[SCM] Samba Shared Repository - branch master updated

Stefan Metzmacher metze at samba.org
Tue Nov 8 09:02:03 MST 2011


The branch, master has been updated
       via  95595dd s3:libsmb: fix cli_write_and_x() against OS/2 print shares (bug #5326)
       via  0fb4991 s3:libsmb: correctly parse the LANMAN2.1 negprot response from OS/2 (bug #8584)
       via  9a3fe3a s3:libsmb: key_len is 8bit only in the NT1 case
      from  26d736f s3: Remove two unused variables

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 95595dd93fd04999fcf56ecaab7c29b064d021f8
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Nov 8 08:25:16 2011 +0100

    s3:libsmb: fix cli_write_and_x() against OS/2 print shares (bug #5326)
    
    Print shares don't support CAP_LARGE_WRITEX, while it's negotiated
    by the file server part.
    
    metze
    
    Autobuild-User: Stefan Metzmacher <metze at samba.org>
    Autobuild-Date: Tue Nov  8 17:01:36 CET 2011 on sn-devel-104

commit 0fb4991116fe07956ad2355121d7b580486b9a45
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Nov 8 08:14:31 2011 +0100

    s3:libsmb: correctly parse the LANMAN2.1 negprot response from OS/2 (bug #8584)
    
    metze

commit 9a3fe3a3292a780743df9dc4afd00864755d3dfd
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Nov 8 08:13:27 2011 +0100

    s3:libsmb: key_len is 8bit only in the NT1 case
    
    metze

-----------------------------------------------------------------------

Summary of changes:
 source3/libsmb/cliconnect.c   |   36 +++++++++++++++++++++++++++++++-----
 source3/libsmb/clireadwrite.c |   19 +++++++++++++++----
 2 files changed, 46 insertions(+), 9 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index af6c51b..8361715 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -2666,7 +2666,7 @@ static void cli_negprot_done(struct tevent_req *subreq)
 		bool server_allowed;
 		const char *server_signing = NULL;
 		bool ok;
-		uint16_t key_len;
+		uint8_t key_len;
 
 		if (wct != 0x11) {
 			tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
@@ -2802,6 +2802,10 @@ static void cli_negprot_done(struct tevent_req *subreq)
 		}
 
 	} else if (protocol >= PROTOCOL_LANMAN1) {
+		DATA_BLOB blob1;
+		ssize_t ret = 0;
+		uint16_t key_len;
+
 		if (wct != 0x0D) {
 			tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
 			return;
@@ -2810,23 +2814,45 @@ static void cli_negprot_done(struct tevent_req *subreq)
 		server_security_mode = SVAL(vwv + 1, 0);
 		server_max_xmit = SVAL(vwv + 2, 0);
 		server_max_mux = SVAL(vwv + 3, 0);
+		server_readbraw = ((SVAL(vwv + 5, 0) & 0x1) != 0);
+		server_writebraw = ((SVAL(vwv + 5, 0) & 0x2) != 0);
 		server_session_key = IVAL(vwv + 6, 0);
 		server_time_zone = SVALS(vwv + 10, 0);
 		server_time_zone *= 60;
 		/* this time is converted to GMT by make_unix_date */
 		server_system_time = make_unix_date(
 			(char *)(vwv + 8), server_time_zone);
-		server_readbraw = ((SVAL(vwv + 5, 0) & 0x1) != 0);
-		server_writebraw = ((SVAL(vwv + 5, 0) & 0x2) != 0);
+		key_len = SVAL(vwv + 11, 0);
 
-		if (num_bytes != 0 && num_bytes != 8) {
+		if (num_bytes < key_len) {
 			tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
 			return;
 		}
 
-		if (num_bytes == 8) {
+		if (key_len != 0 && key_len != 8) {
+			tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
+			return;
+		}
+
+		if (key_len == 8) {
 			memcpy(server_challenge, bytes, 8);
 		}
+
+		blob1 = data_blob_const(bytes+key_len, num_bytes-key_len);
+		if (blob1.length > 0) {
+			ret = pull_string_talloc(state,
+						 (char *)inbuf,
+						 SVAL(inbuf, smb_flg2),
+						 &server_workgroup,
+						 blob1.data,
+						 blob1.length,
+						 STR_TERMINATE|
+						 STR_ASCII);
+			if (ret == -1) {
+				tevent_req_oom(req);
+				return;
+			}
+		}
 	} else {
 		/* the old core protocol */
 		server_time_zone = get_time_zone(time(NULL));
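Review bot: A -1 from `pull_string_talloc()` is reported through `tevent_req_oom(req)`, so if that helper can also fail on a string it cannot convert (its body is not visible here), a malformed workgroup field sent by the server would surface as an out-of-memory error rather than `NT_STATUS_INVALID_NETWORK_RESPONSE`, which every other parse failure in this branch returns. Either distinguish the two cases or add a comment stating that -1 can only mean allocation failure at this call. A one-line comment above `blob1 = data_blob_const(bytes+key_len, num_bytes-key_len);`, for example `/* the bytes after the challenge presumably carry the server's workgroup name */`, would also explain why `STR_ASCII` is forced regardless of `smb_flg2`. The enclosing cli_negprot_done() starts and ends outside this hunk.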
diff --git a/source3/libsmb/clireadwrite.c b/source3/libsmb/clireadwrite.c
index e8c9017..79624ec 100644
--- a/source3/libsmb/clireadwrite.c
+++ b/source3/libsmb/clireadwrite.c
@@ -850,7 +850,7 @@ struct tevent_req *cli_write_andx_create(TALLOC_CTX *mem_ctx,
 		return NULL;
 	}
 
-	size = MIN(size, max_write);
+	state->size = MIN(size, max_write);
 
 	vwv = state->vwv;
 
@@ -862,8 +862,8 @@ struct tevent_req *cli_write_andx_create(TALLOC_CTX *mem_ctx,
 	SIVAL(vwv+5, 0, 0);
 	SSVAL(vwv+7, 0, mode);
 	SSVAL(vwv+8, 0, 0);
-	SSVAL(vwv+9, 0, (size>>16));
-	SSVAL(vwv+10, 0, size);
+	SSVAL(vwv+9, 0, (state->size>>16));
+	SSVAL(vwv+10, 0, state->size);
 
 	SSVAL(vwv+11, 0,
 	      cli_smb_wct_ofs(reqs_before, num_reqs_before)
@@ -933,7 +933,18 @@ static void cli_write_andx_done(struct tevent_req *subreq)
 		return;
 	}
 	state->written = SVAL(vwv+2, 0);
-	state->written |= SVAL(vwv+4, 0)<<16;
+	if (state->size > UINT16_MAX) {
+		/*
+		 * It is important that we only set the
+		 * high bits only if we asked for a large write.
+		 *
+		 * OS/2 print shares get this wrong and may send
+		 * invalid values.
+		 *
+		 * See bug #5326.
+		 */
+		state->written |= SVAL(vwv+4, 0)<<16;
+	}
 	tevent_req_done(req);
 }
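Review bot: `state->written` is still taken from the server's reply without being compared to the `state->size` that was requested, so even with the high word gated a server can report more bytes written than were sent. A check before `tevent_req_done(req)` such as `if (state->written > state->size) { tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); return; }` would reject such a reply. Separately, `SVAL(vwv+4, 0)<<16` is probably evaluated as a signed int after integer promotion, so a high word of 0x8000 or above overflows; `((uint32_t)SVAL(vwv+4, 0))<<16` avoids that. The new comment also repeats "only" ("only set the high bits only if"). The start of cli_write_andx_done() lies outside this hunk.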
 


-- 
Samba Shared Repository

