[SCM] Samba Shared Repository - branch v3-6-test updated

Karolin Seeger kseeger at samba.org
Thu Oct 13 12:06:58 MDT 2011


The branch, v3-6-test has been updated
       via  a97cbf0 Another part of the fix for Bug 8473 - smb2_find uses a hard coded max reply size of 0x10000 instead of smb2_max_trans.
       via  76ee6a9 s3:smb2_server: get/set info are limited by max_trans size (bug #8473)
       via  8453b6b s3:smb2_server: reject writes larger than the negotiated max_write size (bug #8473)
       via  9c0650a s3:smb2_server: remember the max_{trans,read,write} sizes we negotiated (bug #8473)
       via  69be2b1 s4:torture/smb2: we only support 64KB reads/writes for now
       via  8d54841 s3:smbd: disconnect the socket if we got an unexpected request
       via  84b4cd0 s3:smb2_server: max_trans, max_read and max_write are limited to 64 kilobytes
      from  60b85ea WHATSNEW: Update changes since 3.6.0.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test


- Log -----------------------------------------------------------------
commit a97cbf014efed5c85447d6478d4fc6803828bc8b
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Oct 12 14:00:32 2011 -0700

    Another part of the fix for Bug 8473 - smb2_find uses a hard coded max reply size of 0x10000 instead of smb2_max_trans.
    
    Change the defaults and the documentation to reflect the 64k limit.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    
    Autobuild-User: Stefan Metzmacher <metze at samba.org>
    Autobuild-Date: Thu Oct 13 12:22:23 CEST 2011 on sn-devel-104
    (cherry picked from commit d2a9e8df35be1516f22f0ef78356de6d4b02d4d3)

commit 76ee6a961e4d0e32f425ecec6fe3f7633c96e584
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Oct 12 17:46:50 2011 +0200

    s3:smb2_server: get/set info are limited by max_trans size (bug #8473)
    
    metze
    
    Autobuild-User: Stefan Metzmacher <metze at samba.org>
    Autobuild-Date: Thu Oct 13 03:32:02 CEST 2011 on sn-devel-104
    (cherry picked from commit 5e04231e961f10656384a6f16104d0d55b6f3e0e)

commit 8453b6b274b94d151229014ac3feb0d67a7e4513
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Oct 12 16:58:46 2011 +0200

    s3:smb2_server: reject writes larger than the negotiated max_write size (bug #8473)
    
    metze
    (cherry picked from commit 6981f1114792cc251bf1e05183dd88f5d351ab09)

commit 9c0650a066812dd6306463738c3d5a3823938c2c
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Sep 23 17:18:14 2011 +0200

    s3:smb2_server: remember the max_{trans,read,write} sizes we negotiated (bug #8473)
    
    We should enforce the negotiated max sizes instead of the
    lp_smb2_max_*() sizes.
    
    metze
    (cherry picked from commit 40ea66c5dda91ba3f74bed7db1ce02f6c8b4ffeb)

commit 69be2b1cd34cec481c252883a6713c1ed672a7f8
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Oct 12 18:34:26 2011 +0200

    s4:torture/smb2: we only support 64KB reads/writes for now
    
    We don't have multi-credit support yet.
    
    metze
    (cherry picked from commit 77f739f03a32965b676d97a6f082bb3e023014ef)

commit 8d54841f640212a5c3d026df3fbfd1f7c99ac7f7
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Sep 23 06:37:35 2011 +0200

    s3:smbd: disconnect the socket if we got an unexpected request
    
    If we got a SMB2_OP_NEGPROT after the protocol is already negotiated
    or if we got a non SMB2_OP_NEGPROT before the protocol was negotiated
    we should close the connection (as Windows does).
    
    metze
    
    Autobuild-User: Stefan Metzmacher <metze at samba.org>
    Autobuild-Date: Fri Sep 23 12:30:50 CEST 2011 on sn-devel-104
    (cherry picked from commit 5494856294384df4360d85e68abc03c43dc16e06)

commit 84b4cd03a17e84ffd311b99ec73846a29507418d
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Sep 5 12:14:06 2011 +0200

    s3:smb2_server: max_trans, max_read and max_write are limited to 64 kilobytes
    
    Only if SMB2_CAP_LARGE_MTU is supported we should announce larger limits.
    
    metze
    (cherry picked from commit e603929b9801ad6cc47dead19d27b42fe46489c7)

-----------------------------------------------------------------------

Summary of changes:
 docs-xml/smbdotconf/protocol/smb2maxcredits.xml |    2 +-
 docs-xml/smbdotconf/protocol/smb2maxread.xml    |    4 +-
 docs-xml/smbdotconf/protocol/smb2maxtrans.xml   |    4 +-
 docs-xml/smbdotconf/protocol/smb2maxwrite.xml   |    4 +-
 source3/include/local.h                         |    6 ++--
 source3/smbd/globals.h                          |    3 ++
 source3/smbd/smb2_find.c                        |    2 +-
 source3/smbd/smb2_getinfo.c                     |    7 ++++++
 source3/smbd/smb2_negprot.c                     |   25 ++++++++++++++++++----
 source3/smbd/smb2_notify.c                      |    2 +-
 source3/smbd/smb2_read.c                        |    4 +-
 source3/smbd/smb2_server.c                      |   20 ++++++++++++++++++
 source3/smbd/smb2_setinfo.c                     |    4 +++
 source3/smbd/smb2_write.c                       |    7 +----
 source4/torture/smb2/connect.c                  |   12 +++++-----
 source4/torture/smb2/read.c                     |    4 +-
 16 files changed, 78 insertions(+), 32 deletions(-)


Changeset truncated at 500 lines:

diff --git a/docs-xml/smbdotconf/protocol/smb2maxcredits.xml b/docs-xml/smbdotconf/protocol/smb2maxcredits.xml
index 310b898..3cc219d 100644
--- a/docs-xml/smbdotconf/protocol/smb2maxcredits.xml
+++ b/docs-xml/smbdotconf/protocol/smb2maxcredits.xml
@@ -11,5 +11,5 @@ parameter for SMB1. You should never need to set this parameter.
 <para>The default is 8192 credits, which is the same as a Windows 2008R2 SMB2 server.</para>
 </description>
 
-<value type="default">128</value>
+<value type="default">8192</value>
 </samba:parameter>
diff --git a/docs-xml/smbdotconf/protocol/smb2maxread.xml b/docs-xml/smbdotconf/protocol/smb2maxread.xml
index f4bcb4b..2666821 100644
--- a/docs-xml/smbdotconf/protocol/smb2maxread.xml
+++ b/docs-xml/smbdotconf/protocol/smb2maxread.xml
@@ -8,10 +8,10 @@
 <manvolnum>8</manvolnum></citerefentry> will return to a client, informing the client of the largest
 size that may be returned by a single SMB2 read call.
 </para>
-<para>The default is 1048576 bytes (1MB), which is the same as a Windows7 SMB2 server.</para>
+<para>The maximum is 65536 bytes (64KB), which is the same as a Windows Vista SMB2 server.</para>
 </description>
 
 <related>smb2 max write</related>
 <related>smb2 max trans</related>
-<value type="default">1048576</value>
+<value type="default">65536</value>
 </samba:parameter>
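
Review bot: The rewritten <para> states only a maximum; it no longer says what the default is or what happens when an administrator configures a larger value. Going by the MIN(max_limit, ...) clamp in the smb2_negprot.c part of this changeset, a larger setting is silently reduced to 65536, and the man page should say so, for example "Values above 65536 are reduced to 65536." The same gap is present in the smb2maxtrans.xml and smb2maxwrite.xml hunks.
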
diff --git a/docs-xml/smbdotconf/protocol/smb2maxtrans.xml b/docs-xml/smbdotconf/protocol/smb2maxtrans.xml
index dd654f4..1c01ccc 100644
--- a/docs-xml/smbdotconf/protocol/smb2maxtrans.xml
+++ b/docs-xml/smbdotconf/protocol/smb2maxtrans.xml
@@ -8,10 +8,10 @@
 <manvolnum>8</manvolnum></citerefentry> will return to a client, informing the client of the largest
 size of buffer that may be used in querying file meta-data via QUERY_INFO and related SMB2 calls.
 </para>
-<para>The default is 1048576 bytes (1MB), which is the same as a Windows7 SMB2 server.</para>
+<para>The maximum is 65536 bytes (64KB), which is the same as a Windows Vista SMB2 server.</para>
 </description>
 
 <related>smb2 max read</related>
 <related>smb2 max write</related>
-<value type="default">1048576</value>
+<value type="default">65536</value>
 </samba:parameter>
diff --git a/docs-xml/smbdotconf/protocol/smb2maxwrite.xml b/docs-xml/smbdotconf/protocol/smb2maxwrite.xml
index cdbc47a..a302a94 100644
--- a/docs-xml/smbdotconf/protocol/smb2maxwrite.xml
+++ b/docs-xml/smbdotconf/protocol/smb2maxwrite.xml
@@ -8,10 +8,10 @@
 <manvolnum>8</manvolnum></citerefentry> will return to a client, informing the client of the largest
 size that may be sent to the server by a single SMB2 write call.
 </para>
-<para>The default is 1048576 bytes (1MB), which is the same as a Windows7 SMB2 server.</para>
+<para>The maximum is 65536 bytes (64KB), which is the same as a Windows Vista SMB2 server.</para>
 </description>
 
 <related>smb2 max read</related>
 <related>smb2 max trans</related>
-<value type="default">1048576</value>
+<value type="default">65536</value>
 </samba:parameter>
diff --git a/source3/include/local.h b/source3/include/local.h
index 807d3c9..d659522 100644
--- a/source3/include/local.h
+++ b/source3/include/local.h
@@ -261,9 +261,9 @@
 #define CLIENT_NDR_PADDING_SIZE 8
 #define SERVER_NDR_PADDING_SIZE 8
 
-#define DEFAULT_SMB2_MAX_READ (1024*1024)
-#define DEFAULT_SMB2_MAX_WRITE (1024*1024)
-#define DEFAULT_SMB2_MAX_TRANSACT (1024*1024)
+#define DEFAULT_SMB2_MAX_READ (64*1024)
+#define DEFAULT_SMB2_MAX_WRITE (64*1024)
+#define DEFAULT_SMB2_MAX_TRANSACT (64*1024)
 #define DEFAULT_SMB2_MAX_CREDITS 8192
 #define DEFAULT_SMB2_MAX_CREDIT_BITMAP_FACTOR 2
 
diff --git a/source3/smbd/globals.h b/source3/smbd/globals.h
index 7033848..9304a43 100644
--- a/source3/smbd/globals.h
+++ b/source3/smbd/globals.h
@@ -604,6 +604,9 @@ struct smbd_server_connection {
 		uint64_t seqnum_low;
 		uint32_t credits_granted;
 		uint32_t max_credits;
+		uint32_t max_trans;
+		uint32_t max_read;
+		uint32_t max_write;
 		struct bitmap *credits_bitmap;
 		bool compound_related_in_progress;
 	} smb2;
diff --git a/source3/smbd/smb2_find.c b/source3/smbd/smb2_find.c
index 4a49f2a..3dcc768 100644
--- a/source3/smbd/smb2_find.c
+++ b/source3/smbd/smb2_find.c
@@ -281,7 +281,7 @@ static struct tevent_req *smbd_smb2_find_send(TALLOC_CTX *mem_ctx,
 		return tevent_req_post(req, ev);
 	}
 
-	if (in_output_buffer_length > lp_smb2_max_trans()) {
+	if (in_output_buffer_length > smb2req->sconn->smb2.max_trans) {
 		tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
 		return tevent_req_post(req, ev);
 	}
diff --git a/source3/smbd/smb2_getinfo.c b/source3/smbd/smb2_getinfo.c
index 61e0cfa..c5d2d62 100644
--- a/source3/smbd/smb2_getinfo.c
+++ b/source3/smbd/smb2_getinfo.c
@@ -90,6 +90,13 @@ NTSTATUS smbd_smb2_request_process_getinfo(struct smbd_smb2_request *req)
 	in_input_buffer.data = (uint8_t *)req->in.vector[i+2].iov_base;
 	in_input_buffer.length = in_input_buffer_length;
 
+	if (in_input_buffer.length > req->sconn->smb2.max_trans) {
+		return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
+	}
+	if (in_output_buffer_length > req->sconn->smb2.max_trans) {
+		return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
+	}
+
 	if (req->compat_chain_fsp) {
 		/* skip check */
 	} else if (in_file_id_persistent != in_file_id_volatile) {
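
Review bot: The two new max_trans checks reject without logging, while the equivalent size checks in smb2_read.c and smb2_write.c emit a DEBUG line with the offending length and the limit. A matching DEBUG here (and for the check added in smb2_setinfo.c) would let an administrator tell a client bug from a limit that is set too low.
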
diff --git a/source3/smbd/smb2_negprot.c b/source3/smbd/smb2_negprot.c
index 9245d6d..2f45b8c 100644
--- a/source3/smbd/smb2_negprot.c
+++ b/source3/smbd/smb2_negprot.c
@@ -76,8 +76,10 @@ NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req)
 	uint16_t dialect_count;
 	uint16_t dialect = 0;
 	uint32_t capabilities;
-
-/* TODO: drop the connection with INVALID_PARAMETER */
+	uint32_t max_limit;
+	uint32_t max_trans = lp_smb2_max_trans();
+	uint32_t max_read = lp_smb2_max_read();
+	uint32_t max_write = lp_smb2_max_write();
 
 	status = smbd_smb2_request_verify_sizes(req, 0x24);
 	if (!NT_STATUS_IS_OK(status)) {
@@ -133,6 +135,16 @@ NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req)
 		capabilities |= SMB2_CAP_DFS;
 	}
 
+	/*
+	 * Unless we implement SMB2_CAP_LARGE_MTU,
+	 * 0x10000 (65536) is the maximum allowed message size
+	 */
+	max_limit = 0x10000;
+
+	max_trans = MIN(max_limit, max_trans);
+	max_read  = MIN(max_limit, max_read);
+	max_write = MIN(max_limit, max_write);
+
 	security_offset = SMB2_HDR_BODY + 0x40;
 
 #if 1
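
Review bot: max_limit = 0x10000 is a second spelling of the limit that local.h expresses as (64*1024) in the DEFAULT_SMB2_MAX_* defines, so the default and the clamp can drift apart. A single named constant used in both places would keep them in step. The clamp is also silent: when lp_smb2_max_trans(), lp_smb2_max_read() or lp_smb2_max_write() exceeds the limit, a DEBUG line saying the configured value was reduced would explain why a larger smb.conf setting has no effect.
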
@@ -158,9 +170,9 @@ NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req)
 	       negprot_spnego_blob.data, 16);	/* server guid */
 	SIVAL(outbody.data, 0x18,
 	      capabilities);			/* capabilities */
-	SIVAL(outbody.data, 0x1C, lp_smb2_max_trans());	/* max transact size */
-	SIVAL(outbody.data, 0x20, lp_smb2_max_read());	/* max read size */
-	SIVAL(outbody.data, 0x24, lp_smb2_max_write());	/* max write size */
+	SIVAL(outbody.data, 0x1C, max_trans);	/* max transact size */
+	SIVAL(outbody.data, 0x20, max_trans);	/* max read size */
+	SIVAL(outbody.data, 0x24, max_trans);	/* max write size */
 	SBVAL(outbody.data, 0x28, 0);		/* system time */
 	SBVAL(outbody.data, 0x30, 0);		/* server start time */
 	SSVAL(outbody.data, 0x38,
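
Review bot: The SIVAL calls at offsets 0x20 and 0x24 write max_trans, although their comments say "max read size" and "max write size" and the clamped max_read and max_write locals were introduced for exactly these fields. As written the server advertises max_trans in all three fields, but the next hunk stores max_read and max_write in req->sconn->smb2, and smb2_read.c and smb2_write.c enforce those; with "smb2 max read" or "smb2 max write" configured below "smb2 max trans", a client that respects the advertised size is rejected with NT_STATUS_INVALID_PARAMETER. Use SIVAL(outbody.data, 0x20, max_read) and SIVAL(outbody.data, 0x24, max_write).
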
@@ -172,6 +184,9 @@ NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req)
 	outdyn = security_buffer;
 
 	req->sconn->using_smb2 = true;
+	req->sconn->smb2.max_trans = max_trans;
+	req->sconn->smb2.max_read  = max_read;
+	req->sconn->smb2.max_write = max_write;
 
 	return smbd_smb2_request_done(req, outbody, &outdyn);
 }
diff --git a/source3/smbd/smb2_notify.c b/source3/smbd/smb2_notify.c
index a8b1eb4..49c6a54 100644
--- a/source3/smbd/smb2_notify.c
+++ b/source3/smbd/smb2_notify.c
@@ -73,7 +73,7 @@ NTSTATUS smbd_smb2_request_process_notify(struct smbd_smb2_request *req)
 	 * 0x00010000 is what Windows 7 uses,
 	 * Windows 2008 uses 0x00080000
 	 */
-	if (in_output_buffer_length > lp_smb2_max_trans()) {
+	if (in_output_buffer_length > req->sconn->smb2.max_trans) {
 		return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
 	}
 
diff --git a/source3/smbd/smb2_read.c b/source3/smbd/smb2_read.c
index 89fc420..21082e6 100644
--- a/source3/smbd/smb2_read.c
+++ b/source3/smbd/smb2_read.c
@@ -74,9 +74,9 @@ NTSTATUS smbd_smb2_request_process_read(struct smbd_smb2_request *req)
 	in_remaining_bytes	= IVAL(inbody, 0x28);
 
 	/* check the max read size */
-	if (in_length > lp_smb2_max_read()) {
+	if (in_length > req->sconn->smb2.max_read) {
 		DEBUG(0,("here:%s: 0x%08X: 0x%08X\n",
-			__location__, in_length, lp_smb2_max_read()));
+			__location__, in_length, req->sconn->smb2.max_read));
 		return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
 	}
 
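
Review bot: The oversized-read rejection still logs at DEBUG(0) with the placeholder text "here:", and this hunk edits that statement without fixing either. At level 0 every over-limit read request from any client is written to the log, so log volume is under the control of the remote peer, and the message does not say what was rejected. Match smb2_write.c: log at level 2 with a descriptive message such as "client ignored max read".
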
diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c
index 0d22d84..1c50d21 100644
--- a/source3/smbd/smb2_server.c
+++ b/source3/smbd/smb2_server.c
@@ -1203,6 +1203,26 @@ NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req)
 		smb2_opcode_name(opcode),
 		(unsigned long long)mid));
 
+	if (get_Protocol() >= PROTOCOL_SMB2) {
+		/*
+		 * once the protocol is negotiated
+		 * SMB2_OP_NEGPROT is not allowed anymore
+		 */
+		if (opcode == SMB2_OP_NEGPROT) {
+			/* drop the connection */
+			return NT_STATUS_INVALID_PARAMETER;
+		}
+	} else {
+		/*
+		 * if the protocol is not negotiated yet
+		 * only SMB2_OP_NEGPROT is allowed.
+		 */
+		if (opcode != SMB2_OP_NEGPROT) {
+			/* drop the connection */
+			return NT_STATUS_INVALID_PARAMETER;
+		}
+	}
+
 	allowed_flags = SMB2_HDR_FLAG_CHAINED |
 			SMB2_HDR_FLAG_SIGNED |
 			SMB2_HDR_FLAG_DFS;
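
Review bot: Both branches return NT_STATUS_INVALID_PARAMETER under the comment "drop the connection", but nothing in this hunk logs the event or shows that a non-OK return from smbd_smb2_request_dispatch() actually closes the socket. Add a DEBUG line naming the opcode (smb2_opcode_name(opcode) is already used just above) so an unexpected disconnect can be diagnosed, and state in the comment that the caller terminates the connection on error. The two branches could also collapse into a single test comparing (get_Protocol() >= PROTOCOL_SMB2) with (opcode == SMB2_OP_NEGPROT).
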
diff --git a/source3/smbd/smb2_setinfo.c b/source3/smbd/smb2_setinfo.c
index 2d39f11..751190a 100644
--- a/source3/smbd/smb2_setinfo.c
+++ b/source3/smbd/smb2_setinfo.c
@@ -81,6 +81,10 @@ NTSTATUS smbd_smb2_request_process_setinfo(struct smbd_smb2_request *req)
 	in_input_buffer.data = (uint8_t *)req->in.vector[i+2].iov_base;
 	in_input_buffer.length = in_input_buffer_length;
 
+	if (in_input_buffer.length > req->sconn->smb2.max_trans) {
+		return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
+	}
+
 	if (req->compat_chain_fsp) {
 		/* skip check */
 	} else if (in_file_id_persistent != in_file_id_volatile) {
diff --git a/source3/smbd/smb2_write.c b/source3/smbd/smb2_write.c
index 0202098..b2360ca 100644
--- a/source3/smbd/smb2_write.c
+++ b/source3/smbd/smb2_write.c
@@ -78,14 +78,11 @@ NTSTATUS smbd_smb2_request_process_write(struct smbd_smb2_request *req)
 	}
 
 	/* check the max write size */
-	if (in_data_length > lp_smb2_max_write()) {
-		/* This is a warning. */
+	if (in_data_length > req->sconn->smb2.max_write) {
 		DEBUG(2,("smbd_smb2_request_process_write : "
 			"client ignored max write :%s: 0x%08X: 0x%08X\n",
-			__location__, in_data_length, lp_smb2_max_write()));
-#if 0
+			__location__, in_data_length, req->sconn->smb2.max_write));
 		return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
-#endif
 	}
 
 	in_data_buffer.data = (uint8_t *)req->in.vector[i+2].iov_base;
diff --git a/source4/torture/smb2/connect.c b/source4/torture/smb2/connect.c
index 1b69c18..b383a67 100644
--- a/source4/torture/smb2/connect.c
+++ b/source4/torture/smb2/connect.c
@@ -71,14 +71,14 @@ static NTSTATUS torture_smb2_write(struct torture_context *tctx, struct smb2_tre
 	NTSTATUS status;
 	DATA_BLOB data;
 	int i;
+	uint32_t size = torture_setting_int(tctx, "smb2maxwrite", 64*1024);
 	
-	if (torture_setting_bool(tctx, "dangerous", false)) {
-		data = data_blob_talloc(tree, NULL, 160000);
-	} else if (torture_setting_bool(tctx, "samba4", false)) {
-		data = data_blob_talloc(tree, NULL, UINT16_MAX);
-	} else {
-		data = data_blob_talloc(tree, NULL, torture_setting_int(tctx, "smb2maxwrite", 120000));
+	data = data_blob_talloc(tree, NULL, size);
+	if (size != data.length) {
+		printf("data_blob_talloc(%s) failed\n", size);
+		return NT_STATUS_NO_MEMORY;
 	}
+
 	for (i=0;i<data.length;i++) {
 		data.data[i] = i;
 	}
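
Review bot: The new error path calls printf("data_blob_talloc(%s) failed\n", size), passing the uint32_t size to a %s conversion; that is undefined behaviour and will most likely crash in the very case the message is meant to report. Use %u for size.
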
diff --git a/source4/torture/smb2/read.c b/source4/torture/smb2/read.c
index f27ce24..076ae9c 100644
--- a/source4/torture/smb2/read.c
+++ b/source4/torture/smb2/read.c
@@ -51,7 +51,7 @@ static bool test_read_eof(struct torture_context *torture, struct smb2_tree *tre
 	bool ret = true;
 	NTSTATUS status;
 	struct smb2_handle h;
-	uint8_t buf[70000];
+	uint8_t buf[64*1024];
 	struct smb2_read rd;
 	TALLOC_CTX *tmp_ctx = talloc_new(tree);
 
@@ -134,7 +134,7 @@ static bool test_read_position(struct torture_context *torture, struct smb2_tree
 	bool ret = true;
 	NTSTATUS status;
 	struct smb2_handle h;
-	uint8_t buf[70000];
+	uint8_t buf[64*1024];
 	struct smb2_read rd;
 	TALLOC_CTX *tmp_ctx = talloc_new(tree);
 	union smb_fileinfo info;


-- 
Samba Shared Repository

