Padding byte in cifs readx response

Christof Schmitt cs at samba.org
Wed Jul 30 17:34:45 MDT 2014


On Wed, Jul 30, 2014 at 04:34:01PM -0700, Christof Schmitt wrote:
> It was pointed out to me that a padding byte in the readx response is
> missing:
> 
> http://msdn.microsoft.com/en-us/library/ee441872.aspx
>  Pad (1 byte): This field is optional. When using the NT LAN Manager
> dialect, this field can be used to align the Data field to a 16-bit
> boundary relative to the start of the SMB Header. If Unicode strings are
> being used, this field MUST be present. When used, this field MUST be
> one padding byte long.
> 
> I wrote a simple test for this, and it succeeds against a Windows 7 and
> fails in
> make test TESTS=raw.read
> 
> UNEXPECTED(failure): samba3.raw.read.readx(s3dc)
> REASON: _StringException: _StringException:
> ../source4/torture/raw/read.c:441: data not 16 bit aligned
> envlog: SMBD LOG of: LOCALS3DC2

Resending with the patch attached.

Christof
-------------- next part --------------
From db3031af7a1e59cbbdab16fc6624517a6073d811 Mon Sep 17 00:00:00 2001
From: Christof Schmitt <cs at samba.org>
Date: Tue, 29 Jul 2014 13:39:57 -0700
Subject: [PATCH] torture: Add test for 16 bit alignment of readx data

MS-CIFS requires a one byte pad to guarantee 16 bit alignment of the
data:

Pad (1 byte): This field is optional. When using the NT LAN Manager
dialect, this field can be used to align the Data field to a 16-bit
boundary relative to the start of the SMB Header. If Unicode strings are
being used, this field MUST be present. When used, this field MUST be
one padding byte long.
---
 source4/libcli/raw/interfaces.h   |    2 ++
 source4/libcli/raw/rawreadwrite.c |    2 ++
 source4/torture/raw/read.c        |    6 ++++++
 3 files changed, 10 insertions(+), 0 deletions(-)

diff --git a/source4/libcli/raw/interfaces.h b/source4/libcli/raw/interfaces.h
index 12c0377..9003c12 100644
--- a/source4/libcli/raw/interfaces.h
+++ b/source4/libcli/raw/interfaces.h
@@ -1809,6 +1809,8 @@ union smb_read {
 			uint16_t remaining;
 			uint16_t compaction_mode;
 			uint32_t nread;
+			uint16_t flags2;
+			uint16_t data_offset;
 		} out;
 	} readx, generic;
 
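Review bot: the two new members of readx.out carry no comment, and flags2 in particular is not a READ_ANDX parameter word at all but the FLAGS2 field of the reply's SMB header, so a reader of interfaces.h cannot tell why header state lives in a per-call output struct or what data_offset is measured from. One line each would settle it, e.g. `uint16_t flags2;      /* FLAGS2 from the SMB header of the reply */` and `uint16_t data_offset; /* DataOffset (VWV(6)), relative to the SMB header start */`. Because the struct is aliased as `readx, generic`, both fields also become part of the generic read result; harmless, but worth saying in the same comment so nobody later assumes they are filled in for the other read variants.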
diff --git a/source4/libcli/raw/rawreadwrite.c b/source4/libcli/raw/rawreadwrite.c
index d3f5518..fb44ba4 100644
--- a/source4/libcli/raw/rawreadwrite.c
+++ b/source4/libcli/raw/rawreadwrite.c
@@ -155,6 +155,8 @@ _PUBLIC_ NTSTATUS smb_raw_read_recv(struct smbcli_request *req, union smb_read *
 		parms->readx.out.remaining       = SVAL(req->in.vwv, VWV(2));
 		parms->readx.out.compaction_mode = SVAL(req->in.vwv, VWV(3));
 		parms->readx.out.nread = SVAL(req->in.vwv, VWV(5));
+		parms->readx.out.flags2 = req->flags2;
+		parms->readx.out.data_offset = SVAL(req->in.vwv, VWV(6));
 
 		/* handle oversize replies for non-chained readx replies with
 		   CAP_LARGE_READX. The snia spec has must to answer for. */
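Review bot: data_offset is copied straight from VWV(6) with no check that it lies inside req->in.size, so anything that later reads the field from the struct would be trusting an unvalidated value from the server. For the parity check in read.c that is fine, but the field should be marked as such where it is set (`/* raw DataOffset from the wire, not range-checked here */`) so it is not reused as a pointer offset. It would also help to note here that MS-CIFS defines DataOffset relative to the start of the SMB header; that is exactly what makes the `% 2` test in read.c meaningful, and a comment prevents someone "fixing" the value to be relative to the data buffer.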
diff --git a/source4/torture/raw/read.c b/source4/torture/raw/read.c
index 59089bf..148df3b 100644
--- a/source4/torture/raw/read.c
+++ b/source4/torture/raw/read.c
@@ -435,6 +435,12 @@ static bool test_readx(struct torture_context *tctx, struct smbcli_state *cli)
 		goto done;
 	}
 
+	if ((io.readx.out.flags2 & FLAGS2_UNICODE_STRINGS) &&
+	    (io.readx.out.data_offset % 2 != 0)) {
+		ret = false;
+		torture_fail_goto(tctx, done, "data not 16 bit aligned\n");
+	}
+
 	printf("Trying short read\n");
 	io.readx.in.offset = 1;
 	io.readx.in.mincnt = strlen(test_data);
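Review bot: the failure message "data not 16 bit aligned" drops the value that tripped it, so the log quoted in this thread only shows a line number; including io.readx.out.data_offset (and flags2) in the message, for example by passing a talloc_asprintf(tctx, "data not 16 bit aligned, data_offset=%u flags2=0x%x", ...) string to torture_fail_goto, would make a server failure diagnosable from the log alone. The check also covers only this one readx: the short read that follows ("Trying short read", offset 1) and any later readx in this test go unchecked, while the MS-CIFS rule applies to every READ_ANDX response. A small static helper that takes the union smb_read and is called after each smb_raw_read recv would cover all of them without repeating the four-line block.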
-- 
1.7.1
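As an added example (not Samba code and not part of this thread), here is the check the torture test performs, applied to a constructed READ_ANDX response rather than to a live server: a parser that pulls FLAGS2 from the SMB header and DataLength/DataOffset from VWV(5)/VWV(6), range-checks DataOffset against the received buffer, and enforces the MS-CIFS rule that the Data field starts at an even offset from the SMB header when Unicode strings are in use. The builder, the sample payload and the names parse_readx_response/build_readx_response/check_constructed are mine for this example; Samba's equivalents of the byte access are the SVAL() and VWV() macros seen in the patch. The layout used is the one MS-CIFS gives for READ_ANDX: a 32-byte header, WordCount 12, then ByteCount, so the byte block begins at offset 59 and the pad byte is what moves the data to 60.

```c
/* Added example, not Samba code: parse a constructed SMB1 READ_ANDX response
 * and apply the MS-CIFS rule the torture test checks: with
 * FLAGS2_UNICODE_STRINGS set, DataOffset (measured from the start of the
 * SMB header) must be even, i.e. the server must have emitted the Pad byte. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SMB_HDR_LEN          32      /* fixed SMB1 header */
#define FLAGS2_UNICODE_STR   0x8000  /* FLAGS2_UNICODE_STRINGS */
#define READX_WORDCOUNT      12      /* READ_ANDX response has 12 parameter words */
#define READX_BYTES_START    (SMB_HDR_LEN + 1 + 2 * READX_WORDCOUNT + 2)  /* 59 */

enum readx_result {
	READX_OK = 0,
	READX_BAD_HEADER,
	READX_BAD_WORDCOUNT,
	READX_OFFSET_OUT_OF_RANGE,
	READX_DATA_MISALIGNED
};

/* little-endian 16-bit load/store; hand-rolled equivalent of Samba's SVAL() */
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void put_le16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v & 0xff); p[1] = (uint8_t)(v >> 8); }

/* Validate a READ_ANDX response; on success *data/*dlen describe the file data. */
static enum readx_result parse_readx_response(const uint8_t *buf, size_t len,
					      const uint8_t **data, uint16_t *dlen)
{
	if (len < SMB_HDR_LEN + 1 || memcmp(buf, "\xffSMB", 4) != 0)
		return READX_BAD_HEADER;
	if (buf[SMB_HDR_LEN] != READX_WORDCOUNT || len < READX_BYTES_START)
		return READX_BAD_WORDCOUNT;

	const uint8_t *vwv = buf + SMB_HDR_LEN + 1;   /* VWV(0) */
	uint16_t flags2      = le16(buf + 10);        /* header FLAGS2 */
	uint16_t data_length = le16(vwv + 2 * 5);     /* VWV(5) DataLength */
	uint16_t data_offset = le16(vwv + 2 * 6);     /* VWV(6) DataOffset */

	/* DataOffset is relative to the SMB header: it must not point back into
	 * the parameter block, and the data must fit in what was received. */
	if (data_offset < READX_BYTES_START || (size_t)data_offset + data_length > len)
		return READX_OFFSET_OUT_OF_RANGE;
	/* the MS-CIFS padding rule the torture test enforces */
	if ((flags2 & FLAGS2_UNICODE_STR) && (data_offset % 2) != 0)
		return READX_DATA_MISALIGNED;

	if (data) *data = buf + data_offset;
	if (dlen) *dlen = data_length;
	return READX_OK;
}

/* Build a constructed READ_ANDX response carrying `data`, with or without the
 * optional Pad byte. Returns the total length, or 0 if `cap` is too small. */
static size_t build_readx_response(uint8_t *out, size_t cap, uint16_t flags2,
				   const uint8_t *data, uint16_t dlen, int with_pad)
{
	size_t data_offset = READX_BYTES_START + (with_pad ? 1 : 0);
	size_t total = data_offset + dlen;
	if (total > cap) return 0;

	memset(out, 0, total);
	memcpy(out, "\xffSMB", 4);
	out[4] = 0x2e;                                  /* SMB_COM_READ_ANDX */
	put_le16(out + 10, flags2);
	out[SMB_HDR_LEN] = READX_WORDCOUNT;
	uint8_t *vwv = out + SMB_HDR_LEN + 1;
	vwv[0] = 0xff;                                  /* AndXCommand: no further command */
	put_le16(vwv + 2 * 5, dlen);                    /* DataLength */
	put_le16(vwv + 2 * 6, (uint16_t)data_offset);   /* DataOffset */
	put_le16(out + READX_BYTES_START - 2, (uint16_t)(total - READX_BYTES_START)); /* ByteCount */
	memcpy(out + data_offset, data, dlen);
	return total;
}

/* Round-trip a constructed response through the parser. */
static enum readx_result check_constructed(uint16_t flags2, int with_pad)
{
	static const uint8_t payload[] = "constructed file contents";  /* sample data, made up */
	uint8_t buf[128];
	size_t n = build_readx_response(buf, sizeof(buf), flags2, payload,
					(uint16_t)(sizeof(payload) - 1), with_pad);
	return parse_readx_response(buf, n, NULL, NULL);
}

int main(void)
{
	printf("unicode, padded:     %d\n", check_constructed(FLAGS2_UNICODE_STR, 1)); /* READX_OK */
	printf("unicode, no pad:     %d\n", check_constructed(FLAGS2_UNICODE_STR, 0)); /* READX_DATA_MISALIGNED */
	printf("non-unicode, no pad: %d\n", check_constructed(0, 0));                  /* READX_OK */
	return 0;
}
```

The third case is the one the patch deliberately leaves alone: without FLAGS2_UNICODE_STRINGS the pad is optional in the NT LM dialect, so an odd DataOffset is accepted. The range check before the parity check is what a client-side consumer of data_offset needs that the torture test does not: it is the difference between a protocol-conformance test and code that is about to dereference buf + data_offset.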
