diff options
author | Andrew Tridgell <tridge@samba.org> | 2009-08-05 20:23:12 +1000 |
---|---|---|
committer | Andrew Tridgell <tridge@samba.org> | 2009-08-05 20:24:01 +1000 |
commit | 3854b5e6146ff8efeb4379a502bb083cbaa05ce4 (patch) | |
tree | ef46deaa2dadf39bba7b9da8a181520b3ac52db9 | |
parent | 67b6f5784ae8d2e5c5b783b24a4b0ff555a28d44 (diff) | |
download | samba-3854b5e6146ff8efeb4379a502bb083cbaa05ce4.tar.gz samba-3854b5e6146ff8efeb4379a502bb083cbaa05ce4.tar.bz2 samba-3854b5e6146ff8efeb4379a502bb083cbaa05ce4.zip |
changed BCC handling for SMBwriteX to handle broken MacOSX client
see bug #6610
The MacOSX SMB client sets the BCC value in SMBwriteX calls to zero
instead of the correct size. Checking against WindowsXP, I've found
that Windows uses the maximum of the computed buffer size and the
given BCC value. I've changed Samba4 to do the same to allow MacOSX to
work.
I've limited this change to non-chained packets to ensure we don't get
the possibility of exploits based on overlapping chained requests
-rw-r--r-- | source4/smb_server/smb/receive.c | 21 |
1 files changed, 8 insertions, 13 deletions
diff --git a/source4/smb_server/smb/receive.c b/source4/smb_server/smb/receive.c index 03631f8f0b..9a039095e6 100644 --- a/source4/smb_server/smb/receive.c +++ b/source4/smb_server/smb/receive.c @@ -407,19 +407,14 @@ NTSTATUS smbsrv_recv_smb_request(void *private_data, DATA_BLOB blob) req->in.data = req->in.vwv + VWV(req->in.wct) + 2; req->in.data_size = SVAL(req->in.vwv, VWV(req->in.wct)); - /* the bcc length is only 16 bits, but some packets - (such as SMBwriteX) can be much larger than 64k. We - detect this by looking for a large non-chained NBT - packet (at least 64k bigger than what is - specified). If it is detected then the NBT size is - used instead of the bcc size */ - if (req->in.data_size + 0x10000 <= - req->in.size - PTR_DIFF(req->in.data, req->in.buffer) && - ( message_flags(command) & LARGE_REQUEST) && - ( !(message_flags(command) & AND_X) || - (req->in.wct < 1 || SVAL(req->in.vwv, VWV(0)) == SMB_CHAIN_NONE) ) - ) { - /* its an oversized packet! fun for all the family */ + /* special handling for oversize calls. Windows seems + to take the maximum of the BCC value and the + computed buffer size. This handles oversized writeX + calls, and possibly oversized SMBtrans calls */ + if ((message_flags(command) & LARGE_REQUEST) && + ( !(message_flags(command) & AND_X) || + (req->in.wct < 1 || SVAL(req->in.vwv, VWV(0)) == SMB_CHAIN_NONE)) && + req->in.data_size < req->in.size - PTR_DIFF(req->in.data,req->in.buffer)) { req->in.data_size = req->in.size - PTR_DIFF(req->in.data,req->in.buffer); } } |