[PATCH 0/3] fix incorrect zero length server-side copy request handling

David Disseldorp ddiss at samba.org
Thu Feb 6 12:12:19 MST 2014


Samba currently incorrectly handles zero length server-side copy requests
by passing them through to the VFS layer for I/O.

On vfs_default, the IO itself is skipped, but a successful ioctl
response is returned to the client, rather than
NT_STATUS_INVALID_PARAMETER as returned by Windows Server 2012 and
documented in MS-SMB2.

With vfs_btrfs, copy-chunk requests are mapped to BTRFS_IOC_CLONE_RANGE
ioctls. A zero-length request in this case is catastrophic: I recently
discovered Btrfs handles such a case by cloning all data from
source-offset to end-of-file into the destination!

This patch set fixes these issues and adds a test case. Feedback
appreciated.

Cheers, David


BUG: https://bugzilla.samba.org/show_bug.cgi?id=10424

The following changes since commit 0ce46318715577bd8273ed9c0880be54542f227f:

  winbind3: Simplify fillup_pw_field (2014-02-05 13:47:52 +0100)

are available in the git repository at:

  git://git.samba.org/ddiss/samba.git bso10424_zero_length_copychunk

for you to fetch changes up to 9ee6f9fbbe3903dad744502f641d7a6b6bd162dd:

  vfs_btrfs: pass-through copy-chunk(len=0) requests (2014-02-06 19:48:20 +0100)

----------------------------------------------------------------
David Disseldorp (3):
      torture: add zero length FSCTL_SRV_COPYCHUNK test
      smbd/smb2_ioctl: fail zero length copy chunk requests
      vfs_btrfs: pass-through copy-chunk(len=0) requests

 source3/modules/vfs_btrfs.c          | 22 +++++++++++++++++++++-
 source3/smbd/smb2_ioctl_network_fs.c | 17 ++++++++++++++++-
 source4/torture/smb2/ioctl.c         | 64 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 101 insertions(+), 2 deletions(-)
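
Added example, not part of the original post or of Samba's code: a small C model of the length semantics described above, where a clone-range length of 0 means "through end of file", next to a request-layer check that refuses zero-length chunks before any backend call. The names memfile, model_clone_range and guarded_copy_chunk are hypothetical, and the in-memory buffer is a constructed stand-in for a real file.

```c
#include <stdint.h>
#include <string.h>

/* NTSTATUS codes as listed in MS-ERREF. */
#define NT_STATUS_OK                0x00000000u
#define NT_STATUS_INVALID_PARAMETER 0xC000000Du

/* Hypothetical in-memory file standing in for a file on Btrfs. */
struct memfile { uint8_t data[64]; uint64_t size; };

/* Model of clone-range semantics: len == 0 means "src_off through EOF".
 * Returns bytes placed in dst, or -1 for a range the model rejects. */
static int64_t model_clone_range(const struct memfile *src, uint64_t src_off,
                                 struct memfile *dst, uint64_t dst_off,
                                 uint64_t len)
{
    if (src_off > src->size) return -1;
    if (len == 0) len = src->size - src_off;      /* the surprising case */
    if (len > src->size - src_off) return -1;
    if (dst_off > sizeof(dst->data) || len > sizeof(dst->data) - dst_off)
        return -1;
    memcpy(dst->data + dst_off, src->data + src_off, (size_t)len);
    if (dst_off + len > dst->size) dst->size = dst_off + len;
    return (int64_t)len;
}

/* Request-layer check: refuse zero-length chunks before any backend call. */
static uint32_t guarded_copy_chunk(const struct memfile *src, uint64_t src_off,
                                   struct memfile *dst, uint64_t dst_off,
                                   uint32_t len, uint32_t *written)
{
    *written = 0;
    if (len == 0) return NT_STATUS_INVALID_PARAMETER;
    int64_t n = model_clone_range(src, src_off, dst, dst_off, len);
    if (n < 0) return NT_STATUS_INVALID_PARAMETER; /* model simplification */
    *written = (uint32_t)n;
    return NT_STATUS_OK;
}

int main(void)
{
    struct memfile src = { .size = 32 }, dst = { .size = 0 };
    uint32_t written;
    memset(src.data, 'A', (size_t)src.size);
    /* Constructed input: a zero-length request must leave dst untouched. */
    uint32_t st = guarded_copy_chunk(&src, 8, &dst, 0, 0, &written);
    return (st == NT_STATUS_INVALID_PARAMETER && dst.size == 0) ? 0 : 1;
}
```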

