authorJeremy Allison <jra@samba.org>2020-06-30 14:00:41 -0700
committerKarolin Seeger <kseeger@samba.org>2020-07-06 13:57:23 +0000
commit671e06eb4965840c05fb98a18623c78df096ac39 (patch)
tree014b08a7dbcafa7a548a53588cd0dd71f40e82eb
parent7d407fa84ae53605db801ec6488641d0622686e5 (diff)
downloadsamba-671e06eb4965840c05fb98a18623c78df096ac39.tar.gz
s3: libsmb: Fix SMB2 client rename bug to a Windows server.
Fix bug where renaming to a target name of one UCS2 character (name length 2 bytes) fails to a Windows 10 SMB2 server. The Windows 10 SMB2 server has a minimum length for a SMB2_FILE_RENAME_INFORMATION buffer of 24 bytes. It returns NT_STATUS_INFO_LENGTH_MISMATCH if the length is less. This isn't an alignment issue as Windows clients happily 2-byte align for larger target name sizes. Also the Windows 10 SMB1 server doesn't have this restriction. If the name length is too short, pad out with zeros to 24 bytes. Hard to add a test for this as we don't want to add this silly restriction to the Samba server as it would break all non-Windows clients. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14403 Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Wed Jul 1 18:59:53 UTC 2020 on sn-devel-184 (cherry picked from commit f59490dc2d07107d32d6e888f2814011ab2845b7)
-rw-r--r--source3/libsmb/cli_smb2_fnum.c26
1 files changed, 24 insertions, 2 deletions
diff --git a/source3/libsmb/cli_smb2_fnum.c b/source3/libsmb/cli_smb2_fnum.c
index 0d79cf693da..a5dc9573f22 100644
--- a/source3/libsmb/cli_smb2_fnum.c
+++ b/source3/libsmb/cli_smb2_fnum.c
@@ -3251,6 +3251,7 @@ NTSTATUS cli_smb2_rename(struct cli_state *cli,
smb_ucs2_t *converted_str = NULL;
size_t converted_size_bytes = 0;
size_t namelen = 0;
+ size_t inbuf_size;
TALLOC_CTX *frame = talloc_stackframe();
if (smbXcli_conn_has_async_calls(cli->conn)) {
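Review bot: The new `size_t inbuf_size;` is declared without an initialiser, while the two size variables directly above it (`converted_size_bytes`, `namelen`) are both set to `0`. For consistency, and so that no later `goto fail` path can read an indeterminate value, I would write `size_t inbuf_size = 0;`. The body of cli_smb2_rename continues outside this hunk, so whether any such path exists today cannot be seen from here.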
@@ -3308,8 +3309,29 @@ NTSTATUS cli_smb2_rename(struct cli_state *cli,
}
converted_size_bytes -= 2;
- inbuf = data_blob_talloc_zero(frame,
- 20 + converted_size_bytes);
+ inbuf_size = 20 + converted_size_bytes;
+ if (inbuf_size < 20) {
+ /* Integer wrap check. */
+ status = NT_STATUS_INVALID_PARAMETER;
+ goto fail;
+ }
+
+ /*
+ * The Windows 10 SMB2 server has a minimum length
+ * for a SMB2_FILE_RENAME_INFORMATION buffer of
+ * 24 bytes. It returns NT_STATUS_INFO_LENGTH_MISMATCH
+ * if the length is less. This isn't an alignment
+ * issue as Windows client happily 2-byte align
+ * for larget target name sizes. Also the Windows 10
+ * SMB1 server doesn't have this restriction.
+ *
+ * BUG: https://bugzilla.samba.org/show_bug.cgi?id=14403
+ */
+ if (inbuf_size < 24) {
+ inbuf_size = 24;
+ }
+
+ inbuf = data_blob_talloc_zero(frame, inbuf_size);
if (inbuf.data == NULL) {
status = NT_STATUS_NO_MEMORY;
goto fail;
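Review bot: The padding added at `if (inbuf_size < 24)` is only safe because the allocation just below it uses `data_blob_talloc_zero`. The bytes between the end of the name and offset 24 are sent to the server, so a later switch to a non-zeroing allocator would put uninitialised heap contents on the wire. I would record that next to the call, e.g. `/* _zero variant required: pad bytes up to 24 are transmitted. */`. The code that writes the name length and copies the name into the buffer lies outside this hunk; it should keep using `converted_size_bytes` rather than anything derived from `inbuf.length`, otherwise a short rename would carry the zero padding as part of the target name. As a style point, the literals `20` and `24` would read better as named constants, and "larget" in the new comment should be "larger".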