Length limitation for the string returned from samba_version_string() in reply_sesssetup_and_X()?

Jeremy Allison jra at samba.org
Wed Mar 14 00:40:33 GMT 2007


On Tue, Mar 13, 2007 at 05:25:56PM -0700, Tim Prouty wrote:
> Hi,
> 
> I am working with the samba 3.0.24 code base.
> 
> I have run into a problem when setting SAMBA_VERSION_VENDOR_SUFFIX to
> a string that is long enough to max out the size of the samba_version
> fstring in samba_version_string(). When running "net use X:
> \\server_name\\share" on a Windows XP client, a Session Setup AndX
> chained with a Tree Connect AndX request is sent from the client. In
> reply_sesssetup_and_X(), samba_version_string() is appended to the
> outbuf when calling add_signature(), which populates the Native LAN
> Manager field in the reply. Having this large outbuf causes a
> problem when chain_reply() is called because chain_reply() subtracts
> the size of the outbuf from the size of the inbuf and ends up passing
> in a negative size to switch_message(). switch_message() then fails
> in the first conditional and kills the process.
> 
> It seems to me that the length of the version string should be able
> to be the full length of an fstring. Is there some invariant that
> I'm not seeing? If so, is this something that may be able to be
> caught earlier and produce a more revealing error message? I'm kind
> of new to the CIFS protocol, so it's certainly possible I'm missing
> something very simple.

I think I've just fixed this in the SVN source code. It's
a bug in chain_reply.

Can you svn update on SAMBA_3_0_25 and see if this fixes your
problem ?

Jeremy.
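The failure Tim describes, a reply that outgrows the request buffer so that a signed subtraction hands a negative length to the next chained handler, is easy to model outside Samba. The following is an added illustrative program, not Samba's chain_reply() or add_signature() and not code from this thread; the 256-byte fstring limit, the 200-byte request, the 40-byte reply header and the signature field values are all constructed for the example. It contrasts the unchecked arithmetic with a version that refuses to chain once the reply no longer fits, which is the kind of early, explicit error Tim asks about.

```c
#include <stdio.h>
#include <string.h>

#define FSTRING_LEN 256          /* assumed fixed-size string buffer, standing in for an fstring */
#define BASE_VERSION "Samba 3.0.24"

/* Build the version string into a fixed-size buffer. snprintf truncates, so a
 * long vendor suffix can at most fill the fstring, the case described above. */
static void make_version_string(char out[FSTRING_LEN], const char *vendor_suffix) {
    snprintf(out, FSTRING_LEN, "%s%s", BASE_VERSION, vendor_suffix);
}

/* Reply size after appending three NUL-terminated signature fields
 * (native OS, native LAN manager, domain) to a header of header_len bytes. */
static size_t reply_len_with_signature(size_t header_len, const char *native_os,
                                       const char *native_lanman, const char *domain) {
    return header_len + strlen(native_os) + 1 + strlen(native_lanman) + 1 +
           strlen(domain) + 1;
}

/* The failing pattern: a signed difference that goes negative once the reply
 * outgrows the request buffer, and is then passed on as if it were a length. */
static int chained_len_unchecked(size_t inbuf_len, size_t outbuf_len) {
    return (int)inbuf_len - (int)outbuf_len;
}

/* The defensive pattern: compare before subtracting and report -1 so the caller
 * can log a clear error and fail the request instead of chaining on garbage. */
static int chained_len_checked(size_t inbuf_len, size_t outbuf_len) {
    if (outbuf_len > inbuf_len) return -1;
    return (int)(inbuf_len - outbuf_len);
}

/* Constructed scenario: a 200-byte chained request and a 40-byte reply header. */
static const size_t INBUF_LEN = 200;
static const size_t HEADER_LEN = 40;

static int scenario_unchecked(const char *vendor_suffix) {
    char lanman[FSTRING_LEN];
    make_version_string(lanman, vendor_suffix);
    size_t out = reply_len_with_signature(HEADER_LEN, "Unix", lanman, "WORKGROUP");
    return chained_len_unchecked(INBUF_LEN, out);
}

static int scenario_checked(const char *vendor_suffix) {
    char lanman[FSTRING_LEN];
    make_version_string(lanman, vendor_suffix);
    size_t out = reply_len_with_signature(HEADER_LEN, "Unix", lanman, "WORKGROUP");
    return chained_len_checked(INBUF_LEN, out);
}

/* A constructed 299-character vendor suffix, long enough to max out the fstring. */
static const char *constructed_long_suffix(void) {
    static char big[300];
    if (big[0] == '\0') {
        memset(big, 'x', sizeof big - 1);
        big[sizeof big - 1] = '\0';
    }
    return big;
}

int main(void) {
    printf("short suffix: unchecked=%d checked=%d\n",
           scenario_unchecked("-dev"), scenario_checked("-dev"));
    printf("long suffix:  unchecked=%d checked=%d\n",
           scenario_unchecked(constructed_long_suffix()),
           scenario_checked(constructed_long_suffix()));
    return 0;
}
```

With the short suffix both computations agree (128 bytes remain). With the long suffix the reply grows to 311 bytes, the unchecked version yields -111 and would pass that downstream, while the checked version returns -1 at the point where the condition can still be diagnosed.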

