[PATCH][CIFS] Workaround MacOS server problem with SMB2.1 write response

Jeff Layton jeff.layton at primarydata.com
Thu Aug 14 14:40:14 MDT 2014

On Thu, 14 Aug 2014 15:26:41 -0500
Steve French <smfrench at gmail.com> wrote:

> On Thu, Aug 14, 2014 at 2:35 PM, Jeremy Allison <jra at samba.org> wrote:
> > On Thu, Aug 14, 2014 at 03:30:15PM -0400, Jeff Layton wrote:
> >>
> >> Not directly related to this patch, but...
> >>
> >> What's the story behind the check above? Allowing the server to overrun
> >> the rfc1001 length by one byte seems dangerous...
> >
> > I vaguely remember a NetApp bug :-).
> >
> >> I don't understand the rationale for the arbitrary 15 byte limit. At
> >> this point, you've already received the data. If there's extra junk at
> >> the end, do you really care? I'd just ensure that clc_len fits within
> >> the rfc1001 len and leave it at that.
> >
> > +1 on this. No arbitrary limits please. If you're going
> > to ignore data after the valid packet, ignore everything
> > up to the rfc1001 length please. Only ignoring 15 bytes
> > doesn't make sense. Why 15 ? Why not 27 ?
> Mac is the only one with the length problem for SMB2 (actually SMB2.1), and
> is 3 bytes over and only on one frame.  I am ok with doing the safest,
> smallest fix (3 bytes) that gets it working.
> But I don't like the idea of arbitrary screwed up RFC1001 length,
> at worst I would prefer that we stay well within
> MAX_SMB2_HDR_SIZE which is 0x78 (or about 0x30 bytes for a minimum
> SMB2 response)
> and certainly should never allow a RFC1001 length error to cause us to
> alloc out of the
> large buffer pool (although that would require a huge rounding error).
> I also don't
> like the idea of unverified data being sent to the client kernel (in
> the space between
> the end of the SMB3 response and the end of the TCP data).  Don't want
> someone creative sticking code there.
> I am fine with increasing it to only address the mac bug (ie 3 bytes)
> or anything up to
> 0x30 bytes, but it complicates error checking if the RFC1001 length
> can be off by
> arbitrary amounts.  Realistically it is hard to imagine rounding
> errors more than
> sizeof(double) or 8 bytes.
> The safest change is to only address the mac server bug (allow 3 bytes off).

Failing here won't change the buffer allocation. That buffer has
already been allocated, and the receive is complete at this point. So
any "damage" has already been done.

So, I just don't get why you'd bother with an arbitrary limit at all.
The error checking is _simpler_ if you don't bother with this limit. Or
am I missing something here?

Jeff Layton <jlayton at primarydata.com>

More information about the samba-technical mailing list