[Samba] Re: Test Failure for RW1 with samba-3.0.30, Solaris 9

David Eisner deisner at gmail.com
Mon Jun 2 23:22:09 GMT 2008 

Hmm, I wonder if this isn't a bug with the fix for CVE-2008-1105.

I'll add a bug (to the 717 [1] "NEW" bugs for Samba 3.0 ...), but
here's what seems to be going on at a low level:

When the client state is setup in run_readwritetest() by way of
torture_open_connection(), cli_state->bufsize gets set to
CLI_SAMBA_MAX_LARGE_READX_SIZE, which is defined to be 127*1024 ==
130048.

During the rw_torture2 iteration that breaks the test,
send_file_readX() in smbd/reply.c calculates the packet length to
send:

    nread = read_file(fsp,data,startpos,smb_maxcnt);
    // ...

    outsize = set_message(outbuf,12,nread,False);
    // ...

    /* Returning the number of bytes we want to send back - including header. */
    return outsize;
}

When RW1 fails, nread == 130048 (which is
CLI_SAMBA_MAX_LARGE_READX_SIZE), and outsize is set by set_message()
to be 39 + 2x12 + nread == 130111.

Later on, construct_reply reduces this by 4, and I think this becomes
the length of the reply packet:

  static int construct_reply(char *inbuf,char *outbuf,int size,int bufsize)
  {
      // ...
      if(outsize > 4)
          smb_setlen(outbuf,outsize - 4);
      return(outsize);
  }

Now the length stored in the packet is 130111 - 4 == 130107

Back on the client side, receive_smb_raw()  (in lib/util_sock.c) is unhappy:

  BOOL receive_smb_raw(int fd, char *buffer, size_t buflen, unsigned
int timeout)
  {
      // ...
      len = read_smb_length_return_keepalive(fd,buffer,timeout);
      // ...
      if (len > buflen) {
          DEBUG(0,("Invalid packet length! (%lu bytes).\n",(unsigned long)len));
      //...

And here's the output (I added a debugging statement to also print buflen:

##DRE: receive_smb_raw: Invalid packet length! len == (130107 bytes),
buflen == (130048).

That is, it's complaining because 130107, the length reported in the
reply packet header (I think), is larger than bufsize for the client
state.  As to where the real problem is (i.e. does receive_smb_raw()
need to do something with len before comparing it with buflen), I
can't say.

-David

[1] http://preview.tinyurl.com/6g6axu

More information about the samba mailing list