTATUS smbd_smb2_request_process_write(struct smbd_smb2_request *req) in_file_id_volatile = BVAL(inbody, 0x18); in_flags = IVAL(inbody, 0x2C); - if (in_data_offset != (SMB2_HDR_BODY + (body_size & 0xFFFFFFFE))) { + if (in_data_offset != (SMB2_HDR_BODY + req->in.vector[i+1].iov_len)) { return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER); } -- 1.7.3.1 From d29ac516b65c5fa08adfb603b9426806244d178e Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 6 Sep 2011 14:14:52 +0200 Subject: [PATCH 18/23] s3:smb2_server: return BAD_NETWORK_NAME if the path is terminated in SMB2_TCON metze (cherry picked from commit 68b33aa61ac393c2737969f8449adce3e3096d73) --- source3/smbd/smb2_tcon.c | 8 ++++++++ 1 files changed, 8 insertions(+), 0 deletions(-) diff --git a/source3/smbd/smb2_tcon.c b/source3/smbd/smb2_tcon.c index 08b5b1e..8644e56 100644 --- a/source3/smbd/smb2_tcon.c +++ b/source3/smbd/smb2_tcon.c 
@@ -81,6 +81,14 @@ NTSTATUS smbd_smb2_request_process_tcon(struct smbd_smb2_request *req) return smbd_smb2_request_error(req, NT_STATUS_ILLEGAL_CHARACTER); } + if (in_path_buffer.length == 0) { + in_path_string_size = 0; + } + + if (strlen(in_path_string) != in_path_string_size) { + return smbd_smb2_request_error(req, NT_STATUS_BAD_NETWORK_NAME); + } + status = smbd_smb2_tree_connect(req, in_path_string, &out_share_type, &out_share_flags, -- 1.7.3.1 From 94f754c9d2cb5459c4bd55165713f98f6fde5fec Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 6 Sep 2011 14:14:52 +0200 Subject: [PATCH 19/23] s3:smb2_server: return OBJECT_NAME_INVALID if the path is terminated in SMB2_CREATE metze (cherry picked from commit 1bc93c2605e14104237bb100db1d8acb1e7fe389) --- source3/smbd/smb2_create.c | 8 ++++++++ 1 files changed, 8 insertions(+), 0 deletions(-) diff --git a/source3/smbd/smb2_create.c b/source3/smbd/smb2_create.c index 4b19e0c..fb698f0 100644 --- a/source3/smbd/smb2_create.c +++ b/source3/smbd/smb2_create.c @@ -212,6 +212,14 @@ NTSTATUS smbd_smb2_request_process_create(struct smbd_smb2_request *smb2req) return smbd_smb2_request_error(smb2req, NT_STATUS_ILLEGAL_CHARACTER); } + if (in_name_buffer.length == 0) { + in_name_string_size = 0; + } + + if (strlen(in_name_string) != in_name_string_size) { + return smbd_smb2_request_error(smb2req, NT_STATUS_OBJECT_NAME_INVALID); + } + ZERO_STRUCT(in_context_blobs); status = smb2_create_blob_parse(smb2req, in_context_buffer, &in_context_blobs); if (!NT_STATUS_IS_OK(status)) { -- 1.7.3.1 From 5022c9f69b618cf5804634cfc0d676223fcae69d Mon Sep 17 00:00:00 2001 
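Review bot: The new `if (strlen(in_path_string) != in_path_string_size)` rejects a converted share path that is shorter than the size the conversion reported, i.e. a name carrying an embedded NUL that would otherwise be acted on in silently truncated form, but nothing in the hunk says so; a comment above it, `/* an embedded NUL in the UTF-16 name yields a C string shorter than the converted size; reject rather than truncate */`, would make the intent clear. The preceding `if (in_path_buffer.length == 0) { in_path_string_size = 0; }` also deserves a one-line reason, presumably that the converter reports a non-zero size for an empty input — confirm against the conversion call, which is outside the hunk. The check relies on in_path_string being NUL-terminated by that earlier conversion; smbd_smb2_request_process_tcon starts outside the hunk. The same pattern, with the same missing comments, is added in the smb2_create.c hunk on this line and the smb2_find.c hunk on the next.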
From: Stefan Metzmacher Date: Tue, 6 Sep 2011 14:14:52 +0200 Subject: [PATCH 20/23] s3:smb2_server: return OBJECT_NAME_INVALID if the path is terminated in SMB2_FIND/QUERY_DIRECTORY metze Autobuild-User: Stefan Metzmacher Autobuild-Date: Wed Sep 7 12:15:51 CEST 2011 on sn-devel-104 (cherry picked from commit 9bc4decc1cba701926fc8081c3903aac754a6f51) --- source3/smbd/smb2_find.c | 8 ++++++++ 1 files changed, 8 insertions(+), 0 deletions(-) diff --git a/source3/smbd/smb2_find.c b/source3/smbd/smb2_find.c index 85e0126..4a49f2a 100644 --- a/source3/smbd/smb2_find.c +++ b/source3/smbd/smb2_find.c @@ -107,6 +107,14 @@ NTSTATUS smbd_smb2_request_process_find(struct smbd_smb2_request *req) return smbd_smb2_request_error(req, NT_STATUS_ILLEGAL_CHARACTER); } + if (in_file_name_buffer.length == 0) { + in_file_name_string_size = 0; + } + + if (strlen(in_file_name_string) != in_file_name_string_size) { + return smbd_smb2_request_error(req, NT_STATUS_OBJECT_NAME_INVALID); + } + if (req->compat_chain_fsp) { /* skip check */ } else if (in_file_id_persistent != in_file_id_volatile) { -- 1.7.3.1 From 80e2a33b56db29e2e984f7f0f372cecd4ca00daa Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 14 Sep 2011 13:04:28 +0200 Subject: [PATCH 21/23] s3:smb2_server: SMB2_OP_GETINFO doesn't require at least 1 dyn byte metze (cherry picked from commit 563fa741f6a34a1300c81a8474ca87346a9f5cca) --- source3/smbd/smb2_server.c | 14 +++++++++++++- 1 files changed, 13 insertions(+), 1 deletions(-) diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c index 811e6d3..fbfe3e7 100644 --- a/source3/smbd/smb2_server.c +++ b/source3/smbd/smb2_server.c 
@@ -1128,9 +1128,12 @@ static NTSTATUS smbd_smb2_request_process_cancel(struct smbd_smb2_request *req) NTSTATUS smbd_smb2_request_verify_sizes(struct smbd_smb2_request *req, size_t expected_body_size) { + const uint8_t *inhdr; + uint16_t opcode; const uint8_t *inbody; int i = req->current_idx; size_t body_size; + size_t min_dyn_size = expected_body_size & 0x00000001; /* * The following should be checked already. @@ -1145,6 +1148,15 @@ NTSTATUS smbd_smb2_request_verify_sizes(struct smbd_smb2_request *req, return NT_STATUS_INTERNAL_ERROR; } + inhdr = (const uint8_t *)req->in.vector[i+0].iov_base; + opcode = SVAL(inhdr, SMB2_HDR_OPCODE); + + switch (opcode) { + case SMB2_OP_GETINFO: + min_dyn_size = 0; + break; + } + /* * Now check the expected body size, * where the last byte might be in the @@ -1153,7 +1165,7 @@ NTSTATUS smbd_smb2_request_verify_sizes(struct smbd_smb2_request *req, if (req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) { return NT_STATUS_INVALID_PARAMETER; } - if (req->in.vector[i+2].iov_len < (expected_body_size & 0x00000001)) { + if (req->in.vector[i+2].iov_len < min_dyn_size) { return NT_STATUS_INVALID_PARAMETER; } -- 1.7.3.1 From 89ecae2e0507572f194f7a3d62c29d7f531db91d Mon Sep 17 00:00:00 2001 From: David Disseldorp Date: Sun, 25 Sep 2011 23:39:07 +0200 Subject: [PATCH 22/23] s3-smb2_server: SMB2_OP_IOCTL doesn't require at least 1 dyn byte Signed-off-by: Stefan Metzmacher (cherry picked from commit 18482957daa2e2122ef39426a8fff167df3c9377) --- source3/smbd/smb2_server.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c index fbfe3e7..0d22d84 100644 --- a/source3/smbd/smb2_server.c +++ b/source3/smbd/smb2_server.c @@ -1152,6 +1152,7 @@ NTSTATUS smbd_smb2_request_verify_sizes(struct smbd_smb2_request *req, opcode = SVAL(inhdr, SMB2_HDR_OPCODE); switch (opcode) { + case SMB2_OP_IOCTL: case SMB2_OP_GETINFO: min_dyn_size = 0; break; -- 1.7.3.1 
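Review bot: The new `switch (opcode)` has no `default:` arm and no comment saying why SMB2_OP_GETINFO is exempt from the one-byte dynamic minimum, so the reason for the special case lives only in the commit subject; add `default: break;` and a comment such as `/* GETINFO's odd fixed body ends in the first byte of an optional input buffer, which may be absent */` (assuming that is the reason — the GETINFO body layout is not visible here). Because this opcode exemption sits inside a generic size check, it is worth noting at the `min_dyn_size = 0;` line that handlers for these opcodes get no guarantee the odd trailing body byte exists and must bound their own reads by `req->in.vector[i+2].iov_len`. The following commit adds SMB2_OP_IOCTL to the same arm, so the comment should cover both opcodes.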
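Review bot: The changed line reads `req->in.vector[i+2].iov_len`, but the "should be checked already" guards at the top of smbd_smb2_request_verify_sizes() (only their tail is visible in the previous hunk) appear to establish the range of index i+1 only; unless the input vector is guaranteed to arrive in header/body/dynamic triples, the first guard should be `if ((i+3) > req->in.vector_count) {` so that the i+2 access is covered by the same sanity check. If the triple invariant does hold, a comment stating it next to the guard would make its intent clear to the next reader.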
From a9dae1554159ad68baedc8fb83f005c34fd9e912 Mon Sep 17 00:00:00 2001 From: David Disseldorp Date: Wed, 28 Sep 2011 14:45:42 +0200 Subject: [PATCH 23/23] s3-smb2_server: fix ioctl InputOffset checking Currently the InputOffset is always check to point to the input data buffer, regardless of whether input data is present. Signed-off-by: Stefan Metzmacher (cherry picked from commit dbcd59f46b0d2125dfb6eb82b3d92be228c6ae4b) --- source3/smbd/smb2_ioctl.c | 11 ++++++++++- 1 files changed, 10 insertions(+), 1 deletions(-) diff --git a/source3/smbd/smb2_ioctl.c b/source3/smbd/smb2_ioctl.c index 8f2a471..17b9154 100644 --- a/source3/smbd/smb2_ioctl.c +++ b/source3/smbd/smb2_ioctl.c @@ -68,7 +68,16 @@ NTSTATUS smbd_smb2_request_process_ioctl(struct smbd_smb2_request *req) in_max_output_length = IVAL(inbody, 0x2C); in_flags = IVAL(inbody, 0x30); - if (in_input_offset != (SMB2_HDR_BODY + req->in.vector[i+1].iov_len)) { + /* + * InputOffset (4 bytes): The offset, in bytes, from the beginning of + * the SMB2 header to the input data buffer. If no input data is + * required for the FSCTL/IOCTL command being issued, the client SHOULD + * set this value to 0.<49> + * <49> If no input data is required for the FSCTL/IOCTL command being + * issued, Windows-based clients set this field to any value. + */ + if ((in_input_length > 0) + && (in_input_offset != (SMB2_HDR_BODY + req->in.vector[i+1].iov_len))) { return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER); } -- 1.7.3.1
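Review bot: The relaxed condition skips the InputOffset check whenever in_input_length is 0, as the quoted footnote motivates, but its safety depends on in_input_length itself being bounded by the dynamic buffer length (`req->in.vector[i+2].iov_len`) further down in smbd_smb2_request_process_ioctl(), outside this hunk; worth confirming that bound is still present, since the only input check visible here keys on the length. A style point: Samba places the operator at the end of the continued line, i.e. `if ((in_input_length > 0) &&` followed by `    (in_input_offset != (SMB2_HDR_BODY + req->in.vector[i+1].iov_len))) {`. The enclosing function starts and ends outside the hunk.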