[SCM] Samba Shared Repository - branch master updated

Stefan Metzmacher metze at samba.org
Tue Aug 7 23:33:03 MDT 2012


The branch, master has been updated
       via  528d3fe libcli/smb: do not set SMB2_TF_MSG_SIZE in the caller
       via  143fb84 libcli/smb: smb2_signing_[en|de]crypt_pdu() check and set SMB2_TF_MSG_SIZE
       via  6bfdca4 s3:smb2_sesssetup: remove unused code in smbd_smb2_reauth_generic_return()
       via  5f7d786 s3:smb2_sesssetup: remove TALLOC_FREE(session) from smbd_smb2_[re]auth_generic_return
       via  c9ecfd6 s3:smb2_server: sign the last request at the start of smbd_smb2_request_reply()
      from  64c0367 s3: Fix a crash in reply_lockingX_error

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 528d3fe2ae9691bc1c0b322bb3007524987f8b28
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Aug 8 05:04:07 2012 +0200

    libcli/smb: do not set SMB2_TF_MSG_SIZE in the caller
    
    metze
    
    Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
    Autobuild-Date(master): Wed Aug  8 07:32:55 CEST 2012 on sn-devel-104

commit 143fb8403a5b763224b078e67aa9e4ef005ec9ca
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Aug 8 05:03:19 2012 +0200

    libcli/smb: smb2_signing_[en|de]crypt_pdu() check and set SMB2_TF_MSG_SIZE
    
    metze

commit 6bfdca4786cd6293650ecde784e316d2f0258a56
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Aug 8 05:35:37 2012 +0200

    s3:smb2_sesssetup: remove unused code in smbd_smb2_reauth_generic_return()
    
    A reauth exchange is already signed, with the channel signing key.
    
    metze

commit 5f7d786b08f2d67d200fb473b12781174a69e776
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Aug 8 05:33:50 2012 +0200

    s3:smb2_sesssetup: remove TALLOC_FREE(session) from smbd_smb2_[re]auth_generic_return
    
    The caller does this via the smbd_smb2_session_setup_state_destructor()
    
    metze

commit c9ecfd6f3df2714bfaabb77ceb987ce65c62e38a
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Aug 8 04:35:15 2012 +0200

    s3:smb2_server: sign the last request at the start of smbd_smb2_request_reply()
    
    This means we correctly sign all responses in a compound chain.
    
    metze

-----------------------------------------------------------------------

Summary of changes:
 libcli/smb/smb2_signing.c     |   22 ++++++++++++++++------
 libcli/smb/smbXcli_base.c     |    3 ---
 source3/smbd/smb2_server.c    |   38 ++++++++++++++++----------------------
 source3/smbd/smb2_sesssetup.c |   18 ------------------
 4 files changed, 32 insertions(+), 49 deletions(-)


Changeset truncated at 500 lines:

diff --git a/libcli/smb/smb2_signing.c b/libcli/smb/smb2_signing.c
index bb621fd..97143f7 100644
--- a/libcli/smb/smb2_signing.c
+++ b/libcli/smb/smb2_signing.c
@@ -238,13 +238,15 @@ NTSTATUS smb2_signing_encrypt_pdu(DATA_BLOB encryption_key,
 		return NT_STATUS_ACCESS_DENIED;
 	}
 
-	alg = SMB2_ENCRYPTION_AES128_CCM;
-	SSVAL(tf, SMB2_TF_ALGORITHM, alg);
-
 	a_total = SMB2_TF_HDR_SIZE - SMB2_TF_NONCE;
 	for (i=1; i < count; i++) {
 		m_total += vector[i].iov_len;
 	}
+
+	alg = SMB2_ENCRYPTION_AES128_CCM;
+	SSVAL(tf, SMB2_TF_ALGORITHM, alg);
+	SIVAL(tf, SMB2_TF_MSG_SIZE, m_total);
+
 	ZERO_STRUCT(key);
 	memcpy(key, encryption_key.data,
 	       MIN(encryption_key.length, AES_BLOCK_SIZE));
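Review bot: `SIVAL(tf, SMB2_TF_MSG_SIZE, m_total);` stores a `size_t` sum into a 32-bit header field, so a payload larger than `UINT32_MAX` would be written truncated with no error. The header would then describe a different length than the data actually encrypted, and the equality check this series adds to smb2_signing_decrypt_pdu() would reject the PDU on the receiving side. A guard ahead of the store would fail early instead, for example `if (m_total > UINT32_MAX) { return NT_STATUS_INVALID_PARAMETER; }`. The start and end of smb2_signing_encrypt_pdu() are outside this hunk, so an existing bound on the iovec total elsewhere cannot be ruled out.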
@@ -283,6 +285,7 @@ NTSTATUS smb2_signing_decrypt_pdu(DATA_BLOB decryption_key,
 	int i;
 	size_t a_total;
 	size_t m_total = 0;
+	uint32_t msg_size = 0;
 	struct aes_ccm_128_context ctx;
 	uint8_t key[AES_BLOCK_SIZE];
 
@@ -302,15 +305,22 @@ NTSTATUS smb2_signing_decrypt_pdu(DATA_BLOB decryption_key,
 		return NT_STATUS_ACCESS_DENIED;
 	}
 
+	a_total = SMB2_TF_HDR_SIZE - SMB2_TF_NONCE;
+	for (i=1; i < count; i++) {
+		m_total += vector[i].iov_len;
+	}
+
 	alg = SVAL(tf, SMB2_TF_ALGORITHM);
+	msg_size = IVAL(tf, SMB2_TF_MSG_SIZE);
+
 	if (alg != SMB2_ENCRYPTION_AES128_CCM) {
 		return NT_STATUS_ACCESS_DENIED;
 	}
 
-	a_total = SMB2_TF_HDR_SIZE - SMB2_TF_NONCE;
-	for (i=1; i < count; i++) {
-		m_total += vector[i].iov_len;
+	if (msg_size != m_total) {
+		return NT_STATUS_INTERNAL_ERROR;
 	}
+
 	ZERO_STRUCT(key);
 	memcpy(key, decryption_key.data,
 	       MIN(decryption_key.length, AES_BLOCK_SIZE));
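Review bot: The new `if (msg_size != m_total)` check returns `NT_STATUS_INTERNAL_ERROR`, although `msg_size` is read from the transform header, which presumably originates from the peer. If a caller can reach this point with a header it has not already validated, a mismatch means a malformed or tampered PDU, and reporting it as a local fault makes it harder to spot in logs. Either return the same status as the neighbouring rejections (`return NT_STATUS_ACCESS_DENIED;`) or add a comment stating the assumption, such as `/* callers size the iovec from SMB2_TF_MSG_SIZE, so a mismatch is a local bug */`. The rest of smb2_signing_decrypt_pdu(), including where `tf` is taken from, lies outside the hunk.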
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index c6e3b2a..dad869c 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -2764,9 +2764,6 @@ skip_credits:
 				state->session->smb2->nonce_low += 1;
 			}
 
-			SBVAL(state->smb2.transform, SMB2_TF_MSG_SIZE,
-			      reqlen);
-
 			buf = talloc_array(iov, uint8_t, reqlen);
 			if (buf == NULL) {
 				return NT_STATUS_NO_MEMORY;
diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c
index afd001c..19a1051 100644
--- a/source3/smbd/smb2_server.c
+++ b/source3/smbd/smb2_server.c
@@ -1977,7 +1977,6 @@ static NTSTATUS smbd_smb2_request_reply(struct smbd_smb2_request *req)
 	struct tevent_req *subreq;
 	struct iovec *outhdr = SMBD_SMB2_OUT_HDR_IOV(req);
 	struct iovec *outdyn = SMBD_SMB2_OUT_DYN_IOV(req);
-	struct iovec *lasthdr = NULL;
 
 	req->subreq = NULL;
 	TALLOC_FREE(req->async_te);
@@ -1985,9 +1984,24 @@ static NTSTATUS smbd_smb2_request_reply(struct smbd_smb2_request *req)
 	if ((req->current_idx > SMBD_SMB2_NUM_IOV_PER_REQ) &&
 	    (req->last_key.length > 0)) {
 		int last_idx = req->current_idx - SMBD_SMB2_NUM_IOV_PER_REQ;
+		struct iovec *lasthdr = SMBD_SMB2_IDX_HDR_IOV(req,out,last_idx);
+		NTSTATUS status;
+
+		/*
+		 * As we are sure the header of the last request in the
+		 * compound chain will not change, we can to sign here
+		 * with the last signing key we remembered.
+		 */
 
-		lasthdr = SMBD_SMB2_IDX_HDR_IOV(req,out,last_idx);
+		status = smb2_signing_sign_pdu(req->last_key,
+					       conn->protocol,
+					       lasthdr,
+					       SMBD_SMB2_NUM_IOV_PER_REQ);
+		if (!NT_STATUS_IS_OK(status)) {
+			return status;
+		}
 	}
+	data_blob_clear_free(&req->last_key);
 
 	req->current_idx += SMBD_SMB2_NUM_IOV_PER_REQ;
 
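Review bot: On the new early `return status;` after a failed `smb2_signing_sign_pdu()`, `req->last_key` is left uncleared, because `data_blob_clear_free(&req->last_key);` only runs after the `if` block. The remembered signing key then stays in memory until the request is torn down, and whether that teardown zeroes the blob is not visible here. Calling `data_blob_clear_free(&req->last_key);` immediately before `return status;` would keep the key's lifetime the same on both paths. The moved comment also still reads "we can to sign here", which should be "we can sign here". `conn` and the remainder of smbd_smb2_request_reply() are defined outside this hunk.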
@@ -2005,8 +2019,6 @@ static NTSTATUS smbd_smb2_request_reply(struct smbd_smb2_request *req)
 			return NT_STATUS_NO_MEMORY;
 		}
 
-		data_blob_clear_free(&req->last_key);
-
 		if (req->do_signing) {
 			struct smbXsrv_session *x = req->session;
 			DATA_BLOB signing_key = x->global->channels[0].signing_key;
@@ -2041,24 +2053,6 @@ static NTSTATUS smbd_smb2_request_reply(struct smbd_smb2_request *req)
 	smb2_calculate_credits(req, req);
 
 	/*
-	 * As we are sure the header of the last request in the
-	 * compound chain will not change, we can to sign here
-	 * with the last signing key we remembered.
-	 */
-	if (lasthdr != NULL) {
-		NTSTATUS status;
-
-		status = smb2_signing_sign_pdu(req->last_key,
-					       conn->protocol,
-					       lasthdr,
-					       SMBD_SMB2_NUM_IOV_PER_REQ);
-		if (!NT_STATUS_IS_OK(status)) {
-			return status;
-		}
-	}
-	data_blob_clear_free(&req->last_key);
-
-	/*
 	 * now check if we need to sign the current response
 	 */
 	if (req->do_signing) {
diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index 474c04b..07a168f 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -208,7 +208,6 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct smbXsrv_session *session,
 						  sizeof(session_key));
 	if (x->global->signing_key.data == NULL) {
 		ZERO_STRUCT(session_key);
-		TALLOC_FREE(session);
 		return NT_STATUS_NO_MEMORY;
 	}
 
@@ -226,7 +225,6 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct smbXsrv_session *session,
 						x->global->signing_key);
 	if (x->global->application_key.data == NULL) {
 		ZERO_STRUCT(session_key);
-		TALLOC_FREE(session);
 		return NT_STATUS_NO_MEMORY;
 	}
 
@@ -244,7 +242,6 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct smbXsrv_session *session,
 	x->global->channels[0].signing_key = data_blob_dup_talloc(x->global->channels,
 						x->global->signing_key);
 	if (x->global->channels[0].signing_key.data == NULL) {
-		TALLOC_FREE(session);
 		return NT_STATUS_NO_MEMORY;
 	}
 
@@ -252,13 +249,11 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct smbXsrv_session *session,
 	session_info->session_key = data_blob_dup_talloc(session_info,
 						x->global->application_key);
 	if (session_info->session_key.data == NULL) {
-		TALLOC_FREE(session);
 		return NT_STATUS_NO_MEMORY;
 	}
 
 	session->compat = talloc_zero(session, struct user_struct);
 	if (session->compat == NULL) {
-		TALLOC_FREE(session);
 		return NT_STATUS_NO_MEMORY;
 	}
 	session->compat->session = session;
@@ -278,7 +273,6 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct smbXsrv_session *session,
 		DEBUG(1, ("smb2: Failed to claim session "
 			"for vuid=%llu\n",
 			(unsigned long long)session->compat->vuid));
-		TALLOC_FREE(session);
 		return NT_STATUS_LOGON_FAILURE;
 	}
 
@@ -300,7 +294,6 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct smbXsrv_session *session,
 		DEBUG(0, ("smb2: Failed to update session for vuid=%llu - %s\n",
 			  (unsigned long long)session->compat->vuid,
 			  nt_errstr(status)));
-		TALLOC_FREE(session);
 		return NT_STATUS_LOGON_FAILURE;
 	}
 
@@ -334,7 +327,6 @@ static NTSTATUS smbd_smb2_reauth_generic_return(struct smbXsrv_session *session,
 	session_info->session_key = data_blob_dup_talloc(session_info,
 						x->global->application_key);
 	if (session_info->session_key.data == NULL) {
-		TALLOC_FREE(session);
 		return NT_STATUS_NO_MEMORY;
 	}
 
@@ -363,21 +355,11 @@ static NTSTATUS smbd_smb2_reauth_generic_return(struct smbXsrv_session *session,
 		DEBUG(0, ("smb2: Failed to update session for vuid=%llu - %s\n",
 			  (unsigned long long)session->compat->vuid,
 			  nt_errstr(status)));
-		TALLOC_FREE(session);
 		return NT_STATUS_LOGON_FAILURE;
 	}
 
 	conn_clear_vuid_caches(conn->sconn, session->compat->vuid);
 
-	/*
-	 * we attach the session to the request
-	 * so that the response can be signed
-	 */
-	smb2req->session = session;
-	smb2req->do_signing = true;
-
-	global_client_caps |= (CAP_LEVEL_II_OPLOCKS|CAP_STATUS32);
-
 	*out_session_id = session->global->session_wire_id;
 
 	return NT_STATUS_OK;


-- 
Samba Shared Repository

