summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndrew Tridgell <tridge@samba.org>2008-05-31 13:39:51 +1000
committerAndrew Tridgell <tridge@samba.org>2008-05-31 13:39:51 +1000
commiteb8634b2f02bb0134435a964bb9687f0de32b349 (patch)
tree6c602331836e19f6d6315971c412681d951fc49f
parent57b7b0fcf64f9d6d3393ee379f8c34a2c369674c (diff)
downloadsamba-eb8634b2f02bb0134435a964bb9687f0de32b349.tar.gz
samba-eb8634b2f02bb0134435a964bb9687f0de32b349.tar.bz2
samba-eb8634b2f02bb0134435a964bb9687f0de32b349.zip
check for requested buffer size in getinfo call
(This used to be commit ed8f16379d01d3dffd2645e2b275aa27507dfec9)
-rw-r--r--source4/smb_server/smb2/fileinfo.c5
-rw-r--r--source4/torture/smb2/getinfo.c35
2 files changed, 40 insertions, 0 deletions
diff --git a/source4/smb_server/smb2/fileinfo.c b/source4/smb_server/smb2/fileinfo.c
index 942000133c..6c4b8f33d5 100644
--- a/source4/smb_server/smb2/fileinfo.c
+++ b/source4/smb_server/smb2/fileinfo.c
@@ -53,6 +53,11 @@ static void smb2srv_getinfo_send(struct ntvfs_request *ntvfs)
SMB2SRV_CHECK(op->send_fn(op));
}
+ if (op->info->in.output_buffer_length < op->info->out.blob.length) {
+ smb2srv_send_error(req, NT_STATUS_INFO_LENGTH_MISMATCH);
+ return;
+ }
+
SMB2SRV_CHECK(smb2srv_setup_reply(req, 0x08, true, op->info->out.blob.length));
SMB2SRV_CHECK(smb2_push_o16s32_blob(&req->out, 0x02, op->info->out.blob));
diff --git a/source4/torture/smb2/getinfo.c b/source4/torture/smb2/getinfo.c
index 906d6e4f8d..5b35d7e693 100644
--- a/source4/torture/smb2/getinfo.c
+++ b/source4/torture/smb2/getinfo.c
@@ -167,6 +167,40 @@ static bool torture_smb2_fsinfo(struct smb2_tree *tree)
}
+/*
+ test for buffer size handling
+*/
+static bool torture_smb2_buffercheck(struct smb2_tree *tree)
+{
+ NTSTATUS status;
+ struct smb2_handle handle;
+ struct smb2_getinfo b;
+
+ printf("Testing buffer size handling\n");
+ status = smb2_util_roothandle(tree, &handle);
+ if (!NT_STATUS_IS_OK(status)) {
+ printf(__location__ " Unable to create root handle - %s\n", nt_errstr(status));
+ return false;
+ }
+
+ ZERO_STRUCT(b);
+ b.in.info_type = SMB2_GETINFO_FS;
+ b.in.info_class = 1;
+ b.in.output_buffer_length = 0x1;
+ b.in.input_buffer_length = 0;
+ b.in.file.handle = handle;
+
+ status = smb2_getinfo(tree, tree, &b);
+ if (!NT_STATUS_EQUAL(status, NT_STATUS_INFO_LENGTH_MISMATCH)) {
+ printf(__location__ " Wrong error code for small buffer %s\n",
+ nt_errstr(status));
+ return false;
+ }
+
+ return true;
+}
+
+
/* basic testing of all SMB2 getinfo levels
*/
bool torture_smb2_getinfo(struct torture_context *torture)
@@ -196,6 +230,7 @@ bool torture_smb2_getinfo(struct torture_context *torture)
ret &= torture_smb2_fileinfo(torture, tree);
ret &= torture_smb2_fsinfo(tree);
+ ret &= torture_smb2_buffercheck(tree);
talloc_free(mem_ctx);