mirror of
https://github.com/samba-team/samba.git
synced 2025-01-10 01:18:15 +03:00
libcli/smb: allow unexpected padding in SMB2 READ responses
Make use of smb2cli_parse_dyn_buffer() in smb2cli_read_done()
as it was exactly introduced for a similar problem see:
commit 4c6c71e137
Author: Stefan Metzmacher <metze@samba.org>
AuthorDate: Thu Jan 14 17:32:15 2021 +0100
Commit: Volker Lendecke <vl@samba.org>
CommitDate: Fri Jan 15 08:36:34 2021 +0000
libcli/smb: allow unexpected padding in SMB2 IOCTL responses
A NetApp Ontap 7.3.7 SMB server add 8 padding bytes to an
offset that's already 8 byte aligned.
RN: Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14607
Pair-Programmed-With: Volker Lendecke <vl@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Fri Jan 15 08:36:34 UTC 2021 on sn-devel-184
RN: Work around special SMB2 READ response behavior of NetApp Ontap 7.3.7
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14607
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jul 15 23:53:55 UTC 2021 on sn-devel-184
This commit is contained in:
parent
1faf15b3d0
commit
155348cda6
@ -90,8 +90,13 @@ static void smb2cli_read_done(struct tevent_req *subreq)
|
||||
tevent_req_data(req,
|
||||
struct smb2cli_read_state);
|
||||
NTSTATUS status;
|
||||
NTSTATUS error;
|
||||
struct iovec *iov;
|
||||
const uint8_t dyn_ofs = SMB2_HDR_BODY + 0x10;
|
||||
DATA_BLOB dyn_buffer = data_blob_null;
|
||||
uint8_t data_offset;
|
||||
DATA_BLOB data_buffer = data_blob_null;
|
||||
uint32_t next_offset = 0; /* this variable is completely ignored */
|
||||
static const struct smb2cli_req_expected_response expected[] = {
|
||||
{
|
||||
.status = STATUS_BUFFER_OVERFLOW,
|
||||
@ -117,14 +122,23 @@ static void smb2cli_read_done(struct tevent_req *subreq)
|
||||
data_offset = CVAL(iov[1].iov_base, 2);
|
||||
state->data_length = IVAL(iov[1].iov_base, 4);
|
||||
|
||||
if ((data_offset != SMB2_HDR_BODY + 16) ||
|
||||
(state->data_length > iov[2].iov_len)) {
|
||||
tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
|
||||
dyn_buffer = data_blob_const((uint8_t *)iov[2].iov_base,
|
||||
iov[2].iov_len);
|
||||
|
||||
error = smb2cli_parse_dyn_buffer(dyn_ofs,
|
||||
dyn_buffer,
|
||||
dyn_ofs, /* min_offset */
|
||||
data_offset,
|
||||
state->data_length,
|
||||
dyn_buffer.length, /* max_length */
|
||||
&next_offset,
|
||||
&data_buffer);
|
||||
if (tevent_req_nterror(req, error)) {
|
||||
return;
|
||||
}
|
||||
|
||||
state->recv_iov = iov;
|
||||
state->data = (uint8_t *)iov[2].iov_base;
|
||||
state->data = data_buffer.data;
|
||||
|
||||
state->out_valid = true;
|
||||
|
||||
|
@ -1 +0,0 @@
|
||||
samba3.smb2.read.bug14607
|
Loading…
Reference in New Issue
Block a user