[Samba] cli_smb2_dskattr() returning with NT_STATUS_INVALID_NETWORK_RESPONSE with blob length 65535
Rowland penny
rpenny at samba.org
Mon May 10 16:27:32 UTC 2021
On 10/05/2021 16:54, Tompkins, Michael via samba wrote:
> We have found that in one case we are getting:
> GetInfo Response (0x10)
> ...
> StructureSize: 0x0009
> 0000 0000 0000 1000. = Fixed Part Length: 4
> .... .... .... ...1 = Dynamic Part: True
> Blob Offset: 0x00000048
> Blob Length: 65535
>
> In samba-4.7.5/source3/libsmb/cli_smb2_fnum.c, function: cli_smb2_dskattr() we see:
>
> /* getinfo on the returned handle with info_type SMB2_GETINFO_FS (2),
>    level 3 (SMB_FS_SIZE_INFORMATION). */
>
> status = smb2cli_query_info(cli->conn,
>                             cli->timeout,
>                             cli->smb2.session,
>                             cli->smb2.tcon,
>                             2,      /* in_info_type */
>                             3,      /* in_file_info_class */
>                             0xFFFF, /* in_max_output_length */
>                             NULL,   /* in_input_buffer */
>                             0,      /* in_additional_info */
>                             0,      /* in_flags */
>                             ph->fid_persistent,
>                             ph->fid_volatile,
>                             frame,
>                             &outbuf);
> if (!NT_STATUS_IS_OK(status)) {
>         goto fail;
> }
>
> /* Parse the reply. */
> if (outbuf.length != 24) {
>         status = NT_STATUS_INVALID_NETWORK_RESPONSE;
>         goto fail;
> }
>
> So we decided to try changing it to:
>
> + if (outbuf.length < 24) {
> + status = NT_STATUS_INVALID_NETWORK_RESPONSE;
> + goto fail;
> + }
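Review bot: relaxing the check from `!= 24` to `< 24` keeps the 24-byte parse of SMB_FS_SIZE_INFORMATION safe (a blob too short to hold the structure is still rejected), but it now accepts any longer reply without leaving a trace; note that the 65535 in the capture equals the 0xFFFF passed as in_max_output_length in the request quoted above, which suggests the server is echoing the requested maximum rather than the real payload size. Suggest keeping the relaxed guard but logging the unexpected outbuf.length before parsing, so the deviating server stays visible in the client log, and confirming that the parse which follows reads only the first 24 bytes.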
>
> And the transfer passed. This was in 4.7.5 but we see the same logic exists in 4.12.x ... So do you think this is a valid change? Is 65535 an expected valid return? Is it indicating something? Have you seen other cases where the blob length may not be 24? Your feedback would be greatly appreciated.
>
> Mike
>
Can you try a 4.14.x version? The code appears to have changed; it is
now 'status = cli_smb2_query_info_fnum'.
Rowland
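Added illustration, not Samba code and not from either poster: a stand-alone parser for the 24-byte SMB_FS_SIZE_INFORMATION reply discussed above that still rejects a blob too short to hold the structure, but parses only the first 24 bytes of an oversized one and reports the mismatch, so a bogus advertised length like 65535 is tolerated without being silently accepted. The struct and function names are made up for the example and the sample reply is constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* SMB_FS_SIZE_INFORMATION (MS-FSCC FileFsSizeInformation) is exactly 24 bytes, little-endian:
 * TotalAllocationUnits(8) AvailableAllocationUnits(8) SectorsPerAllocationUnit(4) BytesPerSector(4). */
#define FS_SIZE_INFO_LEN 24

struct fs_size_info {
    uint64_t total_alloc_units, avail_alloc_units;
    uint32_t sectors_per_unit, bytes_per_sector;
};

static uint64_t get_le(const uint8_t *p, size_t n) {
    uint64_t v = 0;
    for (size_t i = 0; i < n; i++) v |= (uint64_t)p[i] << (8 * i);
    return v;
}

/* Returns 0 on success, -1 if the blob cannot hold the structure (rejected by both the
 * original "!= 24" check and the relaxed "< 24" one). A longer blob is parsed from its first
 * 24 bytes but flagged via *oversized so the caller can log a server advertising 65535. */
int parse_fs_size_info(const uint8_t *buf, size_t len, struct fs_size_info *out, bool *oversized) {
    if (buf == NULL || out == NULL || len < FS_SIZE_INFO_LEN) return -1;
    if (oversized) *oversized = (len != FS_SIZE_INFO_LEN);
    out->total_alloc_units = get_le(buf, 8);
    out->avail_alloc_units = get_le(buf + 8, 8);
    out->sectors_per_unit  = (uint32_t)get_le(buf + 16, 4);
    out->bytes_per_sector  = (uint32_t)get_le(buf + 20, 4);
    return 0;
}

/* Free space in bytes, the figure a disk-attribute call ultimately reports to its caller. */
uint64_t fs_free_bytes(const struct fs_size_info *f) {
    return f->avail_alloc_units * f->sectors_per_unit * f->bytes_per_sector;
}

/* Constructed sample reply: 1000 total units, 250 free, 8 sectors/unit, 512 bytes/sector. */
static const uint8_t sample_reply[FS_SIZE_INFO_LEN] = {
    0xE8, 0x03, 0, 0, 0, 0, 0, 0,   0xFA, 0, 0, 0, 0, 0, 0, 0,
    0x08, 0, 0, 0,   0x00, 0x02, 0, 0 };

/* Parse the sample with an advertised length `len` (zero-padded, capped at 64 bytes). */
int parse_sample(size_t len, struct fs_size_info *out, bool *oversized) {
    uint8_t blob[64] = {0};
    memcpy(blob, sample_reply, sizeof sample_reply);
    return parse_fs_size_info(blob, len > sizeof blob ? sizeof blob : len, out, oversized);
}
```

Calling parse_sample() with 24, 65535 and 23 exercises the exact, oversized and short cases in turn.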