[PATCH 4/5] s3-smb2_server: fix ioctl InputOffset checking

David Disseldorp ddiss at suse.de
Wed Sep 28 08:42:48 MDT 2011


Currently the InputOffset is always checked to point to the input data
buffer, regardless of whether input data is present.
---
 source3/smbd/smb2_ioctl.c |   11 ++++++++++-
 1 files changed, 10 insertions(+), 1 deletions(-)

diff --git a/source3/smbd/smb2_ioctl.c b/source3/smbd/smb2_ioctl.c
index 491c3fd..5a766e1 100644
--- a/source3/smbd/smb2_ioctl.c
+++ b/source3/smbd/smb2_ioctl.c
@@ -68,7 +68,16 @@ NTSTATUS smbd_smb2_request_process_ioctl(struct smbd_smb2_request *req)
 	in_max_output_length	= IVAL(inbody, 0x2C);
 	in_flags		= IVAL(inbody, 0x30);
 
-	if (in_input_offset != (SMB2_HDR_BODY + req->in.vector[i+1].iov_len)) {
+	/*
+	 * InputOffset (4 bytes): The offset, in bytes, from the beginning of
+	 * the SMB2 header to the input data buffer. If no input data is
+	 * required for the FSCTL/IOCTL command being issued, the client SHOULD
+	 * set this value to 0.<49>
+	 * <49> If no input data is required for the FSCTL/IOCTL command being
+	 * issued, Windows-based clients set this field to any value.
+	 */
+	if ((in_input_length > 0)
+	 && (in_input_offset != (SMB2_HDR_BODY + req->in.vector[i+1].iov_len))) {
 		return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
 	}
 
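Review bot: the new condition makes the offset check depend on in_input_length, but nothing in this hunk bounds in_input_length against the input buffer actually received (req->in.vector[i+2] would be the dynamic part), so please confirm that a length check exists before the input data is consumed, or add one next to this offset check; a request with a non-zero length and an offset that passes this test is exactly the shape that a missing length check would leave unvalidated. Two smaller points: the block comment quotes MS-SMB2 verbatim including the "<49>" footnote marker, so citing the section (the IOCTL Request description) would make the reference easier to follow than the bare footnote number; and the continuation line " && (in_input_offset ..." is indented with a single space rather than aligned with the opening parenthesis, which does not match the surrounding Samba style.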
-- 
1.7.1