From 275f32ae2df333c089343dd20fc4efee1bed2b7b Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 14 Apr 2008 11:31:17 +0200 Subject: fill in unknown fields in SMB2 READ call (This used to be commit 9b686c138037f613da15168d0722786e00f023e5) --- source4/smb_server/smb2/fileio.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) (limited to 'source4/smb_server') diff --git a/source4/smb_server/smb2/fileio.c b/source4/smb_server/smb2/fileio.c index 0e3df56b42..8f8b4e771c 100644 --- a/source4/smb_server/smb2/fileio.c +++ b/source4/smb_server/smb2/fileio.c @@ -167,7 +167,8 @@ static void smb2srv_read_send(struct ntvfs_request *ntvfs) /* TODO: avoid the memcpy */ SMB2SRV_CHECK(smb2_push_o16s32_blob(&req->out, 0x02, io->smb2.out.data)); - SBVAL(req->out.body, 0x08, io->smb2.out.unknown1); + SIVAL(req->out.body, 0x08, io->smb2.out.remaining); + SIVAL(req->out.body, 0x0C, io->smb2.out.reserved); smb2srv_send_reply(req); } @@ -185,8 +186,11 @@ void smb2srv_read_recv(struct smb2srv_request *req) io->smb2.in.length = IVAL(req->in.body, 0x04); io->smb2.in.offset = BVAL(req->in.body, 0x08); io->smb2.in.file.ntvfs = smb2srv_pull_handle(req, req->in.body, 0x10); - io->smb2.in.unknown1 = BVAL(req->in.body, 0x20); - io->smb2.in.unknown2 = BVAL(req->in.body, 0x28); + io->smb2.in.min_count = IVAL(req->in.body, 0x20); + io->smb2.in.channel = IVAL(req->in.body, 0x24); + io->smb2.in.remaining = IVAL(req->in.body, 0x28); + io->smb2.in.channel_offset = SVAL(req->in.body, 0x2C); + io->smb2.in.channel_length = SVAL(req->in.body, 0x2E); SMB2SRV_CHECK_FILE_HANDLE(io->smb2.in.file.ntvfs); -- cgit From e9017ba418202b4b191c5a9ad4a96857558ce606 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Mon, 14 Apr 2008 17:22:58 +0200 Subject: Use _OBJ_FILES variables in a couple more places. (This used to be commit 92856d5054106894b65cd1a1b5119c0facfc4cff) --- source4/smb_server/config.mk | 16 +++++++++------- source4/smb_server/smb/config.mk | 14 ++++++++------ source4/smb_server/smb2/config.mk | 14 ++++++++------ 3 files changed, 25 insertions(+), 19 deletions(-) (limited to 'source4/smb_server') diff --git a/source4/smb_server/config.mk b/source4/smb_server/config.mk index 85c969df59..8b6ae308f9 100644 --- a/source4/smb_server/config.mk +++ b/source4/smb_server/config.mk @@ -3,19 +3,14 @@ [MODULE::SERVICE_SMB] INIT_FUNCTION = server_service_smb_init SUBSYSTEM = service -OBJ_FILES = smb_server.o PRIVATE_PROTO_HEADER = service_smb_proto.h PRIVATE_DEPENDENCIES = SMB_SERVER +SERVICE_SMB_OBJ_FILES = smb_server/smb_server.o + ####################### # Start SUBSYSTEM SMB [SUBSYSTEM::SMB_SERVER] -OBJ_FILES = \ - handle.o \ - tcon.o \ - session.o \ - blob.o \ - management.o PRIVATE_PROTO_HEADER = smb_server_proto.h PUBLIC_DEPENDENCIES = \ share \ @@ -25,5 +20,12 @@ PUBLIC_DEPENDENCIES = \ # End SUBSYSTEM SMB ####################### +SMB_SERVER_OBJ_FILES = $(addprefix smb_server/, \ + handle.o \ + tcon.o \ + session.o \ + blob.o \ + management.o) + mkinclude smb/config.mk mkinclude smb2/config.mk diff --git a/source4/smb_server/smb/config.mk b/source4/smb_server/smb/config.mk index 7927f295b9..3d4aa8ba38 100644 --- a/source4/smb_server/smb/config.mk +++ b/source4/smb_server/smb/config.mk @@ -2,7 +2,12 @@ # Start SUBSYSTEM SMB_PROTOCOL [SUBSYSTEM::SMB_PROTOCOL] PRIVATE_PROTO_HEADER = smb_proto.h -OBJ_FILES = \ +PUBLIC_DEPENDENCIES = \ + ntvfs LIBPACKET CREDENTIALS +# End SUBSYSTEM SMB_PROTOCOL +####################### + +SMB_PROTOCOL_OBJ_FILES = $(addprefix smb_server/smb/, \ receive.o \ negprot.o \ nttrans.o \ @@ -13,8 +18,5 @@ OBJ_FILES = \ sesssetup.o \ srvtime.o \ trans2.o \ - signing.o -PUBLIC_DEPENDENCIES = \ - ntvfs LIBPACKET CREDENTIALS -# End SUBSYSTEM SMB_PROTOCOL -####################### + signing.o) + diff --git a/source4/smb_server/smb2/config.mk b/source4/smb_server/smb2/config.mk index d5ba43b3a8..c9ba3269fa 100644 --- a/source4/smb_server/smb2/config.mk +++ b/source4/smb_server/smb2/config.mk @@ -2,7 +2,12 @@ # Start SUBSYSTEM SMB2_PROTOCOL [SUBSYSTEM::SMB2_PROTOCOL] PRIVATE_PROTO_HEADER = smb2_proto.h -OBJ_FILES = \ +PUBLIC_DEPENDENCIES = \ + ntvfs LIBPACKET LIBCLI_SMB2 +# End SUBSYSTEM SMB2_PROTOCOL +####################### + +SMB2_PROTOCOL_OBJ_FILES = $(addprefix smb_server/smb2/, \ receive.o \ negprot.o \ sesssetup.o \ @@ -10,8 +15,5 @@ OBJ_FILES = \ fileio.o \ fileinfo.o \ find.o \ - keepalive.o -PUBLIC_DEPENDENCIES = \ - ntvfs LIBPACKET LIBCLI_SMB2 -# End SUBSYSTEM SMB2_PROTOCOL -####################### + keepalive.o) + -- cgit From 79b2980cf5de19c682d30025f29a421a4b656cf6 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 16 Apr 2008 19:26:52 +0200 Subject: smb_server/smb2: initialize new create.in.blobs element untill it'll be supported metze (This used to be commit fbfbd74e65b1f3e185f08a538bdd50ba7c6ce9bf) --- source4/smb_server/smb2/fileio.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/smb_server') diff --git a/source4/smb_server/smb2/fileio.c b/source4/smb_server/smb2/fileio.c index 8f8b4e771c..af1a413009 100644 --- a/source4/smb_server/smb2/fileio.c +++ b/source4/smb_server/smb2/fileio.c @@ -79,6 +79,7 @@ void smb2srv_create_recv(struct smb2srv_request *req) SMB2SRV_CHECK(smb2_pull_o32s32_blob(&req->in, io, req->in.body+0x30, &blob)); /* TODO: parse the blob */ ZERO_STRUCT(io->smb2.in.eas); + ZERO_STRUCT(io->smb2.in.blobs); /* the VFS backend does not yet handle NULL filenames */ if (io->smb2.in.fname == NULL) { -- cgit From 769ebe91711330d5b75f9632c2b1d1847dd32a15 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Thu, 17 Apr 2008 09:37:29 +0200 Subject: make smb2 read and write size configurable (This used to be commit 2090e75e0c28f8d2aada305059bdb455f42ed0d5) --- source4/smb_server/smb2/negprot.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) (limited to 'source4/smb_server') diff --git a/source4/smb_server/smb2/negprot.c b/source4/smb_server/smb2/negprot.c index e7352f7c42..4479ae2da1 100644 --- a/source4/smb_server/smb2/negprot.c +++ b/source4/smb_server/smb2/negprot.c @@ -114,9 +114,12 @@ static NTSTATUS smb2srv_negprot_backend(struct smb2srv_request *req, struct smb2 io->out.security_mode = 0; /* no signing yet */ io->out.dialect_revision = SMB2_DIALECT_REVISION; io->out.capabilities = 0; - io->out.max_transact_size = 0x10000; - io->out.max_read_size = 0x10000; - io->out.max_write_size = 0x10000; + io->out.max_transact_size = lp_parm_ulong(req->smb_conn->lp_ctx, NULL, + "smb2", "max transaction size", 0x10000); + io->out.max_read_size = lp_parm_ulong(req->smb_conn->lp_ctx, NULL, + "smb2", "max read size", 0x10000); + io->out.max_write_size = lp_parm_ulong(req->smb_conn->lp_ctx, NULL, + "smb2", "max write size", 0x10000); io->out.system_time = timeval_to_nttime(¤t_time); io->out.server_start_time = timeval_to_nttime(&boot_time); io->out.reserved2 = 0; -- cgit From 21fc7673780aa1d7c0caab7b17ff9171238913ba Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Thu, 17 Apr 2008 12:23:44 +0200 Subject: Specify event_context to ldb_wrap_connect explicitly. (This used to be commit b4e1ae07a284c044704322446c94351c2decff91) --- source4/smb_server/smb/sesssetup.c | 5 +++-- source4/smb_server/smb_server.c | 3 ++- 2 files changed, 5 insertions(+), 3 deletions(-) (limited to 'source4/smb_server') diff --git a/source4/smb_server/smb/sesssetup.c b/source4/smb_server/smb/sesssetup.c index de2141b808..2c4068bda5 100644 --- a/source4/smb_server/smb/sesssetup.c +++ b/source4/smb_server/smb/sesssetup.c @@ -70,7 +70,7 @@ static void sesssetup_old_send(struct auth_check_password_request *areq, if (!NT_STATUS_IS_OK(status)) goto failed; /* This references server_info into session_info */ - status = auth_generate_session_info(req, req->smb_conn->lp_ctx, + status = auth_generate_session_info(req, req->smb_conn->connection->event.ctx, req->smb_conn->lp_ctx, server_info, &session_info); if (!NT_STATUS_IS_OK(status)) goto failed; @@ -166,7 +166,8 @@ static void sesssetup_nt1_send(struct auth_check_password_request *areq, if (!NT_STATUS_IS_OK(status)) goto failed; /* This references server_info into session_info */ - status = auth_generate_session_info(req, req->smb_conn->lp_ctx, + status = auth_generate_session_info(req, req->smb_conn->connection->event.ctx, + req->smb_conn->lp_ctx, server_info, &session_info); if (!NT_STATUS_IS_OK(status)) goto failed; diff --git a/source4/smb_server/smb_server.c b/source4/smb_server/smb_server.c index 4f8e628f74..367557dbb7 100644 --- a/source4/smb_server/smb_server.c +++ b/source4/smb_server/smb_server.c @@ -157,6 +157,7 @@ static void smbsrv_accept(struct stream_connection *conn) smbsrv_management_init(smb_conn); if (!NT_STATUS_IS_OK(share_get_context_by_name(smb_conn, lp_share_backend(smb_conn->lp_ctx), + smb_conn->connection->event.ctx, smb_conn->lp_ctx, &(smb_conn->share_context)))) { smbsrv_terminate_connection(smb_conn, "share_init failed!"); return; @@ -206,7 +207,7 @@ static void smbsrv_preopen_ldb(struct task_server *task) /* yes, this looks strange. It is a hack to preload the schema. I'd like to share most of the ldb context with the child too. That will come later */ - talloc_free(samdb_connect(task, task->lp_ctx, NULL)); + talloc_free(samdb_connect(task, task->event_ctx, task->lp_ctx, NULL)); } /* -- cgit From 11703b298685c9984a6a3c3a64eddb8a1a516b90 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Thu, 17 Apr 2008 15:20:39 +0200 Subject: fix the overflow/wrap checks in Samba4 for new gcc optimisation behavior The approach I have used is as set out in https://www.securecoding.cert.org/confluence/display/seccode/ARR38-C.+Do+not+add+or+subtract+an+integer+to+a+pointer+if+the+resulting+value+does+not+refer+to+an+element+within+the+array (This used to be commit 92d5fb531db39be655f0cbd2d75b5f675a0a4cfa) --- source4/smb_server/smb/request.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source4/smb_server') diff --git a/source4/smb_server/smb/request.c b/source4/smb_server/smb/request.c index 87073517dd..c7fa2d7d8a 100644 --- a/source4/smb_server/smb/request.c +++ b/source4/smb_server/smb/request.c @@ -651,10 +651,10 @@ bool req_data_oob(struct request_bufinfo *bufinfo, const uint8_t *ptr, uint32_t } /* be careful with wraparound! */ - if (ptr < bufinfo->data || - ptr >= bufinfo->data + bufinfo->data_size || + if ((uintptr_t)ptr < (uintptr_t)bufinfo->data || + (uintptr_t)ptr >= (uintptr_t)bufinfo->data + bufinfo->data_size || count > bufinfo->data_size || - ptr + count > bufinfo->data + bufinfo->data_size) { + (uintptr_t)ptr + count > (uintptr_t)bufinfo->data + bufinfo->data_size) { return true; } return false; -- cgit From 908d8daa213ecc9b3207d0573e9688ef0939b8f6 Mon Sep 17 00:00:00 2001 From: Amin Azez Date: Mon, 10 Mar 2008 10:03:38 +0000 Subject: Re-order smbsrv_recv_smb_request and smb_messages No functional change, just re-ordering so that smbsrv_recv_smb_request can refer to smb_messages in a future patch (This used to be commit d06eafea1a3e7fa61c94492cf504e6fd81da861d) --- source4/smb_server/smb/receive.c | 198 +++++++++++++++++++-------------------- 1 file changed, 99 insertions(+), 99 deletions(-) (limited to 'source4/smb_server') diff --git a/source4/smb_server/smb/receive.c b/source4/smb_server/smb/receive.c index e3d247cbc0..b11682d158 100644 --- a/source4/smb_server/smb/receive.c +++ b/source4/smb_server/smb/receive.c @@ -65,105 +65,6 @@ NTSTATUS smbsrv_send_oplock_break(void *p, struct ntvfs_handle *ntvfs, uint8_t l static void switch_message(int type, struct smbsrv_request *req); -/**************************************************************************** -receive a SMB request header from the wire, forming a request_context -from the result -****************************************************************************/ -NTSTATUS smbsrv_recv_smb_request(void *private, DATA_BLOB blob) -{ - struct smbsrv_connection *smb_conn = talloc_get_type(private, struct smbsrv_connection); - struct smbsrv_request *req; - struct timeval cur_time = timeval_current(); - uint8_t command; - - smb_conn->statistics.last_request_time = cur_time; - - /* see if its a special NBT packet */ - if (CVAL(blob.data, 0) != 0) { - req = smbsrv_init_request(smb_conn); - NT_STATUS_HAVE_NO_MEMORY(req); - - ZERO_STRUCT(req->in); - - req->in.buffer = talloc_steal(req, blob.data); - req->in.size = blob.length; - req->request_time = cur_time; - - smbsrv_reply_special(req); - return NT_STATUS_OK; - } - - if ((NBT_HDR_SIZE + MIN_SMB_SIZE) > blob.length) { - DEBUG(2,("Invalid SMB packet: length %ld\n", (long)blob.length)); - smbsrv_terminate_connection(smb_conn, "Invalid SMB packet"); - return NT_STATUS_OK; - } - - /* Make sure this is an SMB packet */ - if (IVAL(blob.data, NBT_HDR_SIZE) != SMB_MAGIC) { - DEBUG(2,("Non-SMB packet of length %ld. Terminating connection\n", - (long)blob.length)); - smbsrv_terminate_connection(smb_conn, "Non-SMB packet"); - return NT_STATUS_OK; - } - - req = smbsrv_init_request(smb_conn); - NT_STATUS_HAVE_NO_MEMORY(req); - - req->in.buffer = talloc_steal(req, blob.data); - req->in.size = blob.length; - req->request_time = cur_time; - req->chained_fnum = -1; - req->in.allocated = req->in.size; - req->in.hdr = req->in.buffer + NBT_HDR_SIZE; - req->in.vwv = req->in.hdr + HDR_VWV; - req->in.wct = CVAL(req->in.hdr, HDR_WCT); - if (req->in.vwv + VWV(req->in.wct) <= req->in.buffer + req->in.size) { - req->in.data = req->in.vwv + VWV(req->in.wct) + 2; - req->in.data_size = SVAL(req->in.vwv, VWV(req->in.wct)); - - /* the bcc length is only 16 bits, but some packets - (such as SMBwriteX) can be much larger than 64k. We - detect this by looking for a large non-chained NBT - packet (at least 64k bigger than what is - specified). If it is detected then the NBT size is - used instead of the bcc size */ - if (req->in.data_size + 0x10000 <= - req->in.size - PTR_DIFF(req->in.data, req->in.buffer) && - (req->in.wct < 1 || SVAL(req->in.vwv, VWV(0)) == SMB_CHAIN_NONE)) { - /* its an oversized packet! fun for all the family */ - req->in.data_size = req->in.size - PTR_DIFF(req->in.data,req->in.buffer); - } - } - - if (NBT_HDR_SIZE + MIN_SMB_SIZE + 2*req->in.wct > req->in.size) { - DEBUG(2,("Invalid SMB word count %d\n", req->in.wct)); - smbsrv_terminate_connection(req->smb_conn, "Invalid SMB packet"); - return NT_STATUS_OK; - } - - if (NBT_HDR_SIZE + MIN_SMB_SIZE + 2*req->in.wct + req->in.data_size > req->in.size) { - DEBUG(2,("Invalid SMB buffer length count %d\n", - (int)req->in.data_size)); - smbsrv_terminate_connection(req->smb_conn, "Invalid SMB packet"); - return NT_STATUS_OK; - } - - req->flags2 = SVAL(req->in.hdr, HDR_FLG2); - - /* fix the bufinfo */ - smbsrv_setup_bufinfo(req); - - if (!smbsrv_signing_check_incoming(req)) { - smbsrv_send_error(req, NT_STATUS_ACCESS_DENIED); - return NT_STATUS_OK; - } - - command = CVAL(req->in.hdr, HDR_COM); - switch_message(command, req); - return NT_STATUS_OK; -} - /* These flags determine some of the permissions required to do an operation */ @@ -441,6 +342,105 @@ static const struct smb_message_struct /* 0xff */ { NULL, NULL, 0 } }; +/**************************************************************************** +receive a SMB request header from the wire, forming a request_context +from the result +****************************************************************************/ +NTSTATUS smbsrv_recv_smb_request(void *private, DATA_BLOB blob) +{ + struct smbsrv_connection *smb_conn = talloc_get_type(private, struct smbsrv_connection); + struct smbsrv_request *req; + struct timeval cur_time = timeval_current(); + uint8_t command; + + smb_conn->statistics.last_request_time = cur_time; + + /* see if its a special NBT packet */ + if (CVAL(blob.data, 0) != 0) { + req = smbsrv_init_request(smb_conn); + NT_STATUS_HAVE_NO_MEMORY(req); + + ZERO_STRUCT(req->in); + + req->in.buffer = talloc_steal(req, blob.data); + req->in.size = blob.length; + req->request_time = cur_time; + + smbsrv_reply_special(req); + return NT_STATUS_OK; + } + + if ((NBT_HDR_SIZE + MIN_SMB_SIZE) > blob.length) { + DEBUG(2,("Invalid SMB packet: length %ld\n", (long)blob.length)); + smbsrv_terminate_connection(smb_conn, "Invalid SMB packet"); + return NT_STATUS_OK; + } + + /* Make sure this is an SMB packet */ + if (IVAL(blob.data, NBT_HDR_SIZE) != SMB_MAGIC) { + DEBUG(2,("Non-SMB packet of length %ld. Terminating connection\n", + (long)blob.length)); + smbsrv_terminate_connection(smb_conn, "Non-SMB packet"); + return NT_STATUS_OK; + } + + req = smbsrv_init_request(smb_conn); + NT_STATUS_HAVE_NO_MEMORY(req); + + req->in.buffer = talloc_steal(req, blob.data); + req->in.size = blob.length; + req->request_time = cur_time; + req->chained_fnum = -1; + req->in.allocated = req->in.size; + req->in.hdr = req->in.buffer + NBT_HDR_SIZE; + req->in.vwv = req->in.hdr + HDR_VWV; + req->in.wct = CVAL(req->in.hdr, HDR_WCT); + if (req->in.vwv + VWV(req->in.wct) <= req->in.buffer + req->in.size) { + req->in.data = req->in.vwv + VWV(req->in.wct) + 2; + req->in.data_size = SVAL(req->in.vwv, VWV(req->in.wct)); + + /* the bcc length is only 16 bits, but some packets + (such as SMBwriteX) can be much larger than 64k. We + detect this by looking for a large non-chained NBT + packet (at least 64k bigger than what is + specified). If it is detected then the NBT size is + used instead of the bcc size */ + if (req->in.data_size + 0x10000 <= + req->in.size - PTR_DIFF(req->in.data, req->in.buffer) && + (req->in.wct < 1 || SVAL(req->in.vwv, VWV(0)) == SMB_CHAIN_NONE)) { + /* its an oversized packet! fun for all the family */ + req->in.data_size = req->in.size - PTR_DIFF(req->in.data,req->in.buffer); + } + } + + if (NBT_HDR_SIZE + MIN_SMB_SIZE + 2*req->in.wct > req->in.size) { + DEBUG(2,("Invalid SMB word count %d\n", req->in.wct)); + smbsrv_terminate_connection(req->smb_conn, "Invalid SMB packet"); + return NT_STATUS_OK; + } + + if (NBT_HDR_SIZE + MIN_SMB_SIZE + 2*req->in.wct + req->in.data_size > req->in.size) { + DEBUG(2,("Invalid SMB buffer length count %d\n", + (int)req->in.data_size)); + smbsrv_terminate_connection(req->smb_conn, "Invalid SMB packet"); + return NT_STATUS_OK; + } + + req->flags2 = SVAL(req->in.hdr, HDR_FLG2); + + /* fix the bufinfo */ + smbsrv_setup_bufinfo(req); + + if (!smbsrv_signing_check_incoming(req)) { + smbsrv_send_error(req, NT_STATUS_ACCESS_DENIED); + return NT_STATUS_OK; + } + + command = CVAL(req->in.hdr, HDR_COM); + switch_message(command, req); + return NT_STATUS_OK; +} + /**************************************************************************** return a string containing the function name of a SMB command ****************************************************************************/ -- cgit From b3f974076424415014ea9bd52edcd32618e4bfb2 Mon Sep 17 00:00:00 2001 From: Amin Azez Date: Mon, 10 Mar 2008 10:06:12 +0000 Subject: Flag smb messages array with AND_X and LARGE_REQUEST If smb_messages flags show for which opcodes VWV(0) signifies chaining modes, and also which opcodes can have requests >64K then the bcc / req->in.data_size fixup in smbsrv_recv_smb_request can be more safely applied. This fix permits nttrans requests >64K to be handled. It is not yet clear if THAT is a good thing, but this fix does the current thing more nicely. (This used to be commit 8e4f16e975e192709f398c98650cbe9fe2a76261) --- source4/smb_server/smb/receive.c | 31 +++++++++++++++++++++---------- 1 file changed, 21 insertions(+), 10 deletions(-) (limited to 'source4/smb_server') diff --git a/source4/smb_server/smb/receive.c b/source4/smb_server/smb/receive.c index b11682d158..6cf33cf7c3 100644 --- a/source4/smb_server/smb/receive.c +++ b/source4/smb_server/smb/receive.c @@ -71,6 +71,10 @@ static void switch_message(int type, struct smbsrv_request *req); #define NEED_SESS (1<<0) #define NEED_TCON (1<<1) #define SIGNING_NO_REPLY (1<<2) +/* does VWV(0) of the request hold chaining information */ +#define AND_X (1<<3) +/* The 64Kb question: are requests > 64K valid? */ +#define LARGE_REQUEST (1<<4) /* define a list of possible SMB messages and their corresponding @@ -81,6 +85,7 @@ static const struct smb_message_struct { const char *name; void (*fn)(struct smbsrv_request *); +#define message_flags(type) smb_messages[(type) & 0xff].flags int flags; } smb_messages[256] = { @@ -120,7 +125,7 @@ static const struct smb_message_struct /* 0x21 */ { NULL, NULL, 0 }, /* 0x22 */ { "SMBsetattrE", smbsrv_reply_setattrE, NEED_SESS|NEED_TCON }, /* 0x23 */ { "SMBgetattrE", smbsrv_reply_getattrE, NEED_SESS|NEED_TCON }, -/* 0x24 */ { "SMBlockingX", smbsrv_reply_lockingX, NEED_SESS|NEED_TCON }, +/* 0x24 */ { "SMBlockingX", smbsrv_reply_lockingX, NEED_SESS|NEED_TCON|AND_X }, /* 0x25 */ { "SMBtrans", smbsrv_reply_trans, NEED_SESS|NEED_TCON }, /* 0x26 */ { "SMBtranss", smbsrv_reply_transs, NEED_SESS|NEED_TCON }, /* 0x27 */ { "SMBioctl", smbsrv_reply_ioctl, NEED_SESS|NEED_TCON }, @@ -129,9 +134,9 @@ static const struct smb_message_struct /* 0x2a */ { "SMBmove", NULL, NEED_SESS|NEED_TCON }, /* 0x2b */ { "SMBecho", smbsrv_reply_echo, 0 }, /* 0x2c */ { "SMBwriteclose", smbsrv_reply_writeclose, NEED_SESS|NEED_TCON }, -/* 0x2d */ { "SMBopenX", smbsrv_reply_open_and_X, NEED_SESS|NEED_TCON }, -/* 0x2e */ { "SMBreadX", smbsrv_reply_read_and_X, NEED_SESS|NEED_TCON }, -/* 0x2f */ { "SMBwriteX", smbsrv_reply_write_and_X, NEED_SESS|NEED_TCON}, +/* 0x2d */ { "SMBopenX", smbsrv_reply_open_and_X, NEED_SESS|NEED_TCON|AND_X }, +/* 0x2e */ { "SMBreadX", smbsrv_reply_read_and_X, NEED_SESS|NEED_TCON|AND_X }, +/* 0x2f */ { "SMBwriteX", smbsrv_reply_write_and_X, NEED_SESS|NEED_TCON|AND_X|LARGE_REQUEST}, /* 0x30 */ { NULL, NULL, 0 }, /* 0x31 */ { NULL, NULL, 0 }, /* 0x32 */ { "SMBtrans2", smbsrv_reply_trans2, NEED_SESS|NEED_TCON }, @@ -199,9 +204,9 @@ static const struct smb_message_struct /* 0x70 */ { "SMBtcon", smbsrv_reply_tcon, NEED_SESS }, /* 0x71 */ { "SMBtdis", smbsrv_reply_tdis, NEED_TCON }, /* 0x72 */ { "SMBnegprot", smbsrv_reply_negprot, 0 }, -/* 0x73 */ { "SMBsesssetupX", smbsrv_reply_sesssetup, 0 }, -/* 0x74 */ { "SMBulogoffX", smbsrv_reply_ulogoffX, NEED_SESS }, /* ulogoff doesn't give a valid TID */ -/* 0x75 */ { "SMBtconX", smbsrv_reply_tcon_and_X, NEED_SESS }, +/* 0x73 */ { "SMBsesssetupX", smbsrv_reply_sesssetup, AND_X }, +/* 0x74 */ { "SMBulogoffX", smbsrv_reply_ulogoffX, NEED_SESS|AND_X }, /* ulogoff doesn't give a valid TID */ +/* 0x75 */ { "SMBtconX", smbsrv_reply_tcon_and_X, NEED_SESS|AND_X }, /* 0x76 */ { NULL, NULL, 0 }, /* 0x77 */ { NULL, NULL, 0 }, /* 0x78 */ { NULL, NULL, 0 }, @@ -244,9 +249,9 @@ static const struct smb_message_struct /* 0x9d */ { NULL, NULL, 0 }, /* 0x9e */ { NULL, NULL, 0 }, /* 0x9f */ { NULL, NULL, 0 }, -/* 0xa0 */ { "SMBnttrans", smbsrv_reply_nttrans, NEED_SESS|NEED_TCON }, +/* 0xa0 */ { "SMBnttrans", smbsrv_reply_nttrans, NEED_SESS|NEED_TCON|LARGE_REQUEST }, /* 0xa1 */ { "SMBnttranss", smbsrv_reply_nttranss, NEED_SESS|NEED_TCON }, -/* 0xa2 */ { "SMBntcreateX", smbsrv_reply_ntcreate_and_X, NEED_SESS|NEED_TCON }, +/* 0xa2 */ { "SMBntcreateX", smbsrv_reply_ntcreate_and_X, NEED_SESS|NEED_TCON|AND_X }, /* 0xa3 */ { NULL, NULL, 0 }, /* 0xa4 */ { "SMBntcancel", smbsrv_reply_ntcancel, NEED_SESS|NEED_TCON|SIGNING_NO_REPLY }, /* 0xa5 */ { "SMBntrename", smbsrv_reply_ntrename, NEED_SESS|NEED_TCON }, @@ -395,6 +400,9 @@ NTSTATUS smbsrv_recv_smb_request(void *private, DATA_BLOB blob) req->in.hdr = req->in.buffer + NBT_HDR_SIZE; req->in.vwv = req->in.hdr + HDR_VWV; req->in.wct = CVAL(req->in.hdr, HDR_WCT); + + command = CVAL(req->in.hdr, HDR_COM); + if (req->in.vwv + VWV(req->in.wct) <= req->in.buffer + req->in.size) { req->in.data = req->in.vwv + VWV(req->in.wct) + 2; req->in.data_size = SVAL(req->in.vwv, VWV(req->in.wct)); @@ -407,7 +415,10 @@ NTSTATUS smbsrv_recv_smb_request(void *private, DATA_BLOB blob) used instead of the bcc size */ if (req->in.data_size + 0x10000 <= req->in.size - PTR_DIFF(req->in.data, req->in.buffer) && - (req->in.wct < 1 || SVAL(req->in.vwv, VWV(0)) == SMB_CHAIN_NONE)) { + ( message_flags(command) & LARGE_REQUEST) && + ( !(message_flags(command) & AND_X) || + (req->in.wct < 1 || SVAL(req->in.vwv, VWV(0)) == SMB_CHAIN_NONE) ) + ) { /* its an oversized packet! fun for all the family */ req->in.data_size = req->in.size - PTR_DIFF(req->in.data,req->in.buffer); } -- cgit From 8b5f03a225b7e3ab478f5de22e7a84e78c909741 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 18 Apr 2008 22:30:12 +0200 Subject: smb_server/smb2: handle incoming oplock releases metze (This used to be commit 2306394dcc22ff2be8581256a5cf91eef4993078) --- source4/smb_server/smb2/fileio.c | 31 ++++++++++++++++++++++++++++++- 1 file changed, 30 insertions(+), 1 deletion(-) (limited to 'source4/smb_server') diff --git a/source4/smb_server/smb2/fileio.c b/source4/smb_server/smb2/fileio.c index af1a413009..b6b35d3d89 100644 --- a/source4/smb_server/smb2/fileio.c +++ b/source4/smb_server/smb2/fileio.c @@ -410,7 +410,36 @@ void smb2srv_notify_recv(struct smb2srv_request *req) SMB2SRV_CALL_NTVFS_BACKEND(ntvfs_notify(req->ntvfs, io)); } +static void smb2srv_break_send(struct ntvfs_request *ntvfs) +{ + struct smb2srv_request *req; + union smb_lock *io; + + SMB2SRV_CHECK_ASYNC_STATUS_ERR(io, union smb_lock); + SMB2SRV_CHECK(smb2srv_setup_reply(req, 0x18, false, 0)); + + SCVAL(req->out.body, 0x02, io->smb2_break.out.oplock_level); + SCVAL(req->out.body, 0x03, io->smb2_break.out.reserved); + SIVAL(req->out.body, 0x04, io->smb2_break.out.reserved2); + smb2srv_push_handle(req->out.body, 0x08,io->smb2_break.out.file.ntvfs); + + smb2srv_send_reply(req); +} + void smb2srv_break_recv(struct smb2srv_request *req) { - smb2srv_send_error(req, NT_STATUS_NOT_IMPLEMENTED); + union smb_lock *io; + + SMB2SRV_CHECK_BODY_SIZE(req, 0x18, false); + SMB2SRV_TALLOC_IO_PTR(io, union smb_lock); + SMB2SRV_SETUP_NTVFS_REQUEST(smb2srv_break_send, NTVFS_ASYNC_STATE_MAY_ASYNC); + + io->smb2_break.level = RAW_LOCK_SMB2_BREAK; + io->smb2_break.in.oplock_level = CVAL(req->in.body, 0x02); + io->smb2_break.in.reserved = CVAL(req->in.body, 0x03); + io->smb2_break.in.reserved2 = IVAL(req->in.body, 0x04); + io->smb2_break.in.file.ntvfs = smb2srv_pull_handle(req, req->in.body, 0x08); + + SMB2SRV_CHECK_FILE_HANDLE(io->smb2_break.in.file.ntvfs); + SMB2SRV_CALL_NTVFS_BACKEND(ntvfs_lock(req->ntvfs, io)); } -- cgit