EA name len must be less than 255 according to MS-FSCC ...

Günter Kukkukk linux at kukkukk.com
Mon Dec 17 21:09:20 MST 2012


On Thursday, 13 December 2012, 05:40:27, Günter Kukkukk wrote:
> On Tuesday, 11 December 2012, 19:24:06, Jeremy Allison wrote:
> > On Tue, Dec 11, 2012 at 10:20:42AM -0800, Richard Sharpe wrote:
> > > On Tue, Dec 11, 2012 at 10:03 AM, Jeremy Allison <jra at samba.org> wrote:
> > > > On Tue, Dec 11, 2012 at 10:00:40AM -0800, Richard Sharpe wrote:
> > > >> Hi folks,
> > > >> 
> > > >> according to [MS-FSCC].pdf section 2.4.15 we have:
> > > >> 
> > > >> ---------------------
> > > >> EaNameLength (1 byte): An 8-bit unsigned integer that contains the
> > > >> length, in bytes, of the extended attribute name in the EaName
> > > >> field. This value MUST NOT include the terminating null character
> > > >> to EaName.
> > > >> 
> > > >> EaName (variable): An array of 8-bit ASCII characters that contains
> > > >> the extended attribute name followed by a single terminating null
> > > >> character byte. The EaName MUST be less than 255 characters and MUST
> > > >> NOT contain any of the following characters:
> > > >> ASCII values 0x00 - 0x1F, \ / : * ? " < > | , + = [ ] ;
> > > >> ---------------------
> > > >> 
> > > >> However, in source3/smbd/trans2.c:fill_ea_buffer we have:
> > > >>         for (p = pdata + 4; ea_list; ea_list = ea_list->next) {
> > > >>                 size_t dos_namelen;
> > > >>                 fstring dos_ea_name;
> > > >>                 push_ascii_fstring(dos_ea_name, ea_list->ea.name);
> > > >>                 dos_namelen = strlen(dos_ea_name);
> > > >>                 if (dos_namelen > 255 || dos_namelen == 0) {
> > > >>                         break;
> > > >>                 }
> > > >> 
> > > >> The description in FSCC does seem a little confusing, but one
> > > >> possible interpretation is that the name, excluding the terminating
> > > >> NULL must be less than 255 ASCII chars in length. If that were the
> > > >> case, the test above is wrong.
> > > > 
> > > > Test against Windows.
> > > > 
> > > >> Does anyone have any examples of long EA names? Is there an easy way
> > > >> to set EAs from Windows?
> > > > 
> > > > There is *no* way from the Win32 layer to create EA's against a
> > > > Windows server :-).
> > > 
> > > Hmmm, that seems not to be quite true:
> > > http://www.tech-archive.net/Archive/Development/microsoft.public.win32.programmer.kernel/2006-05/msg00485.html
> > > 
> > > There are also other references to the undocumented NTDLL call
> > > NTSetEaFile and this:
> > >    http://www.zezula.net/en/fstools/filetest.html
> > > 
> > > I guess I will give it a try soon.
> > 
> > I did say Win32 layer :-). NtXXX calls are the Nt system
> > call layer below.
> > 
> > Anyway, I still think network probing using SMB calls is
> > a safer way to test - that describes exactly the behavior
> > on the wire we need to obey.
> > 
> > Jeremy.
> 
> I wrote a small OS/2 test applet to check for the max. EA name length.
>  - OS/2
>  - Windows XP
>  - samba3
> all allow setting a max. length of 255 chars (+ terminating zero).
> 
> More precisely, all 3 don't return an error when using 255 chars.
> 
> BUT - for some reason I haven't dug into atm, samba only
> stores (!) EA names with max. 250 characters!
> 
> Samba stores EA names with e.g. 248, 249, 250 characters fine - but then
> any longer names "are ignored" in some way.
> 
> Let's assume an EA name of 250 "a" characters.
> That one will be stored.
> 
> Now a NEW EA name with 251 "a" characters is passed.
> It's ignored - NOT even stored!
> 
> When a NEW EA name with 251 "b" characters is now passed,
> it will be stored - BUT only 250 chars are stored!
> 
> Will dig deeper if time allows.
> Btw - I used smbclient's "getea <filename>" to view the stored EAs.
> 
> Cheers, Günter
> 
> ---
> Btw - one would assume that EA names which only
> differ in length (above 250), but use the same char (e.g. "a") for the
> whole EA name, are always stored as different names.
> This holds true for OS/2 (which I'm able to check) - but samba only
> stores ONE EA name - sure, due to the "magic" 250 char limit....

Did some further digging ...
Oh well - samba is using "fstring" for that eaname storage, with FSTRING_LEN
being 256!
For user xattrs that fstring starts with a fixed "user." - so anyway only
250 chars are left over for the _real_ xattr eaname.

From trans2.c -->  set_ea()
....
		fstring unix_ea_name; /* fixed FSTRING_LEN (256) buffer for "user." + name */

		fstrcpy(unix_ea_name, "user."); /* All EA's must start with user. */
		fstrcat(unix_ea_name, ea_list->ea.name);

		canonicalize_ea_name(conn, fsp, fname, unix_ea_name);
....

Here the whole xattr fstring is truncated ...
Btw - with a not-so-recent s3 version fstrcat() returned an overrun error.
Now fstrcat is mapped to strlcat, which works silently...

There are other places which possibly need some checks.

Cheers, Günter
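As an added illustration of the two points in this thread (the MS-FSCC 2.4.15 name constraints, and the silent truncation when "user." plus the name is packed into a 256-byte fstring), here is a constructed C example; it is not Samba's code, and FSTRING_LEN, EA_PREFIX and the function names are assumptions for the demonstration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not Samba code. FSTRING_LEN and the "user." prefix
 * are the values discussed in the thread; the function names are assumed. */
#define FSTRING_LEN 256
#define EA_PREFIX "user."

/* Validate an EA name against the MS-FSCC 2.4.15 text quoted above: non-empty,
 * fewer than 255 characters excluding the terminating null, and none of the
 * forbidden characters (ASCII 0x00-0x1F and \ / : * ? " < > | , + = [ ] ;). */
bool ea_name_is_valid(const char *name)
{
    static const char forbidden[] = "\\/:*?\"<>|,+=[];";
    size_t len = strlen(name);
    if (len == 0 || len >= 255) {
        return false;
    }
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c <= 0x1F || strchr(forbidden, c) != NULL) {
            return false;
        }
    }
    return true;
}

/* Pack "user.<name>" into a fixed FSTRING_LEN buffer. snprintf, like strlcat,
 * always terminates and silently drops what does not fit; the return value
 * tells the caller whether the whole key fitted (the thread's set_ea() path never checks). */
bool build_xattr_key(char out[FSTRING_LEN], const char *ea_name)
{
    int want = snprintf(out, FSTRING_LEN, "%s%s", EA_PREFIX, ea_name);
    return want >= 0 && want < FSTRING_LEN;
}

/* Reproduce the thread's experiment: an EA name made of n copies of c.
 * Returns how many characters of that name survive in the packed key. */
size_t surviving_ea_name_len(char c, size_t n)
{
    char name[1024];
    char key[FSTRING_LEN];
    if (n >= sizeof(name)) n = sizeof(name) - 1;
    memset(name, c, n);
    name[n] = '\0';
    build_xattr_key(key, name);
    return strlen(key) - strlen(EA_PREFIX);
}
```

A 250-character name survives whole, while 251 or more characters are silently cut to 250, which is why names differing only in length beyond 250 collapse onto one stored EA.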


