[PATCH] Fix SMB2 issues found by Microsoft plugfest test tool.
Jeremy Allison
jra at samba.org
Tue Jun 17 16:53:17 MDT 2014
On Tue, Jun 17, 2014 at 01:01:44PM -0700, Ira Cooper wrote:
> yay!
>
> Reviewed-by: Ira Cooper <ira at samba.org>
sigh. Turns out that the test:
ource4/torture/smb2/durable_open.c:597: Incorrect status
NT_STATUS_BAD_IMPERSONATION_LEVEL - should be NT_STATUS_OK
shows we must only do the impersonation level
check on a *real* open, not on a durable handle
reopen, so move the check for invalid
impersonation level to the branch where
we're doing the real open.
Now passes local make test :-).
Updated patchset attached !
Jeremy.
-------------- next part --------------
>From 867babe9dc29d8d899327b18b02a9bb9fc19ea9c Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra at samba.org>
Date: Mon, 16 Jun 2014 14:05:18 -0700
Subject: [PATCH 1/4] s3: smb2 - Negprot should return INVALID_PARAMETER if
flags2 signed bit is set.
MS-SMB2: 3.3.5.2.4 Verifying the Signature.
If the SMB2 header of the SMB2 NEGOTIATE
request has the SMB2_FLAGS_SIGNED bit set in the
Flags field, the server MUST fail the request
with STATUS_INVALID_PARAMETER.
Found and fix confirmed by Microsoft test tool.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ira Cooper <ira at samba.org>
---
source3/smbd/smb2_server.c | 19 +++++++++++++++++--
1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c
index 69fe9e4..166fb6b 100644
--- a/source3/smbd/smb2_server.c
+++ b/source3/smbd/smb2_server.c
@@ -2034,8 +2034,23 @@ NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req)
DATA_BLOB signing_key;
if (x == NULL) {
- return smbd_smb2_request_error(
- req, NT_STATUS_USER_SESSION_DELETED);
+ /*
+ * MS-SMB2: 3.3.5.2.4 Verifying the Signature.
+ * If the SMB2 header of the SMB2 NEGOTIATE
+ * request has the SMB2_FLAGS_SIGNED bit set in the
+ * Flags field, the server MUST fail the request
+ * with STATUS_INVALID_PARAMETER.
+ *
+ * Microsoft test tool checks this.
+ */
+
+ if ((opcode == SMB2_OP_NEGPROT) &&
+ (flags & SMB2_HDR_FLAG_SIGNED)) {
+ status = NT_STATUS_INVALID_PARAMETER;
+ } else {
+ status = NT_STATUS_USER_SESSION_DELETED;
+ }
+ return smbd_smb2_request_error(req, status);
}
signing_key = x->global->channels[0].signing_key;
--
1.9.1
>From 1f17a413e826012353e2701c8ff92c103a675931 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra at samba.org>
Date: Mon, 16 Jun 2014 14:13:02 -0700
Subject: [PATCH 2/4] s3: smb2 - Check supplied impersonation level on
SMB2_CREATE.
MS-SMB2: 2.2.13 SMB2 CREATE Request
ImpersonationLevel ... MUST contain one of the following values.
The server MUST validate this field, but otherwise ignore it.
NB. source4/torture/smb2/durable_open.c shows that
this check is only done on real opens, not on durable
handle reopens.
Found and fix confirmed by Microsoft test tool.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ira Cooper <ira at samba.org>
---
source3/smbd/smb2_create.c | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/source3/smbd/smb2_create.c b/source3/smbd/smb2_create.c
index 4e82e2c..4bb28d4 100644
--- a/source3/smbd/smb2_create.c
+++ b/source3/smbd/smb2_create.c
@@ -904,6 +904,24 @@ static struct tevent_req *smbd_smb2_create_send(TALLOC_CTX *mem_ctx,
return tevent_req_post(req, ev);
}
+ /*
+ * MS-SMB2: 2.2.13 SMB2 CREATE Request
+ * ImpersonationLevel ... MUST contain one of the
+ * following values. The server MUST validate this
+ * field, but otherwise ignore it.
+ *
+ * NB. The source4/torture/smb2/durable_open.c test
+ * shows this check is only done on real opens, not
+ * on durable handle-reopens.
+ */
+
+ if (in_impersonation_level >
+ SMB2_IMPERSONATION_DELEGATE) {
+ tevent_req_nterror(req,
+ NT_STATUS_BAD_IMPERSONATION_LEVEL);
+ return tevent_req_post(req, ev);
+ }
+
status = SMB_VFS_CREATE_FILE(smb1req->conn,
smb1req,
0, /* root_dir_fid */
--
1.9.1
>From 95f3ea56c7476f008dfde9276f78ea8491942b89 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra at samba.org>
Date: Mon, 16 Jun 2014 14:28:11 -0700
Subject: [PATCH 3/4] s3: smb2 - strictly obey file name restrictions w.r.t.
the SMB2 protocol spec.
MS-SMB2: 3.3.5.9 - Receiving an SMB2 CREATE Request
If the file name length is greater than zero and the
first character is a path separator character, the
server MUST fail the request with
STATUS_INVALID_PARAMETER.
Found and fix confirmed by Microsoft test tool.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ira Cooper <ira at samba.org>
---
source3/smbd/smb2_create.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/source3/smbd/smb2_create.c b/source3/smbd/smb2_create.c
index 4bb28d4..4e2e6bc 100644
--- a/source3/smbd/smb2_create.c
+++ b/source3/smbd/smb2_create.c
@@ -922,6 +922,22 @@ static struct tevent_req *smbd_smb2_create_send(TALLOC_CTX *mem_ctx,
return tevent_req_post(req, ev);
}
+ /*
+ * We know we're going to do a local open, so now
+ * we must be protocol strict. JRA.
+ *
+ * MS-SMB2: 3.3.5.9 - Receiving an SMB2 CREATE Request
+ * If the file name length is greater than zero and the
+ * first character is a path separator character, the
+ * server MUST fail the request with
+ * STATUS_INVALID_PARAMETER.
+ */
+ if (in_name[0] == '\\' || in_name[0] == '/') {
+ tevent_req_nterror(req,
+ NT_STATUS_INVALID_PARAMETER);
+ return tevent_req_post(req, ev);
+ }
+
status = SMB_VFS_CREATE_FILE(smb1req->conn,
smb1req,
0, /* root_dir_fid */
--
1.9.1
>From 24c4254b4ac392fdd5bb2453357db45b48a2a163 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra at samba.org>
Date: Tue, 17 Jun 2014 12:49:11 -0700
Subject: [PATCH 4/4] s3: torture test. We now pass
"samba3.smb2.create.leading-slash" so remove from knownfail.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ira Cooper <ira at samba.org>
---
selftest/knownfail | 1 -
1 file changed, 1 deletion(-)
diff --git a/selftest/knownfail b/selftest/knownfail
index 531d51b..9d1f3c3 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -180,7 +180,6 @@
^samba3.smb2.create.gentest
^samba3.smb2.create.blob
^samba3.smb2.create.open
-^samba3.smb2.create.leading-slash
^samba3.smb2.notify.valid-req
^samba3.smb2.notify.dir
^samba3.smb2.notify.rec
--
1.9.1
More information about the samba-technical
mailing list