From a693ca401bb896918a5bb952a531cfc6b657228a Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Wed, 13 Mar 2013 17:19:32 -0700
Subject: [PATCH 1/2] Ensure we explicitly ignore 0xFFFF value for upper length.

Signed-off-by: Jeremy Allison
---
 source3/smbd/reply.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index a708fd8..5dbd6b4 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -3756,6 +3756,13 @@ void reply_read_and_X(struct smb_request *req)

 if (global_client_caps & CAP_LARGE_READX) {
 size_t upper_size = SVAL(req->vwv+7, 0);
+ /*
+ * Some clients send this as an explicit invalid
+ * value.
+ */
+ if (upper_size == 0xFFFF) {
+ upper_size = 0;
+ }
 smb_maxcnt |= (upper_size<<16);
 if (upper_size > 1) {
 /* Can't do this on a chained packet. */
-- 
1.8.1.3

From 049dd27fe65ff1a6bc7caf98dd87af164824856b Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Wed, 13 Mar 2013 17:20:32 -0700
Subject: [PATCH 2/2] Correctly identify big_readX.

We can't just look for the upper length value being greater than 1, as the actual limit is 0x1FFFF minus the SMB header and VWV sizes.

Signed-off-by: Jeremy Allison
---
 source3/smbd/reply.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index 5dbd6b4..06f2644 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -3764,7 +3764,7 @@ void reply_read_and_X(struct smb_request *req)
 upper_size = 0;
 }
 smb_maxcnt |= (upper_size<<16);
- if (upper_size > 1) {
+ if (smb_maxcnt > (0x1FFFF - (smb_size -4 + 12*2))) {
 /* Can't do this on a chained packet. */
 if ((CVAL(req->vwv+0, 0) != 0xFF)) {
 reply_nterror(req, NT_STATUS_NOT_SUPPORTED);
-- 
1.8.1.3
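Review bot: The added `if (upper_size == 0xFFFF)` in the first patch drops the sentinel silently, and the comment above it says neither what that value would otherwise do nor why it is zeroed rather than rejected with an error. Given the `smb_maxcnt |= (upper_size<<16)` that follows, an unfiltered 0xFFFF upper word turns what the client most likely meant as a plain 16-bit length into a request of roughly 4 GiB, so the comment should say so: `/* Some clients send 0xFFFF as an explicit "not set" upper word. Treat it as zero so it does not inflate smb_maxcnt to ~4 GiB; other nonzero values are genuine large reads and go through the big_readX checks below. */`. That every other nonzero value is meant to be accepted is something I infer from the `upper_size > 1` test that follows, so confirm before wording it that way. The enclosing reply_read_and_X starts before and continues after the hunk.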
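Review bot: The new gate in the second patch, `if (smb_maxcnt > (0x1FFFF - (smb_size -4 + 12*2))) {`, hides the big_readX threshold in bare arithmetic; the commit message explains it but the code does not, and `-4` and `12*2` in particular will be opaque to the next reader. I'd compute it once in a named local above the `if`, with a comment such as `/* Largest read that still fits a normal readX reply: the 0x1FFFF session-message limit minus the SMB header (smb_size presumably includes the 4-byte NBT length prefix) and the 12-word readX VWV; anything larger must take the big_readX path. */`, and compare smb_maxcnt against that name. This also moves reads just under 0x20000, which the old `upper_size > 1` test let through the non-big path, onto the big_readX checks, and that behaviour change is worth one sentence in the comment. reply_read_and_X continues outside the hunk on both sides.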