The branch, master has been updated via 95595dd s3:libsmb: fix cli_write_and_x() against OS/2 print shares (bug #5326) via 0fb4991 s3:libsmb: correctly parse the LANMAN2.1 negprot response from OS/2 (bug #8584) via 9a3fe3a s3:libsmb: key_len is 8bit only in the NT1 case from 26d736f s3: Remove two unused variables
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 95595dd93fd04999fcf56ecaab7c29b064d021f8
Author: Stefan Metzmacher <me...@samba.org>
Date: Tue Nov 8 08:25:16 2011 +0100
s3:libsmb: fix cli_write_and_x() against OS/2 print shares (bug #5326)
Print shares doesn't support CAP_LARGE_WRITEX, while it's negotiated by the file server part.
metze
Autobuild-User: Stefan Metzmacher <me...@samba.org>
Autobuild-Date: Tue Nov 8 17:01:36 CET 2011 on sn-devel-104
commit 0fb4991116fe07956ad2355121d7b580486b9a45
Author: Stefan Metzmacher <me...@samba.org>
Date: Tue Nov 8 08:14:31 2011 +0100
s3:libsmb: correctly parse the LANMAN2.1 negprot response from OS/2 (bug #8584)
metze
commit 9a3fe3a3292a780743df9dc4afd00864755d3dfd
Author: Stefan Metzmacher <me...@samba.org>
Date: Tue Nov 8 08:13:27 2011 +0100
s3:libsmb: key_len is 8bit only in the NT1 case
metze
-----------------------------------------------------------------------
Summary of changes:
source3/libsmb/cliconnect.c | 36 +++++++++++++++++++++++++++++++-----
source3/libsmb/clireadwrite.c | 19 +++++++++++++++----
2 files changed, 46 insertions(+), 9 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index af6c51b..8361715 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -2666,7 +2666,7 @@ static void cli_negprot_done(struct tevent_req *subreq)
 bool server_allowed;
 const char *server_signing = NULL;
 bool ok;
- uint16_t key_len;
+ uint8_t key_len;
 if (wct != 0x11) {
 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
@@ -2802,6 +2802,10 @@ static void cli_negprot_done(struct tevent_req *subreq)
 }
 } else if (protocol >= PROTOCOL_LANMAN1) {
+ DATA_BLOB blob1;
+ ssize_t ret = 0;
+ uint16_t key_len;
+
 if (wct != 0x0D) {
 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
 return;
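Review bot: The `uint16_t key_len;` declared inside the LANMAN1 branch shadows the function-scope `uint8_t key_len;` that the first hunk narrows for the NT1 case, so two variables of different width now share one name in cli_negprot_done; `-Wshadow` will warn and a reader cannot tell at a glance which one a later assignment refers to. A distinct name, e.g. `uint16_t lm_key_len;` with the matching uses in the next hunk, would make the 16-bit LANMAN field explicit. cli_negprot_done begins and ends outside this hunk.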
@@ -2810,23 +2814,45 @@ static void cli_negprot_done(struct tevent_req *subreq)
 server_security_mode = SVAL(vwv + 1, 0);
 server_max_xmit = SVAL(vwv + 2, 0);
 server_max_mux = SVAL(vwv + 3, 0);
+ server_readbraw = ((SVAL(vwv + 5, 0) & 0x1) != 0);
+ server_writebraw = ((SVAL(vwv + 5, 0) & 0x2) != 0);
 server_session_key = IVAL(vwv + 6, 0);
 server_time_zone = SVALS(vwv + 10, 0);
 server_time_zone *= 60;
 /* this time is converted to GMT by make_unix_date */
 server_system_time = make_unix_date(
 (char *)(vwv + 8), server_time_zone);
- server_readbraw = ((SVAL(vwv + 5, 0) & 0x1) != 0);
- server_writebraw = ((SVAL(vwv + 5, 0) & 0x2) != 0);
+ key_len = SVAL(vwv + 11, 0);
- if (num_bytes != 0 && num_bytes != 8) {
+ if (num_bytes < key_len) {
 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
 return;
 }
- if (num_bytes == 8) {
+ if (key_len != 0 && key_len != 8) {
+ tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
+ return;
+ }
+
+ if (key_len == 8) {
 memcpy(server_challenge, bytes, 8);
 }
+
+ blob1 = data_blob_const(bytes+key_len, num_bytes-key_len);
+ if (blob1.length > 0) {
+ ret = pull_string_talloc(state,
+ (char *)inbuf,
+ SVAL(inbuf, smb_flg2),
+ &server_workgroup,
+ blob1.data,
+ blob1.length,
+ STR_TERMINATE|
+ STR_ASCII);
+ if (ret == -1) {
+ tevent_req_oom(req);
+ return;
+ }
+ }
 } else {
 /* the old core protocol */
 server_time_zone = get_time_zone(time(NULL));
diff --git a/source3/libsmb/clireadwrite.c b/source3/libsmb/clireadwrite.c
index e8c9017..79624ec 100644
--- a/source3/libsmb/clireadwrite.c
+++ b/source3/libsmb/clireadwrite.c
@@ -850,7 +850,7 @@ struct tevent_req *cli_write_andx_create(TALLOC_CTX *mem_ctx,
 return NULL;
 }
- size = MIN(size, max_write);
+ state->size = MIN(size, max_write);
 vwv = state->vwv;
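Review bot: The bytes after the challenge are now parsed as the LANMAN2.1 domain name, but nothing in the hunk explains the wire layout or why `key_len` may only be 0 or 8; a one-line comment above `key_len = SVAL(vwv + 11, 0);` such as `/* LANMAN2.1: vwv[11] is the challenge length; bytes = challenge (0 or 8 bytes) followed by the optional domain name */` would make the two length checks self-explaining. The length handling itself looks sound: `num_bytes < key_len` is rejected before `num_bytes-key_len` is formed, so the blob cannot underflow, and the copy is bounded by `blob1.length` and terminated via `STR_TERMINATE`. If `pull_string_talloc` returns `size_t` as elsewhere in libsmb, `ret` reads cleaner as `size_t ret;` compared against `(size_t)-1` instead of routing the sentinel through `ssize_t`. `server_workgroup` is server-supplied and whatever consumes it after negprot should treat it as untrusted; cli_negprot_done continues outside this hunk.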
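Review bot: With `size = MIN(size, max_write);` replaced by `state->size = MIN(size, max_write);`, the `size` parameter itself is no longer clamped, so any later use of `size` in cli_write_andx_create that is not in these hunks — the data iov length in particular, if it is still set from `size` — would send more payload than the clamped count announced in vwv+9/vwv+10. Please check the rest of the function and switch every remaining use to `state->size`, or keep the local clamp too: `size = MIN(size, max_write); state->size = size;`. cli_write_andx_create starts and ends outside this hunk.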
@@ -862,8 +862,8 @@ struct tevent_req *cli_write_andx_create(TALLOC_CTX *mem_ctx,
 SIVAL(vwv+5, 0, 0);
 SSVAL(vwv+7, 0, mode);
 SSVAL(vwv+8, 0, 0);
- SSVAL(vwv+9, 0, (size>>16));
- SSVAL(vwv+10, 0, size);
+ SSVAL(vwv+9, 0, (state->size>>16));
+ SSVAL(vwv+10, 0, state->size);
 SSVAL(vwv+11, 0, cli_smb_wct_ofs(reqs_before, num_reqs_before)
@@ -933,7 +933,18 @@ static void cli_write_andx_done(struct tevent_req *subreq)
 return;
 }
 state->written = SVAL(vwv+2, 0);
- state->written |= SVAL(vwv+4, 0)<<16;
+ if (state->size > UINT16_MAX) {
+ /*
+ * It is important that we only set the
+ * high bits only if we asked for a large write.
+ *
+ * OS/2 print shares get this wrong and may send
+ * invalid values.
+ *
+ * See bug #5326.
+ */
+ state->written |= SVAL(vwv+4, 0)<<16;
+ }
 tevent_req_done(req);
 }
-- Samba Shared Repository
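Review bot: `state->written` is still taken from the server response without an upper bound; even with the high half now guarded, it can exceed `state->size`, and a corrupt reply from the very servers this hunk works around could report more bytes written than were sent. Unless a caller already checks it, rejecting that here keeps the bad count from propagating: `if (state->written > state->size) { tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); return; }` placed before `tevent_req_done(req);`. The new comment's `only set the high bits only if` doubles `only`; `only set the high bits if we asked for a large write.` reads better. cli_write_andx_done begins outside this hunk.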