From 155348cda65b441a6c4db1ed84dbf1682d02973c Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 29 Jun 2021 15:42:56 +0200 Subject: [PATCH] libcli/smb: allow unexpected padding in SMB2 READ responses Make use of smb2cli_parse_dyn_buffer() in smb2cli_read_done() as it was exactly introduced for a similar problem see: commit 4c6c71e1378401d66bf2ed230544a75f7b04376f Author: Stefan Metzmacher AuthorDate: Thu Jan 14 17:32:15 2021 +0100 Commit: Volker Lendecke CommitDate: Fri Jan 15 08:36:34 2021 +0000 libcli/smb: allow unexpected padding in SMB2 IOCTL responses A NetApp Ontap 7.3.7 SMB server add 8 padding bytes to an offset that's already 8 byte aligned. RN: Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14607 Pair-Programmed-With: Volker Lendecke Signed-off-by: Stefan Metzmacher Signed-off-by: Volker Lendecke Autobuild-User(master): Volker Lendecke Autobuild-Date(master): Fri Jan 15 08:36:34 UTC 2021 on sn-devel-184 RN: Work around special SMB2 READ response behavior of NetApp Ontap 7.3.7 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14607 Signed-off-by: Stefan Metzmacher Reviewed-by: Jeremy Allison Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Thu Jul 15 23:53:55 UTC 2021 on sn-devel-184 --- libcli/smb/smb2cli_read.c | 22 ++++++++++++++++++---- selftest/knownfail.d/smb2-read-bug14607 | 1 - 2 files changed, 18 insertions(+), 5 deletions(-) delete mode 100644 selftest/knownfail.d/smb2-read-bug14607 diff --git a/libcli/smb/smb2cli_read.c b/libcli/smb/smb2cli_read.c index 8110b65d432..c7f48741b87 100644 --- a/libcli/smb/smb2cli_read.c +++ b/libcli/smb/smb2cli_read.c 
@@ -90,8 +90,13 @@ static void smb2cli_read_done(struct tevent_req *subreq) tevent_req_data(req, struct smb2cli_read_state); NTSTATUS status; + NTSTATUS error; struct iovec *iov; + const uint8_t dyn_ofs = SMB2_HDR_BODY + 0x10; + DATA_BLOB dyn_buffer = data_blob_null; uint8_t data_offset; + DATA_BLOB data_buffer = data_blob_null; + uint32_t next_offset = 0; /* this variable is completely ignored */ static const struct smb2cli_req_expected_response expected[] = { { .status = STATUS_BUFFER_OVERFLOW, @@ -117,14 +122,23 @@ static void smb2cli_read_done(struct tevent_req *subreq) data_offset = CVAL(iov[1].iov_base, 2); state->data_length = IVAL(iov[1].iov_base, 4); - if ((data_offset != SMB2_HDR_BODY + 16) || - (state->data_length > iov[2].iov_len)) { - tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); + dyn_buffer = data_blob_const((uint8_t *)iov[2].iov_base, + iov[2].iov_len); + + error = smb2cli_parse_dyn_buffer(dyn_ofs, + dyn_buffer, + dyn_ofs, /* min_offset */ + data_offset, + state->data_length, + dyn_buffer.length, /* max_length */ + &next_offset, + &data_buffer); + if (tevent_req_nterror(req, error)) { return; } state->recv_iov = iov; - state->data = (uint8_t *)iov[2].iov_base; + state->data = data_buffer.data; state->out_valid = true; diff --git a/selftest/knownfail.d/smb2-read-bug14607 b/selftest/knownfail.d/smb2-read-bug14607 deleted file mode 100644 index 05b8adfa8cd..00000000000 --- a/selftest/knownfail.d/smb2-read-bug14607 +++ /dev/null @@ -1 +0,0 @@ -samba3.smb2.read.bug14607
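Review bot: The two new locals in the first hunk of smb2cli_read_done() carry meaning the reader has to reconstruct: `dyn_ofs` hard-codes `SMB2_HDR_BODY + 0x10` in a `uint8_t`, and `next_offset` is commented only as "completely ignored". I would say why in each comment, for example `/* fixed READ response body is 0x10 bytes, the data buffer starts right after it */` on `dyn_ofs` and `/* out-parameter required by smb2cli_parse_dyn_buffer(), not needed for READ */` on `next_offset`. Because `dyn_ofs` is also the lower bound handed to the parser for a server-controlled offset, a wider type such as `uint32_t` would avoid silent truncation if either constant ever changes; the helper's prototype is not visible here, so confirm against it. The function body starts and ends outside this hunk.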
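Review bot: After the new smb2cli_parse_dyn_buffer() call in the second hunk, `state->data` is taken from the validated `data_buffer`, but `state->data_length` still holds the raw wire value read with `IVAL(iov[1].iov_base, 4)`. If the helper can return success with an empty or differently sized blob (for instance if it tolerates a zero offset; its body is not part of this patch, so this needs checking), callers would get a NULL or short pointer paired with a server-chosen length. Assigning the length from the parsed result keeps the pair consistent: `state->data_length = data_buffer.length;` next to `state->data = data_buffer.data;`. The removed check rejected every offset other than `SMB2_HDR_BODY + 16`, so a selftest case should confirm that a response with a misaligned or out-of-range `data_offset` still ends in NT_STATUS_INVALID_NETWORK_RESPONSE. The function body starts and ends outside this hunk.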