[Samba] Problem with Win95 + DFS clients (fwd)

is at tracetec.com.my
Fri Sep 5 12:14:26 GMT 2003


Hi,

I've found a problem with samba when printing from a client running win95
+ DFS. The print fails with a segmentation fault. The problem is that
Win95 does not return the proper file_fsp( smb_vwv0) when doing an IOCTL
request. This causes the file_fsp call in reply_ioctl (smbd/reply.c) to
fail, causing a segmentation fault.

I do not understand how samba works, but here is my working patch for this. I
just copied the fid from the last open_And_X call and wrote it into inbuf
if the file_fsp is different.

Attached here is the diff. The patch is only on
/smbd/reply.c.

Thank you.
 
Iskantharajah T

-------------- next part --------------
--- ./reply.c	Mon Apr  7 09:54:00 2003
+++ reply.c.new	Fri Sep  5 19:38:51 2003
@@ -45,6 +45,10 @@
  Report a possible attack via the password buffer overflow bug.
 ****************************************************************************/
 
+/*iskantha Problem with win95 + DFS*/
+static int hack_fid;
+
+
 static void overflow_attack(int len)
 {
 	if( DEBUGLVL( 0 ) ) {
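Review bot: the new `static int hack_fid` is a single file-scope value with no association to the connection or share it was recorded on, so whichever OpenAndX a client issued last wins, regardless of which tree connect or which printer it belonged to. If the workaround stays, the comment above it should say what it holds (the fnum of the last successful OpenAndX in this smbd process) and that it starts at 0 before any open has happened; `/*iskantha Problem with win95 + DFS*/` does not explain either.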
@@ -429,8 +433,26 @@
 	uint32 ioctl_code = (device << 16) + function;
 	int replysize, outsize;
 	char *p;
+	int temp = 0;
 	files_struct *fsp = file_fsp(inbuf,smb_vwv0);
-	START_PROFILE(SMBioctl);
+        int fid = SVAL(inbuf,smb_vwv0);
+
+        DEBUG ( 4, ( " smbvwv0 before = %i ( 0x%x )\n", fid, fid));
+	/* hack for Win95 + dfs . Does not give proper value of fid in request 
+            Value taken from last open_and_X */
+        if ( fid != hack_fid ) { 
+		SSVAL(inbuf, smb_vwv0, hack_fid );
+		fsp = file_fsp(inbuf,smb_vwv0);
+		};
+ 	fid = SVAL(inbuf,smb_vwv0);
+	DEBUG ( 4, ( " smbvwv0 after = %i ( 0x%x )\n", fid, fid));
+ 
+       /* iskantha - hack fid */
+        if ( fsp == NULL ) {
+		DEBUG( 0, ("FSP still null"));
+		};
+
+        START_PROFILE(SMBioctl);
 
 	DEBUG(4, ("Received IOCTL (code 0x%x)\n", ioctl_code));
 
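Review bot: the condition `if ( fid != hack_fid )` rewrites the client's fid for every IOCTL whose fid is not the most recently opened fnum, not only for the Win95+DFS case the cover note describes, so a well-formed IOCTL from any client on an older open file gets redirected to the wrong `files_struct`. The substitution should be attempted only when the original lookup failed, i.e. move the `SSVAL(inbuf, smb_vwv0, hack_fid)` and the second `file_fsp` call under `if (fsp == NULL)`, and leave a request that already resolved alone. Smaller points in the same hunk: the two `};` after the closing braces are stray semicolons; the indentation mixes tabs and eight spaces against the surrounding tab-indented code; `DEBUG( 0, ("FSP still null"))` is missing its `\n` and is logged at level 0 for what is then treated as a handled condition; and `int temp = 0;` is only ever used as the literal 0 in the later hunk.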
@@ -453,7 +475,10 @@
 	switch (ioctl_code)
 	{
 	    case IOCTL_QUERY_JOB_INFO:		    
-		SSVAL(p,0,fsp->print_jobid);             /* Job number */
+	        if ( fsp != NULL ) 
+		    SSVAL(p,0,fsp->print_jobid);             /* Job number */
+		else
+		    SSVAL(p,0,temp); 
 		StrnCpy(p+2, global_myname, 15);         /* Our NetBIOS name */
 		StrnCpy(p+18, lp_servicename(SNUM(conn)), 13); /* Service name */
 		break;
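Review bot: when `fsp` is NULL this now answers IOCTL_QUERY_JOB_INFO with job number 0 (`SSVAL(p,0,temp)`) and still fills in the server and service names, so the client receives a plausible-looking but bogus job id instead of an error. It would be safer to return the same error reply_ioctl gives for an invalid fid and skip building the job info at all; if a fallback value is kept, write `0` directly rather than through `temp`, and the `if` line carries trailing whitespace.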
@@ -1782,6 +1807,11 @@
   SSVAL(outbuf,smb_vwv11,smb_action);
 
   END_PROFILE(SMBopenX);
+  /* iskantha : attach hack_fid to last fnum */
+  hack_fid = fsp->fnum;
+  DEBUG(4,("open_and_X connect: FID = %d ( %x ) hack_fid = %d \n",
+			 fsp->fnum, fsp->fnum , hack_fid ));      
+
   return chain_reply(inbuf,outbuf,length,bufsize);
 }
 
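Review bot: `hack_fid = fsp->fnum;` runs unconditionally after every successful OpenAndX, which is what makes the substitution in reply_ioctl apply to all clients and all file types, not just print jobs from Win95+DFS. If the record is needed, limit it to opens on print shares (the only case the IOCTL path uses it) and document that it is only valid within this smbd process. The DEBUG line's format string has trailing spaces and the label "open_and_X connect" is misleading for a plain file open; `"reply_open_and_X: fnum=%d (0x%x) hack_fid=%d\n"` would read more clearly.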

