[SCM] Samba Shared Repository - branch master updated - release-4-0-0alpha8-843-g3854b5e

Andrew Tridgell tridge at samba.org
Wed Aug 5 04:24:28 MDT 2009


The branch, master has been updated
       via  3854b5e6146ff8efeb4379a502bb083cbaa05ce4 (commit)
       via  67b6f5784ae8d2e5c5b783b24a4b0ff555a28d44 (commit)
      from  cc74f213248f910c1c7908b23be07485752e85b9 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 3854b5e6146ff8efeb4379a502bb083cbaa05ce4
Author: Andrew Tridgell <tridge at samba.org>
Date:   Wed Aug 5 20:23:12 2009 +1000

    changed BCC handling for SMBwriteX to handle broken MacOSX client
    
    see bug #6610
    
    The MacOSX SMB client sets the BCC value in SMBwriteX calls to zero
    instead of the correct size. Checking against WindowsXP, I've found
    that Windows uses the maximum of the computed buffer size and the
    given BCC value. I've changed Samba4 to do the same to allow MacOSX to
    work.
    
    I've limited this change to non-chained packets to ensure we don't get
    the possibility of exploits based on overlapping chained requests.

commit 67b6f5784ae8d2e5c5b783b24a4b0ff555a28d44
Author: Andrew Tridgell <tridge at samba.org>
Date:   Wed Aug 5 20:19:36 2009 +1000

    on buffer overflow Windows gives SMBSRV:ERRerror here

-----------------------------------------------------------------------

Summary of changes:
 source4/smb_server/smb/receive.c |   21 ++++++++-------------
 source4/smb_server/smb/reply.c   |    2 +-
 2 files changed, 9 insertions(+), 14 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/smb_server/smb/receive.c b/source4/smb_server/smb/receive.c
index 03631f8..9a03909 100644
--- a/source4/smb_server/smb/receive.c
+++ b/source4/smb_server/smb/receive.c
@@ -407,19 +407,14 @@ NTSTATUS smbsrv_recv_smb_request(void *private_data, DATA_BLOB blob)
 		req->in.data = req->in.vwv + VWV(req->in.wct) + 2;
 		req->in.data_size = SVAL(req->in.vwv, VWV(req->in.wct));
 
-		/* the bcc length is only 16 bits, but some packets
-		   (such as SMBwriteX) can be much larger than 64k. We
-		   detect this by looking for a large non-chained NBT
-		   packet (at least 64k bigger than what is
-		   specified). If it is detected then the NBT size is
-		   used instead of the bcc size */
-		if (req->in.data_size + 0x10000 <= 
-		    req->in.size - PTR_DIFF(req->in.data, req->in.buffer) &&
-			( message_flags(command) & LARGE_REQUEST) &&
-			( !(message_flags(command) & AND_X) ||
-		      (req->in.wct < 1 || SVAL(req->in.vwv, VWV(0)) == SMB_CHAIN_NONE) )
-			) {
-			/* its an oversized packet! fun for all the family */
+		/* special handling for oversize calls. Windows seems
+		   to take the maximum of the BCC value and the
+		   computed buffer size. This handles oversized writeX
+		   calls, and possibly oversized SMBtrans calls */
+		if ((message_flags(command) & LARGE_REQUEST) &&
+		    ( !(message_flags(command) & AND_X) ||
+		      (req->in.wct < 1 || SVAL(req->in.vwv, VWV(0)) == SMB_CHAIN_NONE)) &&
+		    req->in.data_size < req->in.size - PTR_DIFF(req->in.data,req->in.buffer)) {
 			req->in.data_size = req->in.size - PTR_DIFF(req->in.data,req->in.buffer);
 		}
 	}
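Review bot: the new final condition in this hunk, `req->in.data_size < req->in.size - PTR_DIFF(req->in.data,req->in.buffer)`, is much wider than the heuristic it replaces: the removed code only overrode the BCC when the NBT packet was at least 0x10000 bytes larger than stated (a wrapped 16-bit count), whereas now any LARGE_REQUEST, non-chained packet with trailing bytes beyond the BCC has data_size silently extended to the end of the NBT buffer. That covers the zero-BCC SMBwriteX case the commit message describes, but it also turns trailing padding on an otherwise well-formed packet into payload, so a comment naming the MacOSX/SMBwriteX motivation at this site and a test that a correct BCC followed by padding still behaves as before would be worthwhile. Two smaller points: the subtraction relies on req->in.data lying inside req->in.buffer (the check is above this hunk, not visible here); if that guarantee ever weakens the unsigned difference wraps and data_size becomes enormous, so computing `remaining = req->in.size - PTR_DIFF(req->in.data, req->in.buffer)` once, with an explicit guard, would be clearer than evaluating the expression twice; and `PTR_DIFF(req->in.data,req->in.buffer)` drops the space after the comma that the removed line had.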
diff --git a/source4/smb_server/smb/reply.c b/source4/smb_server/smb/reply.c
index 0433d35..104caca 100644
--- a/source4/smb_server/smb/reply.c
+++ b/source4/smb_server/smb/reply.c
@@ -1063,7 +1063,7 @@ void smbsrv_reply_write_and_X(struct smbsrv_request *req)
 
 	/* make sure the data is in bounds */
 	if (req_data_oob(&req->in.bufinfo, io->writex.in.data, io->writex.in.count)) {
-		smbsrv_send_error(req, NT_STATUS_FOOBAR);
+		smbsrv_send_error(req, NT_STATUS_DOS(ERRSRV, ERRerror));
 		return;
 	}
 
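Review bot: replacing the NT_STATUS_FOOBAR placeholder with `NT_STATUS_DOS(ERRSRV, ERRerror)` is the right fix, but the reason a DOS-class error is sent here instead of an NT status (matching what Windows returns for an out-of-bounds SMBwriteX, per the commit message) lives only in the commit message; a one-line comment next to `/* make sure the data is in bounds */` would keep that rationale with the code. This req_data_oob check is also what keeps the widened data_size from receive.c safe, since a client claiming a count beyond the received buffer is still rejected before any copy, so a regression test with a truncated writeX that expects ERRSRV/ERRerror would pin both behaviours down.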


-- 
Samba Shared Repository

