From eb8634b2f02bb0134435a964bb9687f0de32b349 Mon Sep 17 00:00:00 2001
From: Andrew Tridgell
Date: Sat, 31 May 2008 13:39:51 +1000
Subject: check for requested buffer size in getinfo call
(This used to be commit ed8f16379d01d3dffd2645e2b275aa27507dfec9)
---
 source4/smb_server/smb2/fileinfo.c | 5 +++++
 source4/torture/smb2/getinfo.c | 35 +++++++++++++++++++++++++++++++++++
 2 files changed, 40 insertions(+)
diff --git a/source4/smb_server/smb2/fileinfo.c b/source4/smb_server/smb2/fileinfo.c
index 942000133c..6c4b8f33d5 100644
--- a/source4/smb_server/smb2/fileinfo.c
+++ b/source4/smb_server/smb2/fileinfo.c
@@ -53,6 +53,11 @@ static void smb2srv_getinfo_send(struct ntvfs_request *ntvfs)
 SMB2SRV_CHECK(op->send_fn(op));
 }
+ if (op->info->in.output_buffer_length < op->info->out.blob.length) {
+ smb2srv_send_error(req, NT_STATUS_INFO_LENGTH_MISMATCH);
+ return;
+ }
+
 SMB2SRV_CHECK(smb2srv_setup_reply(req, 0x08, true, op->info->out.blob.length));
 SMB2SRV_CHECK(smb2_push_o16s32_blob(&req->out, 0x02, op->info->out.blob));
diff --git a/source4/torture/smb2/getinfo.c b/source4/torture/smb2/getinfo.c
index 906d6e4f8d..5b35d7e693 100644
--- a/source4/torture/smb2/getinfo.c
+++ b/source4/torture/smb2/getinfo.c
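Review bot: The added check in smb2srv_getinfo_send (source4/smb_server/smb2/fileinfo.c) rejects an oversized reply only after `op->send_fn(op)` has run and the whole `op->info->out.blob` exists, so the client-supplied `output_buffer_length` bounds what is sent but not what the server computes. It also maps every shortfall to NT_STATUS_INFO_LENGTH_MISMATCH; if some variable-length info classes are expected to return a truncated reply with a different status, that case needs its own branch, which is worth confirming against the protocol specification. A comment above the check would record the intent, e.g. `/* never return more data than the client's output_buffer_length allows */`. The function body starts and ends outside the hunk, so whether the limit is also checked earlier cannot be seen here.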
@@ -167,6 +167,40 @@ static bool torture_smb2_fsinfo(struct smb2_tree *tree)
 }
+/*
+ test for buffer size handling
+*/
+static bool torture_smb2_buffercheck(struct smb2_tree *tree)
+{
+ NTSTATUS status;
+ struct smb2_handle handle;
+ struct smb2_getinfo b;
+
+ printf("Testing buffer size handling\n");
+ status = smb2_util_roothandle(tree, &handle);
+ if (!NT_STATUS_IS_OK(status)) {
+ printf(__location__ " Unable to create root handle - %s\n", nt_errstr(status));
+ return false;
+ }
+
+ ZERO_STRUCT(b);
+ b.in.info_type = SMB2_GETINFO_FS;
+ b.in.info_class = 1;
+ b.in.output_buffer_length = 0x1;
+ b.in.input_buffer_length = 0;
+ b.in.file.handle = handle;
+
+ status = smb2_getinfo(tree, tree, &b);
+ if (!NT_STATUS_EQUAL(status, NT_STATUS_INFO_LENGTH_MISMATCH)) {
+ printf(__location__ " Wrong error code for small buffer %s\n",
+ nt_errstr(status));
+ return false;
+ }
+
+ return true;
+}
+
+
 /* basic testing of all SMB2 getinfo levels */
 bool torture_smb2_getinfo(struct torture_context *torture)
@@ -196,6 +230,7 @@ bool torture_smb2_getinfo(struct torture_context *torture)
 ret &= torture_smb2_fileinfo(torture, tree);
 ret &= torture_smb2_fsinfo(tree);
+ ret &= torture_smb2_buffercheck(tree);
 talloc_free(mem_ctx);
-- cgit
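Review bot: torture_smb2_buffercheck exercises only one point, `b.in.output_buffer_length = 0x1` for a single FS info class, so it would still pass if the server's `<` comparison were off by one or if a zero length were mishandled. Adding cases for a length of 0, for one byte below the real reply size, and for exactly the reply size (which must succeed) would pin the boundary the server-side check enforces. The handle obtained from smb2_util_roothandle is not closed on any path visible in the hunk, and `b.in.info_class = 1` would read better with a named constant or a short comment saying which FS level it selects.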