[PATCH 2/3] smbd/smb2_ioctl: fail zero length copy chunk requests
David Disseldorp
ddiss at samba.org
Thu Feb 6 12:12:21 MST 2014
As documented in MS-SMB2 3.3.5.15.6 Handling a Server-Side Data Copy
Request, an invalid parameter response should be sent when:
The Length value in a single chunk is greater than
ServerSideCopyMaxChunkSize or *equal to zero*.
We do not currently abide by the latter part of this clause.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10424
Signed-off-by: David Disseldorp <ddiss at samba.org>
---
source3/smbd/smb2_ioctl_network_fs.c | 17 ++++++++++++++++-
1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/source3/smbd/smb2_ioctl_network_fs.c b/source3/smbd/smb2_ioctl_network_fs.c
index a1d67f8..986e97d 100644
--- a/source3/smbd/smb2_ioctl_network_fs.c
+++ b/source3/smbd/smb2_ioctl_network_fs.c
@@ -46,16 +46,31 @@ static NTSTATUS copychunk_check_limits(struct srv_copychunk_copy *cc_copy)
uint32_t i;
uint32_t total_len = 0;
+ /*
+ * [MS-SMB2] 3.3.5.15.6 Handling a Server-Side Data Copy Request
+ * Send and invalid parameter response if:
+ * - The ChunkCount value is greater than
+ * ServerSideCopyMaxNumberofChunks
+ */
if (cc_copy->chunk_count > COPYCHUNK_MAX_CHUNKS) {
return NT_STATUS_INVALID_PARAMETER;
}
for (i = 0; i < cc_copy->chunk_count; i++) {
- if (cc_copy->chunks[i].length > COPYCHUNK_MAX_CHUNK_LEN) {
+ /*
+ * - The Length value in a single chunk is greater than
+ * ServerSideCopyMaxChunkSize or equal to zero.
+ */
+ if ((cc_copy->chunks[i].length == 0)
+ || (cc_copy->chunks[i].length > COPYCHUNK_MAX_CHUNK_LEN)) {
return NT_STATUS_INVALID_PARAMETER;
}
total_len += cc_copy->chunks[i].length;
}
+ /*
+ * - Sum of Lengths in all chunks is greater than
+ * ServerSideCopyMaxDataSize
+ */
if (total_len > COPYCHUNK_MAX_TOTAL_LEN) {
return NT_STATUS_INVALID_PARAMETER;
}
--
1.8.4.5
More information about the samba-technical
mailing list