Bug in Samba's implementation of FSCTL_QUERY_ALLOCATED_RANGES?

Jeremy Allison jra at samba.org
Thu May 23 22:49:51 UTC 2024


On Thu, May 23, 2024 at 12:28:35PM -0300, Paulo Alcantara wrote:
>Tom Talpey <tom at talpey.com> writes:
>
>> Yeah, I think this is a Samba server issue. Ronnie is right that it
>> should return a partial response and a STATUS_BUFFER_OVERFLOW error
>> indicating that it's partial. It's not supposed to return
>> STATUS_BUFFER_TOO_SMALL unless the entire buffer is less than one
>> entry.
>>
>> MS-FSA section 2.5.10.22
>>
>> https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fsa/385dec98-90fe-477f-9789-20a47a7b8467
>
>Yes.  I've just tested it against Windows Server 2022 and it correctly
>returns STATUS_BUFFER_OVERFLOW.

Bug is in fsctl_qar():

         ndr_ret = ndr_push_struct_blob(out_output, mem_ctx, &qar_rsp,
                 (ndr_push_flags_fn_t)ndr_push_fsctl_query_alloced_ranges_rsp);
         if (ndr_ret != NDR_ERR_SUCCESS) {
                 DEBUG(0, ("failed to marshall QAR rsp\n"));
                 return NT_STATUS_INVALID_PARAMETER;
         }

         if (out_output->length > in_max_output) {
                 DEBUG(2, ("QAR output len %lu exceeds max %lu\n",
                           (unsigned long)out_output->length,
                           (unsigned long)in_max_output));
                 data_blob_free(out_output);
                 return NT_STATUS_BUFFER_TOO_SMALL;
         }

I'm guessing in this case we need to just truncate out_output->length
to in_max_output and return STATUS_BUFFER_OVERFLOW.
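As an added illustration, not code from this thread or from Samba, the following C model shows the response semantics Tom and Ronnie describe for FSCTL_QUERY_ALLOCATED_RANGES: whole FILE_ALLOCATED_RANGE_BUFFER entries are emitted until the client's buffer is exhausted, a short buffer yields STATUS_BUFFER_OVERFLOW with a partial result, and STATUS_BUFFER_TOO_SMALL is returned only when not even one entry fits. It assumes the wire layout of FILE_ALLOCATED_RANGE_BUFFER (FileOffset and Length as two little-endian 64-bit integers, 16 bytes per entry) and the NTSTATUS values from MS-ERREF. The function names (`qar_marshal`, `qar_all_or_nothing`, the `demo_*` helpers) are hypothetical and the range table is constructed sample data; `qar_all_or_nothing` reproduces the all-or-nothing check in the quoted fsctl_qar() fragment for comparison.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* NTSTATUS values as defined in MS-ERREF. */
#define STATUS_SUCCESS          0x00000000u
#define STATUS_BUFFER_OVERFLOW  0x80000005u
#define STATUS_BUFFER_TOO_SMALL 0xC0000023u

/* One FILE_ALLOCATED_RANGE_BUFFER entry on the wire: FileOffset and Length,
 * each a little-endian 64-bit integer, 16 bytes in total. */
#define RANGE_ENTRY_SIZE 16u

struct alloc_range {
    uint64_t file_offset;
    uint64_t length;
};

static void put_le64(uint8_t *p, uint64_t v)
{
    for (int i = 0; i < 8; i++) {
        p[i] = (uint8_t)(v >> (8 * i));
    }
}

/* Hypothetical marshaller following MS-FSA 2.5.10.22 (not Samba's fsctl_qar()).
 *   max_output < one entry   -> STATUS_BUFFER_TOO_SMALL, nothing written
 *   not every entry fits     -> STATUS_BUFFER_OVERFLOW, whole entries only
 *   everything fits          -> STATUS_SUCCESS
 * *out_len always receives the number of bytes written. */
uint32_t qar_marshal(const struct alloc_range *ranges, size_t nranges,
                     uint8_t *out, size_t max_output, size_t *out_len)
{
    *out_len = 0;
    if (max_output < RANGE_ENTRY_SIZE) {
        return STATUS_BUFFER_TOO_SMALL;
    }
    /* Truncate to whole entries; a partial entry is never emitted. */
    size_t fit = max_output / RANGE_ENTRY_SIZE;
    size_t n = nranges < fit ? nranges : fit;
    for (size_t i = 0; i < n; i++) {
        put_le64(out + i * RANGE_ENTRY_SIZE, ranges[i].file_offset);
        put_le64(out + i * RANGE_ENTRY_SIZE + 8, ranges[i].length);
    }
    *out_len = n * RANGE_ENTRY_SIZE;
    return (n < nranges) ? STATUS_BUFFER_OVERFLOW : STATUS_SUCCESS;
}

/* The rule in the quoted Samba fragment: if the fully marshalled response
 * exceeds in_max_output, drop it all and report STATUS_BUFFER_TOO_SMALL. */
uint32_t qar_all_or_nothing(size_t nranges, size_t max_output)
{
    return (nranges * RANGE_ENTRY_SIZE > max_output)
               ? STATUS_BUFFER_TOO_SMALL : STATUS_SUCCESS;
}

/* Constructed sample: three allocated extents of a sparse file. */
static const struct alloc_range sample[3] = {
    { 0,        4096 },
    { 8192,     4096 },
    { 1u << 20, 512  },
};
#define SAMPLE_COUNT 3u

/* Demo wrappers over the sample table with a 64-byte client buffer. */
uint32_t demo_status(size_t max_output)
{
    uint8_t buf[64];
    size_t len;
    if (max_output > sizeof buf) max_output = sizeof buf;
    return qar_marshal(sample, SAMPLE_COUNT, buf, max_output, &len);
}

size_t demo_len(size_t max_output)
{
    uint8_t buf[64];
    size_t len;
    if (max_output > sizeof buf) max_output = sizeof buf;
    (void)qar_marshal(sample, SAMPLE_COUNT, buf, max_output, &len);
    return len;
}

/* Returns 1 when a 40-byte buffer yields exactly two whole entries and the
 * second entry's FileOffset (8192 = 0x2000) is encoded little-endian. */
int demo_partial_bytes_ok(void)
{
    uint8_t buf[64] = {0};
    size_t len;
    uint32_t st = qar_marshal(sample, SAMPLE_COUNT, buf, 40, &len);
    return st == STATUS_BUFFER_OVERFLOW && len == 32 &&
           buf[16] == 0x00 && buf[17] == 0x20 && buf[18] == 0x00;
}

int main(void)
{
    size_t sizes[] = { 8, 16, 40, 48, 64 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        printf("max_output=%2zu  spec: 0x%08x len=%2zu   all-or-nothing: 0x%08x\n",
               sizes[i], demo_status(sizes[i]), demo_len(sizes[i]),
               qar_all_or_nothing(SAMPLE_COUNT, sizes[i]));
    }
    return 0;
}
```

Running the block prints both behaviours side by side: with a 40-byte buffer the spec model returns two entries (32 bytes) under STATUS_BUFFER_OVERFLOW, while the all-or-nothing rule returns STATUS_BUFFER_TOO_SMALL and no data, which is what an SMB client that treats STATUS_BUFFER_OVERFLOW as "partial, continue" and STATUS_BUFFER_TOO_SMALL as a hard failure will observe as the bug.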