mirror of
https://github.com/samba-team/samba.git
synced 2024-12-22 13:34:15 +03:00
libcli/smb: allow unexpected padding in SMB2 READ responses
Make use of smb2cli_parse_dyn_buffer() in smb2cli_read_done() as it was exactly introduced for a similar problem see: commit4c6c71e137
Author: Stefan Metzmacher <metze@samba.org> AuthorDate: Thu Jan 14 17:32:15 2021 +0100 Commit: Volker Lendecke <vl@samba.org> CommitDate: Fri Jan 15 08:36:34 2021 +0000 libcli/smb: allow unexpected padding in SMB2 IOCTL responses A NetApp Ontap 7.3.7 SMB server add 8 padding bytes to an offset that's already 8 byte aligned. RN: Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14607 Pair-Programmed-With: Volker Lendecke <vl@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org> Signed-off-by: Volker Lendecke <vl@samba.org> Autobuild-User(master): Volker Lendecke <vl@samba.org> Autobuild-Date(master): Fri Jan 15 08:36:34 UTC 2021 on sn-devel-184 RN: Work around special SMB2 READ response behavior of NetApp Ontap 7.3.7 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14607 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Thu Jul 15 23:53:55 UTC 2021 on sn-devel-184 (cherry picked from commit155348cda6
) Autobuild-User(v4-14-test): Jule Anger <janger@samba.org> Autobuild-Date(v4-14-test): Thu Aug 12 09:39:40 UTC 2021 on sn-devel-184
This commit is contained in:
parent
a095a2d960
commit
25f3cb8c97
@ -90,8 +90,13 @@ static void smb2cli_read_done(struct tevent_req *subreq)
|
||||
tevent_req_data(req,
|
||||
struct smb2cli_read_state);
|
||||
NTSTATUS status;
|
||||
NTSTATUS error;
|
||||
struct iovec *iov;
|
||||
const uint8_t dyn_ofs = SMB2_HDR_BODY + 0x10;
|
||||
DATA_BLOB dyn_buffer = data_blob_null;
|
||||
uint8_t data_offset;
|
||||
DATA_BLOB data_buffer = data_blob_null;
|
||||
uint32_t next_offset = 0; /* this variable is completely ignored */
|
||||
static const struct smb2cli_req_expected_response expected[] = {
|
||||
{
|
||||
.status = STATUS_BUFFER_OVERFLOW,
|
||||
@ -117,14 +122,23 @@ static void smb2cli_read_done(struct tevent_req *subreq)
|
||||
data_offset = CVAL(iov[1].iov_base, 2);
|
||||
state->data_length = IVAL(iov[1].iov_base, 4);
|
||||
|
||||
if ((data_offset != SMB2_HDR_BODY + 16) ||
|
||||
(state->data_length > iov[2].iov_len)) {
|
||||
tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
|
||||
dyn_buffer = data_blob_const((uint8_t *)iov[2].iov_base,
|
||||
iov[2].iov_len);
|
||||
|
||||
error = smb2cli_parse_dyn_buffer(dyn_ofs,
|
||||
dyn_buffer,
|
||||
dyn_ofs, /* min_offset */
|
||||
data_offset,
|
||||
state->data_length,
|
||||
dyn_buffer.length, /* max_length */
|
||||
&next_offset,
|
||||
&data_buffer);
|
||||
if (tevent_req_nterror(req, error)) {
|
||||
return;
|
||||
}
|
||||
|
||||
state->recv_iov = iov;
|
||||
state->data = (uint8_t *)iov[2].iov_base;
|
||||
state->data = data_buffer.data;
|
||||
|
||||
state->out_valid = true;
|
||||
|
||||
|
@ -1 +0,0 @@
|
||||
samba3.smb2.read.bug14607
|
Loading…
Reference in New Issue
Block a user