1
0
mirror of https://github.com/samba-team/samba.git synced 2025-01-25 06:04:04 +03:00
samba-mirror/libcli/smb/smb1cli_read.c
Stefan Metzmacher 0e8d33fb5f libcli/smb: correctly handle STATUS_BUFFER_OVERFLOW in smb1cli_readx*
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11623

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-12-01 00:38:23 +01:00

242 lines
6.9 KiB
C

/*
Unix SMB/CIFS implementation.
Copyright (C) Gregor Beck 2013
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "includes.h"
#include "system/network.h"
#include "lib/util/tevent_ntstatus.h"
#include "smb_common.h"
#include "smbXcli_base.h"
struct smb1cli_readx_state {
uint32_t size;
uint16_t vwv[12];
uint32_t received;
uint8_t *buf;
bool out_valid;
};
static void smb1cli_readx_done(struct tevent_req *subreq);
/**
* Send an asynchrounus SMB_COM_READ_ANDX request.
* <a href="http://msdn.microsoft.com/en-us/library/ee441839.aspx">MS-CIFS 2.2.4.42.1</a>,
* <a href="http://msdn.microsoft.com/en-us/library/ff470250.aspx">MS-SMB 2.2.4.2.1</a>
* @see smb1cli_readx_recv()
* @todo fix API (min/max size, timeout)
*
* @param[in] mem_ctx The memory context for the result.
* @param[in] ev The event context to work on.
* @param[in] conn The smb connection.
* @param[in] timeout_msec If positiv a timeout for the request.
* @param[in] pid The process identifier
* @param[in] tcon The smb tree connect.
* @param[in] session The smb session.
* @param[in] fnum The file id of the file the data should be read from.
* @param[in] offset The offset in bytes from the begin of file where to start reading.
* @param[in] size The number of bytes to read.
*
* @return a tevent_req or NULL
*/
struct tevent_req *smb1cli_readx_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
struct smbXcli_conn *conn,
uint32_t timeout_msec,
uint32_t pid,
struct smbXcli_tcon *tcon,
struct smbXcli_session *session,
uint16_t fnum,
uint64_t offset,
uint32_t size)
{
NTSTATUS status;
struct tevent_req *req, *subreq;
struct smb1cli_readx_state *state;
uint8_t wct = 10;
req = tevent_req_create(mem_ctx, &state, struct smb1cli_readx_state);
if (req == NULL) {
return NULL;
}
state->size = size;
SCVAL(state->vwv + 0, 0, 0xFF);
SCVAL(state->vwv + 0, 1, 0);
SSVAL(state->vwv + 1, 0, 0);
SSVAL(state->vwv + 2, 0, fnum);
SIVAL(state->vwv + 3, 0, offset);
SSVAL(state->vwv + 5, 0, size);
SSVAL(state->vwv + 6, 0, size);
SSVAL(state->vwv + 7, 0, (size >> 16));
SSVAL(state->vwv + 8, 0, 0);
SSVAL(state->vwv + 9, 0, 0);
if (smb1cli_conn_capabilities(conn) & CAP_LARGE_FILES) {
SIVAL(state->vwv + 10, 0,
(((uint64_t)offset)>>32) & 0xffffffff);
wct = 12;
} else {
if ((((uint64_t)offset) & 0xffffffff00000000LL) != 0) {
DEBUG(10, ("smb1cli_readx_send got large offset where "
"the server does not support it\n"));
tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
return tevent_req_post(req, ev);
}
}
subreq = smb1cli_req_create(state, ev, conn, SMBreadX,
0, 0, /* *_flags */
0, 0, /* *_flags2 */
timeout_msec, pid, tcon, session,
wct, state->vwv,
0, NULL);
if (tevent_req_nomem(subreq, req)) {
return tevent_req_post(req, ev);
}
tevent_req_set_callback(subreq, smb1cli_readx_done, req);
status = smb1cli_req_chain_submit(&subreq, 1);
if (tevent_req_nterror(req, status)) {
return tevent_req_post(req, ev);
}
return req;
}
static void smb1cli_readx_done(struct tevent_req *subreq)
{
struct tevent_req *req = tevent_req_callback_data(
subreq, struct tevent_req);
struct smb1cli_readx_state *state = tevent_req_data(
req, struct smb1cli_readx_state);
struct iovec *recv_iov = NULL;
uint8_t wct;
uint16_t *vwv;
uint32_t num_bytes;
uint8_t *bytes;
uint16_t data_offset;
uint32_t bytes_offset;
NTSTATUS status;
static const struct smb1cli_req_expected_response expected[] = {
{
.status = NT_STATUS_OK,
.wct = 0x0C
},
{
.status = STATUS_BUFFER_OVERFLOW,
.wct = 0x0C
},
};
status = smb1cli_req_recv(subreq, state,
&recv_iov,
NULL, /* phdr */
&wct,
&vwv,
NULL, /* pvwv_offset */
&num_bytes,
&bytes,
&bytes_offset,
NULL, /* inbuf */
expected, ARRAY_SIZE(expected));
TALLOC_FREE(subreq);
if (NT_STATUS_EQUAL(status, STATUS_BUFFER_OVERFLOW)) {
/* no error */
} else {
if (tevent_req_nterror(req, status)) {
return;
}
}
/* size is the number of bytes the server returned.
* Might be zero. */
state->received = SVAL(vwv + 5, 0);
state->received |= (((unsigned int)SVAL(vwv + 7, 0)) << 16);
if (state->received > state->size) {
DEBUG(5,("server returned more than we wanted!\n"));
tevent_req_nterror(req, NT_STATUS_UNEXPECTED_IO_ERROR);
return;
}
/*
* bcc field must be valid for small reads, for large reads the 16-bit
* bcc field can't be correct.
*/
if ((state->received < 0xffff) && (state->received > num_bytes)) {
DEBUG(5, ("server announced more bytes than sent\n"));
tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
return;
}
data_offset = SVAL(vwv+6, 0);
if (data_offset < bytes_offset) {
DEBUG(5, ("server returned invalid read&x data offset\n"));
tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
return;
}
if (smb_buffer_oob(num_bytes, data_offset - bytes_offset, state->received)) {
DEBUG(5, ("server returned invalid read&x data offset\n"));
tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
return;
}
state->buf = bytes + (data_offset - bytes_offset);
state->out_valid = true;
if (tevent_req_nterror(req, status)) {
return;
}
tevent_req_done(req);
}
/**
* Receive the response to an asynchronous SMB_COM_READ_ANDX request.
* <a href="http://msdn.microsoft.com/en-us/library/ee441872.aspx">MS-CIFS 2.2.4.42.2</a>,
* <a href="http://msdn.microsoft.com/en-us/library/ff470017.aspx">MS-SMB 2.2.4.2.2</a>
*
* @warning rcvbuf is talloced from the request, so better make sure that you
* copy it away before you talloc_free(req). rcvbuf is NOT a talloc_ctx of its
* own, so do not talloc_move it!
*
* @param[in] req A tevent request created with smb1cli_readx_send()
* @param[out] received The number of bytes received.
* @param[out] rcvbuf Pointer to the bytes received.
*
* @return NT_STATUS_OK or STATUS_BUFFER_OVERFLOW on succsess.
*/
NTSTATUS smb1cli_readx_recv(struct tevent_req *req,
uint32_t *received,
uint8_t **rcvbuf)
{
struct smb1cli_readx_state *state = tevent_req_data(
req, struct smb1cli_readx_state);
NTSTATUS status = NT_STATUS_OK;
if (tevent_req_is_nterror(req, &status) && !state->out_valid) {
*received = 0;
*rcvbuf = NULL;
return status;
}
*received = state->received;
*rcvbuf = state->buf;
return status;
}