[SCM] Samba Shared Repository - branch v3-6-test updated
Karolin Seeger
kseeger at samba.org
Wed Oct 12 12:48:13 MDT 2011
The branch, v3-6-test has been updated
via 18d7c0c s3-smb2_server: fix ioctl InputOffset checking
via e68fae4 s3-smb2_server: SMB2_OP_IOCTL doesn't require at least 1 dyn byte
via 349a7a5 s3:smb2_server: SMB2_OP_GETINFO doesn't require at least 1 dyn byte
via fdb15df s3:smb2_server: return OBJECT_NAME_INVALID if the path is terminated in SMB2_FIND/QUERY_DIRECTORY
via 52d0bde s3:smb2_server: return OBJECT_NAME_INVALID if the path is terminated in SMB2_CREATE
via fb1c618 s3:smb2_server: return BAD_NETWORK_NAME if the path is terminated in SMB2_TCON
via 10e5d1c s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_write.c
via 56b765a s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_setinfo.c
via ecfbe10 s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_read.c
via c9e510c s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_notify.c
via 12869c0 s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_lock.c
via 0d217c5 s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_keepalive.c
via 73aa7ee s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_ioctl.c
via f45348e s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_getinfo.c
via 2bd03ad s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_flush.c
via 5ec26db s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_find.c
via 4e48179 s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_create.c
via 27f3f26 s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_close.c
via b4190c3 s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_break.c
via 32e0306 s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_tcon.c
via fd01ec1 s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_sesssetup.c
via f32047b s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_negprot.c
via fd6abe0 s3:smb2_server: add smbd_smb2_request_verify_sizes()
from 762811d s3:smb2_create: fix allocation size return value when opening existing files
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test
- Log -----------------------------------------------------------------
commit 18d7c0cd25b1fe09a361a332a9191c92bb5a315e
Author: David Disseldorp <ddiss at suse.de>
Date: Wed Sep 28 14:45:42 2011 +0200
s3-smb2_server: fix ioctl InputOffset checking
Currently the InputOffset is always checked to point to the input data
buffer, regardless of whether input data is present.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit dbcd59f46b0d2125dfb6eb82b3d92be228c6ae4b)
The last 22 patches address bug #8520 (Fix SMB2 SMB2_OP_GETINFO and
SMB2_OP_IOCTL parsing requirements).
commit e68fae451f4e1feb48484d0e28ed5fad1df7ca55
Author: David Disseldorp <ddiss at suse.de>
Date: Sun Sep 25 23:39:07 2011 +0200
s3-smb2_server: SMB2_OP_IOCTL doesn't require at least 1 dyn byte
Signed-off-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 18482957daa2e2122ef39426a8fff167df3c9377)
commit 349a7a5005609fadbec71d7a033b95757f23a59a
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Sep 14 13:04:28 2011 +0200
s3:smb2_server: SMB2_OP_GETINFO doesn't require at least 1 dyn byte
metze
(cherry picked from commit 563fa741f6a34a1300c81a8474ca87346a9f5cca)
commit fdb15df44a5ee4101b9e0c9bcdd07e48f6ce24fc
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Sep 6 14:14:52 2011 +0200
s3:smb2_server: return OBJECT_NAME_INVALID if the path is terminated in SMB2_FIND/QUERY_DIRECTORY
metze
Autobuild-User: Stefan Metzmacher <metze at samba.org>
Autobuild-Date: Wed Sep 7 12:15:51 CEST 2011 on sn-devel-104
(cherry picked from commit 9bc4decc1cba701926fc8081c3903aac754a6f51)
commit 52d0bde69a67c1a3a6798b496eec75ca1d3259f2
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Sep 6 14:14:52 2011 +0200
s3:smb2_server: return OBJECT_NAME_INVALID if the path is terminated in SMB2_CREATE
metze
(cherry picked from commit 1bc93c2605e14104237bb100db1d8acb1e7fe389)
commit fb1c61880c962f26a28a45ffc9c8680edad65488
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Sep 6 14:14:52 2011 +0200
s3:smb2_server: return BAD_NETWORK_NAME if the path is terminated in SMB2_TCON
metze
(cherry picked from commit 68b33aa61ac393c2737969f8449adce3e3096d73)
commit 10e5d1c6361fb309de0b2dd291deefb69c6506e6
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Sep 6 14:01:43 2011 +0200
s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_write.c
metze
(cherry picked from commit 1a726b88ec74962d0317740bbdf576ddcffb52bc)
commit 56b765a8663f59d247f970af8273ba749f094cae
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Sep 6 14:01:43 2011 +0200
s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_setinfo.c
metze
(cherry picked from commit 3643a05ba63ac5d8466dc8391b5d05efeedb5ac4)
commit ecfbe10edab6bd1a6a30cc4e1a19f3289d58455c
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Sep 6 14:01:43 2011 +0200
s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_read.c
metze
(cherry picked from commit f3a8d65bdfe496f080a74eb7104500bd8e2b0179)
commit c9e510cd3d509999d6a6ed813c2a4ebff7b5456c
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Sep 6 14:01:43 2011 +0200
s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_notify.c
metze
(cherry picked from commit c6480366e551d1dc683c2648bd897bdc7c1b90df)
commit 12869c065fe164e02425ef44f4879b11ea0e7baf
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Sep 6 14:01:43 2011 +0200
s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_lock.c
metze
(cherry picked from commit a358eee2d8670d4a1675e82562fa704fa45a71e6)
commit 0d217c5f9c725926b6a58373af59e8bca3dd6edc
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Sep 6 14:01:43 2011 +0200
s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_keepalive.c
metze
(cherry picked from commit 22d479f75794b7c5fcac2fd47fbfd767700507d6)
commit 73aa7eee9af008a5dad96d658c4d3d5b5148cce6
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Sep 6 14:01:43 2011 +0200
s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_ioctl.c
metze
(cherry picked from commit 29b3601c028b8861102b1d988285c78fc17f3b8e)
commit f45348edea0b2ee8b397e7236dc7786cbce96c19
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Sep 6 14:01:43 2011 +0200
s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_getinfo.c
metze
(cherry picked from commit 880eafd7e83ba326be7036605179e8de746f4312)
commit 2bd03ad79a4afcb419513185defdeb7aff69427b
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Sep 6 14:01:43 2011 +0200
s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_flush.c
metze
(cherry picked from commit 440f702aa9a020f8cfe13037b7af1ba0dadf86f2)
commit 5ec26db056b7bb86be4a09f1999fadc383001d57
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Sep 6 14:01:43 2011 +0200
s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_find.c
metze
(cherry picked from commit bc95ab99dc84fa6d567a7d4e803552363bbc07a9)
commit 4e4817930955228923f04540404786ff88ad14f8
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Sep 6 14:01:43 2011 +0200
s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_create.c
metze
(cherry picked from commit 251815bfd395398857cb60c0b89710ddce7ab19f)
commit 27f3f2617a5de7797458b6d39ddf7ab6212d0949
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Sep 6 14:01:43 2011 +0200
s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_close.c
metze
(cherry picked from commit e09b3940a769806dcc17d24079375f5d53eca26a)
commit b4190c336dc344f96c4bb837da1e7e923abffca5
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Sep 6 14:01:43 2011 +0200
s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_break.c
metze
(cherry picked from commit 9da2f72d471460d9c953e9cee84c9cfa3611e89e)
commit 32e0306924ade89c67970c6714bd2033056b3792
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Sep 6 14:01:43 2011 +0200
s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_tcon.c
metze
(cherry picked from commit 02f7c37e671c7950619c000b73c5a09ce31c68ac)
commit fd01ec18dc84b4d632bf9384705d72f2a970cf65
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Sep 6 14:01:43 2011 +0200
s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_sesssetup.c
metze
(cherry picked from commit d280d9f945be2d658694c6d4503822e99dc953b5)
commit f32047b23d6e16e4cc75ae0b3beaf7b34307703c
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Sep 6 14:01:43 2011 +0200
s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_negprot.c
metze
(cherry picked from commit 7ec3a35d2a67ca93a49094f07a12b0e37cec1661)
commit fd6abe0c92cb22d26615ea443e0ede288ab37a6e
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Oct 3 14:50:48 2011 -0700
s3:smb2_server: add smbd_smb2_request_verify_sizes()
metze.
-----------------------------------------------------------------------
Summary of changes:
source3/smbd/globals.h | 3 ++
source3/smbd/smb2_break.c | 16 +++---------
source3/smbd/smb2_close.c | 15 ++---------
source3/smbd/smb2_create.c | 23 +++++++++--------
source3/smbd/smb2_find.c | 26 +++++++++---------
source3/smbd/smb2_flush.c | 16 +++---------
source3/smbd/smb2_getinfo.c | 18 +++---------
source3/smbd/smb2_ioctl.c | 27 ++++++++++---------
source3/smbd/smb2_keepalive.c | 17 +++---------
source3/smbd/smb2_lock.c | 16 +++--------
source3/smbd/smb2_negprot.c | 14 +++-------
source3/smbd/smb2_notify.c | 16 +++---------
source3/smbd/smb2_read.c | 16 +++--------
source3/smbd/smb2_server.c | 55 +++++++++++++++++++++++++++++++++++++++++
source3/smbd/smb2_sesssetup.c | 35 ++++++-------------------
source3/smbd/smb2_setinfo.c | 18 +++---------
source3/smbd/smb2_tcon.c | 40 ++++++++++++------------------
source3/smbd/smb2_write.c | 18 ++++---------
18 files changed, 171 insertions(+), 218 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/smbd/globals.h b/source3/smbd/globals.h
index abeaed4..7033848 100644
--- a/source3/smbd/globals.h
+++ b/source3/smbd/globals.h
@@ -278,6 +278,9 @@ NTSTATUS smbd_smb2_request_check_tcon(struct smbd_smb2_request *req);
struct smb_request *smbd_smb2_fake_smb_request(struct smbd_smb2_request *req);
void remove_smb2_chained_fsp(files_struct *fsp);
+NTSTATUS smbd_smb2_request_verify_sizes(struct smbd_smb2_request *req,
+ size_t expected_body_size);
+
NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req);
NTSTATUS smbd_smb2_request_process_sesssetup(struct smbd_smb2_request *req);
NTSTATUS smbd_smb2_request_process_logoff(struct smbd_smb2_request *req);
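Review bot: the new prototype carries no comment stating its contract, and the implementation in smb2_server.c is not in the truncated changeset (the diffstat shows +55 lines there), so the declaration is all a reader of this patch gets. Every caller below deletes two checks, `req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)` and `body_size = SVAL(inbody, 0x00); if (body_size != expected_body_size)`, and then reads fixed offsets such as `BVAL(inbody, 0x10)` with no further bounds check. Please document above the declaration that smbd_smb2_request_verify_sizes() enforces both of those conditions, what it requires of the dynamic buffer (the "doesn't require at least 1 dyn byte" commits in this push change that rule for GETINFO and IOCTL), and which NTSTATUS values it can return, so the callers can be reviewed against the declaration alone.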
diff --git a/source3/smbd/smb2_break.c b/source3/smbd/smb2_break.c
index 5d5ab41..ce583ac 100644
--- a/source3/smbd/smb2_break.c
+++ b/source3/smbd/smb2_break.c
@@ -36,28 +36,20 @@ static NTSTATUS smbd_smb2_oplock_break_recv(struct tevent_req *req,
static void smbd_smb2_request_oplock_break_done(struct tevent_req *subreq);
NTSTATUS smbd_smb2_request_process_break(struct smbd_smb2_request *req)
{
- const uint8_t *inhdr;
+ NTSTATUS status;
const uint8_t *inbody;
int i = req->current_idx;
- size_t expected_body_size = 0x18;
- size_t body_size;
uint8_t in_oplock_level;
uint64_t in_file_id_persistent;
uint64_t in_file_id_volatile;
struct tevent_req *subreq;
- inhdr = (const uint8_t *)req->in.vector[i+0].iov_base;
- if (req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) {
- return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
+ status = smbd_smb2_request_verify_sizes(req, 0x18);
+ if (!NT_STATUS_IS_OK(status)) {
+ return smbd_smb2_request_error(req, status);
}
-
inbody = (const uint8_t *)req->in.vector[i+1].iov_base;
- body_size = SVAL(inbody, 0x00);
- if (body_size != expected_body_size) {
- return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
- }
-
in_oplock_level = CVAL(inbody, 0x02);
if (in_oplock_level != SMB2_OPLOCK_LEVEL_NONE &&
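Review bot: the dropped `inhdr` was assigned but never read in this function, so removing it is correct; the remaining point is style: the literal `0x18` passed to smbd_smb2_request_verify_sizes() replaces the self-documenting `expected_body_size` local, and the same bare literal appears in smb2_close.c and smb2_flush.c. A short comment (`/* StructureSize of an SMB2 OPLOCK_BREAK request */`) or a named constant would preserve the meaning the deleted variable carried. Note also that `in_oplock_level = CVAL(inbody, 0x02)` and the two file ids that follow are now bounded solely by the helper's check on `req->in.vector[i+1].iov_len`.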
diff --git a/source3/smbd/smb2_close.c b/source3/smbd/smb2_close.c
index 93ce5ba..ffe08cc 100644
--- a/source3/smbd/smb2_close.c
+++ b/source3/smbd/smb2_close.c
@@ -30,30 +30,21 @@ static NTSTATUS smbd_smb2_close(struct smbd_smb2_request *req,
NTSTATUS smbd_smb2_request_process_close(struct smbd_smb2_request *req)
{
- const uint8_t *inhdr;
const uint8_t *inbody;
int i = req->current_idx;
uint8_t *outhdr;
DATA_BLOB outbody;
- size_t expected_body_size = 0x18;
- size_t body_size;
uint16_t in_flags;
uint64_t in_file_id_persistent;
uint64_t in_file_id_volatile;
NTSTATUS status;
- inhdr = (const uint8_t *)req->in.vector[i+0].iov_base;
- if (req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) {
- return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
+ status = smbd_smb2_request_verify_sizes(req, 0x18);
+ if (!NT_STATUS_IS_OK(status)) {
+ return smbd_smb2_request_error(req, status);
}
-
inbody = (const uint8_t *)req->in.vector[i+1].iov_base;
- body_size = SVAL(inbody, 0x00);
- if (body_size != expected_body_size) {
- return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
- }
-
outbody = data_blob_talloc(req->out.vector, NULL, 0x3C);
if (outbody.data == NULL) {
return smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY);
diff --git a/source3/smbd/smb2_create.c b/source3/smbd/smb2_create.c
index 5316100..a98422c 100644
--- a/source3/smbd/smb2_create.c
+++ b/source3/smbd/smb2_create.c
@@ -100,8 +100,6 @@ NTSTATUS smbd_smb2_request_process_create(struct smbd_smb2_request *smb2req)
{
const uint8_t *inbody;
int i = smb2req->current_idx;
- size_t expected_body_size = 0x39;
- size_t body_size;
uint8_t in_oplock_level;
uint32_t in_impersonation_level;
uint32_t in_desired_access;
@@ -127,17 +125,12 @@ NTSTATUS smbd_smb2_request_process_create(struct smbd_smb2_request *smb2req)
bool ok;
struct tevent_req *tsubreq;
- if (smb2req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) {
- return smbd_smb2_request_error(smb2req, NT_STATUS_INVALID_PARAMETER);
+ status = smbd_smb2_request_verify_sizes(smb2req, 0x39);
+ if (!NT_STATUS_IS_OK(status)) {
+ return smbd_smb2_request_error(smb2req, status);
}
-
inbody = (const uint8_t *)smb2req->in.vector[i+1].iov_base;
- body_size = SVAL(inbody, 0x00);
- if (body_size != expected_body_size) {
- return smbd_smb2_request_error(smb2req, NT_STATUS_INVALID_PARAMETER);
- }
-
in_oplock_level = CVAL(inbody, 0x03);
in_impersonation_level = IVAL(inbody, 0x04);
in_desired_access = IVAL(inbody, 0x18);
@@ -158,7 +151,7 @@ NTSTATUS smbd_smb2_request_process_create(struct smbd_smb2_request *smb2req)
* overlap
*/
- dyn_offset = SMB2_HDR_BODY + (body_size & 0xFFFFFFFE);
+ dyn_offset = SMB2_HDR_BODY + smb2req->in.vector[i+1].iov_len;
if (in_name_offset == 0 && in_name_length == 0) {
/* This is ok */
@@ -219,6 +212,14 @@ NTSTATUS smbd_smb2_request_process_create(struct smbd_smb2_request *smb2req)
return smbd_smb2_request_error(smb2req, NT_STATUS_ILLEGAL_CHARACTER);
}
+ if (in_name_buffer.length == 0) {
+ in_name_string_size = 0;
+ }
+
+ if (strlen(in_name_string) != in_name_string_size) {
+ return smbd_smb2_request_error(smb2req, NT_STATUS_OBJECT_NAME_INVALID);
+ }
+
ZERO_STRUCT(in_context_blobs);
status = smb2_create_blob_parse(smb2req, in_context_buffer, &in_context_blobs);
if (!NT_STATUS_IS_OK(status)) {
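Review bot: `strlen(in_name_string)` is only safe if the conversion that produced `in_name_string` (outside this hunk) NUL-terminates its output; please confirm that, or assert it, before relying on it here. The `in_name_buffer.length == 0` special case has no comment saying why `in_name_string_size` must be forced to 0 for an empty name; one line explaining that the conversion does not yield 0 for empty input would stop a later reader from removing it as redundant. The check itself does what the commit title says: a NUL inside the name makes strlen() shorter than the converted size and the request is rejected with NT_STATUS_OBJECT_NAME_INVALID.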
diff --git a/source3/smbd/smb2_find.c b/source3/smbd/smb2_find.c
index 362dff4..4a49f2a 100644
--- a/source3/smbd/smb2_find.c
+++ b/source3/smbd/smb2_find.c
@@ -41,11 +41,9 @@ static NTSTATUS smbd_smb2_find_recv(struct tevent_req *req,
static void smbd_smb2_request_find_done(struct tevent_req *subreq);
NTSTATUS smbd_smb2_request_process_find(struct smbd_smb2_request *req)
{
- const uint8_t *inhdr;
+ NTSTATUS status;
const uint8_t *inbody;
int i = req->current_idx;
- size_t expected_body_size = 0x21;
- size_t body_size;
uint8_t in_file_info_class;
uint8_t in_flags;
uint32_t in_file_index;
@@ -60,18 +58,12 @@ NTSTATUS smbd_smb2_request_process_find(struct smbd_smb2_request *req)
struct tevent_req *subreq;
bool ok;
- inhdr = (const uint8_t *)req->in.vector[i+0].iov_base;
- if (req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) {
- return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
+ status = smbd_smb2_request_verify_sizes(req, 0x21);
+ if (!NT_STATUS_IS_OK(status)) {
+ return smbd_smb2_request_error(req, status);
}
-
inbody = (const uint8_t *)req->in.vector[i+1].iov_base;
- body_size = SVAL(inbody, 0x00);
- if (body_size != expected_body_size) {
- return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
- }
-
in_file_info_class = CVAL(inbody, 0x02);
in_flags = CVAL(inbody, 0x03);
in_file_index = IVAL(inbody, 0x04);
@@ -84,7 +76,7 @@ NTSTATUS smbd_smb2_request_process_find(struct smbd_smb2_request *req)
if (in_file_name_offset == 0 && in_file_name_length == 0) {
/* This is ok */
} else if (in_file_name_offset !=
- (SMB2_HDR_BODY + (body_size & 0xFFFFFFFE))) {
+ (SMB2_HDR_BODY + req->in.vector[i+1].iov_len)) {
return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
}
@@ -115,6 +107,14 @@ NTSTATUS smbd_smb2_request_process_find(struct smbd_smb2_request *req)
return smbd_smb2_request_error(req, NT_STATUS_ILLEGAL_CHARACTER);
}
+ if (in_file_name_buffer.length == 0) {
+ in_file_name_string_size = 0;
+ }
+
+ if (strlen(in_file_name_string) != in_file_name_string_size) {
+ return smbd_smb2_request_error(req, NT_STATUS_OBJECT_NAME_INVALID);
+ }
+
if (req->compat_chain_fsp) {
/* skip check */
} else if (in_file_id_persistent != in_file_id_volatile) {
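Review bot: this is the same eight-line embedded-NUL check that was added to smb2_create.c, and the summary shows smb2_tcon.c changed as well (returning BAD_NETWORK_NAME there). Consider a single helper taking the converted string, its size and the status to return, e.g. a hypothetical `smbd_smb2_check_name_terminated(str, size, status)`, so the three copies cannot drift apart; the `in_file_name_buffer.length == 0` special case needs the same explanatory comment requested for smb2_create.c.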
diff --git a/source3/smbd/smb2_flush.c b/source3/smbd/smb2_flush.c
index c3f5a30..9b00eb2 100644
--- a/source3/smbd/smb2_flush.c
+++ b/source3/smbd/smb2_flush.c
@@ -33,27 +33,19 @@ static NTSTATUS smbd_smb2_flush_recv(struct tevent_req *req);
static void smbd_smb2_request_flush_done(struct tevent_req *subreq);
NTSTATUS smbd_smb2_request_process_flush(struct smbd_smb2_request *req)
{
- const uint8_t *inhdr;
+ NTSTATUS status;
const uint8_t *inbody;
int i = req->current_idx;
- size_t expected_body_size = 0x18;
- size_t body_size;
uint64_t in_file_id_persistent;
uint64_t in_file_id_volatile;
struct tevent_req *subreq;
- inhdr = (const uint8_t *)req->in.vector[i+0].iov_base;
- if (req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) {
- return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
+ status = smbd_smb2_request_verify_sizes(req, 0x18);
+ if (!NT_STATUS_IS_OK(status)) {
+ return smbd_smb2_request_error(req, status);
}
-
inbody = (const uint8_t *)req->in.vector[i+1].iov_base;
- body_size = SVAL(inbody, 0x00);
- if (body_size != expected_body_size) {
- return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
- }
-
in_file_id_persistent = BVAL(inbody, 0x08);
in_file_id_volatile = BVAL(inbody, 0x10);
diff --git a/source3/smbd/smb2_getinfo.c b/source3/smbd/smb2_getinfo.c
index 3c8c690..61e0cfa 100644
--- a/source3/smbd/smb2_getinfo.c
+++ b/source3/smbd/smb2_getinfo.c
@@ -44,11 +44,9 @@ static NTSTATUS smbd_smb2_getinfo_recv(struct tevent_req *req,
static void smbd_smb2_request_getinfo_done(struct tevent_req *subreq);
NTSTATUS smbd_smb2_request_process_getinfo(struct smbd_smb2_request *req)
{
- const uint8_t *inhdr;
+ NTSTATUS status;
const uint8_t *inbody;
int i = req->current_idx;
- size_t expected_body_size = 0x29;
- size_t body_size;
uint8_t in_info_type;
uint8_t in_file_info_class;
uint32_t in_output_buffer_length;
@@ -61,18 +59,12 @@ NTSTATUS smbd_smb2_request_process_getinfo(struct smbd_smb2_request *req)
uint64_t in_file_id_volatile;
struct tevent_req *subreq;
- inhdr = (const uint8_t *)req->in.vector[i+0].iov_base;
- if (req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) {
- return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
+ status = smbd_smb2_request_verify_sizes(req, 0x29);
+ if (!NT_STATUS_IS_OK(status)) {
+ return smbd_smb2_request_error(req, status);
}
-
inbody = (const uint8_t *)req->in.vector[i+1].iov_base;
- body_size = SVAL(inbody, 0x00);
- if (body_size != expected_body_size) {
- return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
- }
-
in_info_type = CVAL(inbody, 0x02);
in_file_info_class = CVAL(inbody, 0x03);
in_output_buffer_length = IVAL(inbody, 0x04);
@@ -87,7 +79,7 @@ NTSTATUS smbd_smb2_request_process_getinfo(struct smbd_smb2_request *req)
if (in_input_buffer_offset == 0 && in_input_buffer_length == 0) {
/* This is ok */
} else if (in_input_buffer_offset !=
- (SMB2_HDR_BODY + (body_size & 0xFFFFFFFE))) {
+ (SMB2_HDR_BODY + req->in.vector[i+1].iov_len)) {
return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
}
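Review bot: the offset check keeps its strict form here: a non-zero `in_input_buffer_offset` with `in_input_buffer_length == 0` is still rejected with NT_STATUS_INVALID_PARAMETER, whereas the smb2_ioctl.c hunk in this same changeset skips the offset check whenever the length is 0. If the asymmetry is intended (the GETINFO companion commit only drops the "at least 1 dyn byte" requirement), a one-line comment above the `else if` saying so would keep the next reader from "fixing" it to match ioctl.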
diff --git a/source3/smbd/smb2_ioctl.c b/source3/smbd/smb2_ioctl.c
index 88775b4..17b9154 100644
--- a/source3/smbd/smb2_ioctl.c
+++ b/source3/smbd/smb2_ioctl.c
@@ -41,11 +41,9 @@ static NTSTATUS smbd_smb2_ioctl_recv(struct tevent_req *req,
static void smbd_smb2_request_ioctl_done(struct tevent_req *subreq);
NTSTATUS smbd_smb2_request_process_ioctl(struct smbd_smb2_request *req)
{
- const uint8_t *inhdr;
+ NTSTATUS status;
const uint8_t *inbody;
int i = req->current_idx;
- size_t expected_body_size = 0x39;
- size_t body_size;
uint32_t in_ctl_code;
uint64_t in_file_id_persistent;
uint64_t in_file_id_volatile;
@@ -56,18 +54,12 @@ NTSTATUS smbd_smb2_request_process_ioctl(struct smbd_smb2_request *req)
uint32_t in_flags;
struct tevent_req *subreq;
- inhdr = (const uint8_t *)req->in.vector[i+0].iov_base;
- if (req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) {
- return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
+ status = smbd_smb2_request_verify_sizes(req, 0x39);
+ if (!NT_STATUS_IS_OK(status)) {
+ return smbd_smb2_request_error(req, status);
}
-
inbody = (const uint8_t *)req->in.vector[i+1].iov_base;
- body_size = SVAL(inbody, 0x00);
- if (body_size != expected_body_size) {
- return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
- }
-
in_ctl_code = IVAL(inbody, 0x04);
in_file_id_persistent = BVAL(inbody, 0x08);
in_file_id_volatile = BVAL(inbody, 0x10);
@@ -76,7 +68,16 @@ NTSTATUS smbd_smb2_request_process_ioctl(struct smbd_smb2_request *req)
in_max_output_length = IVAL(inbody, 0x2C);
in_flags = IVAL(inbody, 0x30);
- if (in_input_offset != (SMB2_HDR_BODY + (body_size & 0xFFFFFFFE))) {
+ /*
+ * InputOffset (4 bytes): The offset, in bytes, from the beginning of
+ * the SMB2 header to the input data buffer. If no input data is
+ * required for the FSCTL/IOCTL command being issued, the client SHOULD
+ * set this value to 0.<49>
+ * <49> If no input data is required for the FSCTL/IOCTL command being
+ * issued, Windows-based clients set this field to any value.
+ */
+ if ((in_input_length > 0)
+ && (in_input_offset != (SMB2_HDR_BODY + req->in.vector[i+1].iov_len))) {
return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
}
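Review bot: with `in_input_offset` ignored whenever `in_input_length == 0`, nothing in this hunk stops later code from still using the unchecked offset to locate the input buffer; the code that builds the input blob (outside this hunk) must branch on `in_input_length == 0` too and treat the input as empty, otherwise an arbitrary client-supplied offset is consumed without validation. Combined with the companion commit that lets SMB2_OP_IOCTL arrive with zero dyn bytes, anything indexing `req->in.vector[i+2]` also has to cope with `iov_len == 0`. The quoted MS-SMB2 text explains why the relaxation is needed; please also state in that comment where `in_input_length` itself is checked against the dynamic buffer, since this hunk does not do it.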
diff --git a/source3/smbd/smb2_keepalive.c b/source3/smbd/smb2_keepalive.c
index a830260..24a4f8e 100644
--- a/source3/smbd/smb2_keepalive.c
+++ b/source3/smbd/smb2_keepalive.c
@@ -25,21 +25,12 @@
NTSTATUS smbd_smb2_request_process_keepalive(struct smbd_smb2_request *req)
{
- const uint8_t *inbody;
- int i = req->current_idx;
DATA_BLOB outbody;
- size_t expected_body_size = 0x04;
- size_t body_size;
+ NTSTATUS status;
- if (req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) {
- return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
- }
-
- inbody = (const uint8_t *)req->in.vector[i+1].iov_base;
-
- body_size = SVAL(inbody, 0x00);
- if (body_size != expected_body_size) {
- return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
+ status = smbd_smb2_request_verify_sizes(req, 0x04);
+ if (!NT_STATUS_IS_OK(status)) {
+ return smbd_smb2_request_error(req, status);
}
/* TODO: update some time stamps */
diff --git a/source3/smbd/smb2_lock.c b/source3/smbd/smb2_lock.c
index fce3c7c..28612ae 100644
--- a/source3/smbd/smb2_lock.c
+++ b/source3/smbd/smb2_lock.c
@@ -58,8 +58,6 @@ NTSTATUS smbd_smb2_request_process_lock(struct smbd_smb2_request *req)
const uint8_t *inhdr;
const uint8_t *inbody;
const int i = req->current_idx;
- size_t expected_body_size = 0x30;
- size_t body_size;
uint32_t in_smbpid;
uint16_t in_lock_count;
uint64_t in_file_id_persistent;
@@ -68,19 +66,15 @@ NTSTATUS smbd_smb2_request_process_lock(struct smbd_smb2_request *req)
struct tevent_req *subreq;
const uint8_t *lock_buffer;
uint16_t l;
+ NTSTATUS status;
- inhdr = (const uint8_t *)req->in.vector[i+0].iov_base;
- if (req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) {
- return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
+ status = smbd_smb2_request_verify_sizes(req, 0x30);
+ if (!NT_STATUS_IS_OK(status)) {
+ return smbd_smb2_request_error(req, status);
}
-
+ inhdr = (const uint8_t *)req->in.vector[i+0].iov_base;
inbody = (const uint8_t *)req->in.vector[i+1].iov_base;
- body_size = SVAL(inbody, 0x00);
- if (body_size != expected_body_size) {
- return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
- }
-
in_smbpid = IVAL(inhdr, SMB2_HDR_PID);
in_lock_count = CVAL(inbody, 0x02);
diff --git a/source3/smbd/smb2_negprot.c b/source3/smbd/smb2_negprot.c
index f639503..9245d6d 100644
--- a/source3/smbd/smb2_negprot.c
+++ b/source3/smbd/smb2_negprot.c
@@ -61,6 +61,7 @@ void reply_smb2002(struct smb_request *req, uint16_t choice)
NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req)
{
+ NTSTATUS status;
const uint8_t *inbody;
const uint8_t *indyn = NULL;
int i = req->current_idx;
@@ -69,8 +70,6 @@ NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req)
DATA_BLOB negprot_spnego_blob;
uint16_t security_offset;
DATA_BLOB security_buffer;
- size_t expected_body_size = 0x24;
- size_t body_size;
size_t expected_dyn_size = 0;
size_t c;
uint16_t security_mode;
@@ -80,17 +79,12 @@ NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req)
/* TODO: drop the connection with INVALID_PARAMETER */
- if (req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) {
- return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
+ status = smbd_smb2_request_verify_sizes(req, 0x24);
+ if (!NT_STATUS_IS_OK(status)) {
+ return smbd_smb2_request_error(req, status);
}
-
inbody = (const uint8_t *)req->in.vector[i+1].iov_base;
- body_size = SVAL(inbody, 0x00);
- if (body_size != expected_body_size) {
- return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
- }
-
dialect_count = SVAL(inbody, 0x02);
if (dialect_count == 0) {
return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
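Review bot: the `/* TODO: drop the connection with INVALID_PARAMETER */` comment now sits above a call whose error code comes from smbd_smb2_request_verify_sizes() rather than the literal NT_STATUS_INVALID_PARAMETER the removed lines returned; update the TODO so it no longer names a status this path does not hard-code, or resolve it while this code is being touched.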
diff --git a/source3/smbd/smb2_notify.c b/source3/smbd/smb2_notify.c
index 9e377ce..a8b1eb4 100644
--- a/source3/smbd/smb2_notify.c
+++ b/source3/smbd/smb2_notify.c
@@ -47,11 +47,9 @@ static NTSTATUS smbd_smb2_notify_recv(struct tevent_req *req,
static void smbd_smb2_request_notify_done(struct tevent_req *subreq);
NTSTATUS smbd_smb2_request_process_notify(struct smbd_smb2_request *req)
{
- const uint8_t *inhdr;
+ NTSTATUS status;
const uint8_t *inbody;
int i = req->current_idx;
- size_t expected_body_size = 0x20;
- size_t body_size;
uint16_t in_flags;
uint32_t in_output_buffer_length;
uint64_t in_file_id_persistent;
@@ -59,18 +57,12 @@ NTSTATUS smbd_smb2_request_process_notify(struct smbd_smb2_request *req)
uint64_t in_completion_filter;
struct tevent_req *subreq;
- inhdr = (const uint8_t *)req->in.vector[i+0].iov_base;
- if (req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) {
- return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
+ status = smbd_smb2_request_verify_sizes(req, 0x20);
+ if (!NT_STATUS_IS_OK(status)) {
+ return smbd_smb2_request_error(req, status);
}
-
inbody = (const uint8_t *)req->in.vector[i+1].iov_base;
- body_size = SVAL(inbody, 0x00);
- if (body_size != expected_body_size) {
- return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
- }
-
in_flags = SVAL(inbody, 0x02);
in_output_buffer_length = IVAL(inbody, 0x04);
in_file_id_persistent = BVAL(inbody, 0x08);
--
Samba Shared Repository