authorStefan Metzmacher <metze@samba.org>2013-10-28 15:43:03 +0100
committerKarolin Seeger <kseeger@samba.org>2013-11-06 12:33:27 +0100
commit8db5eccaf25ae3d6c047ad642370ed154b0fddc7 (patch)
tree581fa6cf6a7981fdeb52e01c432ccd3149fc3610 /libcli/smb
parent67840df91d7370bd5c642635aa7731ccb343fd7b (diff)
downloadsamba-8db5eccaf25ae3d6c047ad642370ed154b0fddc7.tar.gz
libcli/smb: fix smb2cli_ioctl*() against Windows 2008.
The subsections of [MS-SMB2] "3.2.5.14 Receiving an SMB2 IOCTL Response" say the client should ignore InputOffset/InputCount. We now do that, but only when we asked for max_input_length = 0. Bug: https://bugzilla.samba.org/show_bug.cgi?id=10232 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Thu Oct 31 01:16:10 CET 2013 on sn-devel-104 (cherry picked from commit 127fc670a39d15eaa3869045fca0287ba7df9efa)
Diffstat (limited to 'libcli/smb')
-rw-r--r--libcli/smb/smb2cli_ioctl.c33
1 files changed, 29 insertions, 4 deletions
diff --git a/libcli/smb/smb2cli_ioctl.c b/libcli/smb/smb2cli_ioctl.c
index 8de76359a16..30906935b61 100644
--- a/libcli/smb/smb2cli_ioctl.c
+++ b/libcli/smb/smb2cli_ioctl.c
@@ -213,7 +213,21 @@ static void smb2cli_ioctl_done(struct tevent_req *subreq)
return;
}
- if (input_buffer_length < dyn_len) {
+ ofs = input_buffer_length;
+ ofs = NDR_ROUND(ofs, 8);
+
+ if (state->max_input_length == 0) {
+ /*
+ * If max_input_length is 0 we ignore
+ * the input_buffer_length, because
+ * Windows 2008 echos the DCERPC request
+ * from the requested input_buffer
+ * to the response input_buffer.
+ */
+ input_buffer_length = 0;
+ }
+
+ if (input_buffer_length > dyn_len) {
tevent_req_nterror(
req, NT_STATUS_INVALID_NETWORK_RESPONSE);
return;
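Review bot: `ofs` is derived from the raw wire InputCount and rounded (L26–L27) before any bound is applied to that value, and when `state->max_input_length == 0` the raw value is then discarded (L37), so the only thing constraining `ofs` is the `ofs > dyn_len` check in the next hunk. If `ofs` is a 32-bit type (its declaration is not in the hunk), `NDR_ROUND` on a server-supplied InputCount in the range 0xFFFFFFF9..0xFFFFFFFF wraps to 0, that check passes, and a malformed response is accepted with `out_input_buffer.length == 0` rather than rejected; as far as the hunk shows this does not over-read, but the validation is on the wrong value. I would bound the unrounded value first, regardless of `max_input_length`, with `if (input_buffer_length > dyn_len) { tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); return; }` placed before L26, and only then compute `ofs` and apply the `max_input_length == 0` override. smb2cli_ioctl_done begins before and continues after this hunk.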
@@ -228,8 +242,11 @@ static void smb2cli_ioctl_done(struct tevent_req *subreq)
state->out_input_buffer.data = dyn;
state->out_input_buffer.length = input_buffer_length;
- ofs = input_buffer_length;
- ofs = NDR_ROUND(ofs, 8);
+ if (ofs > dyn_len) {
+ tevent_req_nterror(
+ req, NT_STATUS_INVALID_NETWORK_RESPONSE);
+ return;
+ }
dyn_ofs += ofs;
dyn += ofs;
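Review bot: Nothing in this hunk reduces `dyn_len` after `dyn += ofs;` (L55), while the third hunk still bounds the output buffer with `output_buffer_length > dyn_len`; unless a `dyn_len -= ofs;` follows outside the visible context, that comparison is against the full dynamic-area length and an OutputCount of up to `ofs` bytes past the end of `dyn` would be accepted. Adding `dyn_len -= ofs;` directly after `dyn += ofs;` is safe here because the new `ofs > dyn_len` check (L49–L53) already guarantees `ofs <= dyn_len`. The function continues on both sides of this hunk, so this may already be handled out of view.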
@@ -243,7 +260,15 @@ static void smb2cli_ioctl_done(struct tevent_req *subreq)
return;
}
- if (output_buffer_length < dyn_len) {
+ if (state->max_output_length == 0) {
+ /*
+ * We do the same logic as for
+ * max_input_length.
+ */
+ output_buffer_length = 0;
+ }
+
+ if (output_buffer_length > dyn_len) {
tevent_req_nterror(
req, NT_STATUS_INVALID_NETWORK_RESPONSE);
return;
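Review bot: The comment at L61–L64 only says "same logic as for max_input_length", but the justification given there (Windows 2008 echoing the DCERPC request into the response input buffer) does not apply to the output buffer, so a reader cannot tell why a non-zero OutputCount is being zeroed. I would state the actual contract the branch implements: `/* The caller asked for no output (max_output_length == 0), so a non-zero OutputCount from the server is not treated as a protocol violation; it is ignored. */`. Whether the ignored bytes are later exposed through `out_output_buffer` is not visible here, and smb2cli_ioctl_done continues past the end of this hunk.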