The branch, master has been updated
       via  95595dd s3:libsmb: fix cli_write_and_x() against OS/2 print shares 
(bug #5326)
       via  0fb4991 s3:libsmb: correctly parse the LANMAN2.1 negprot response 
from OS/2 (bug #8584)
       via  9a3fe3a s3:libsmb: key_len is 8bit only in the NT1 case
      from  26d736f s3: Remove two unused variables

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 95595dd93fd04999fcf56ecaab7c29b064d021f8
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Nov 8 08:25:16 2011 +0100

    s3:libsmb: fix cli_write_and_x() against OS/2 print shares (bug #5326)
    
    Print shares don't support CAP_LARGE_WRITEX, even though it is negotiated
    by the file server part.
    
    metze
    
    Autobuild-User: Stefan Metzmacher <me...@samba.org>
    Autobuild-Date: Tue Nov  8 17:01:36 CET 2011 on sn-devel-104

commit 0fb4991116fe07956ad2355121d7b580486b9a45
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Nov 8 08:14:31 2011 +0100

    s3:libsmb: correctly parse the LANMAN2.1 negprot response from OS/2 (bug 
#8584)
    
    metze

commit 9a3fe3a3292a780743df9dc4afd00864755d3dfd
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Nov 8 08:13:27 2011 +0100

    s3:libsmb: key_len is 8bit only in the NT1 case
    
    metze

-----------------------------------------------------------------------

Summary of changes:
 source3/libsmb/cliconnect.c   |   36 +++++++++++++++++++++++++++++++-----
 source3/libsmb/clireadwrite.c |   19 +++++++++++++++----
 2 files changed, 46 insertions(+), 9 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index af6c51b..8361715 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -2666,7 +2666,7 @@ static void cli_negprot_done(struct tevent_req *subreq)
                bool server_allowed;
                const char *server_signing = NULL;
                bool ok;
-               uint16_t key_len;
+               uint8_t key_len;
 
                if (wct != 0x11) {
                        tevent_req_nterror(req, 
NT_STATUS_INVALID_NETWORK_RESPONSE);
@@ -2802,6 +2802,10 @@ static void cli_negprot_done(struct tevent_req *subreq)
                }
 
        } else if (protocol >= PROTOCOL_LANMAN1) {
+               DATA_BLOB blob1;
+               ssize_t ret = 0;
+               uint16_t key_len;
+
                if (wct != 0x0D) {
                        tevent_req_nterror(req, 
NT_STATUS_INVALID_NETWORK_RESPONSE);
                        return;
@@ -2810,23 +2814,45 @@ static void cli_negprot_done(struct tevent_req *subreq)
                server_security_mode = SVAL(vwv + 1, 0);
                server_max_xmit = SVAL(vwv + 2, 0);
                server_max_mux = SVAL(vwv + 3, 0);
+               server_readbraw = ((SVAL(vwv + 5, 0) & 0x1) != 0);
+               server_writebraw = ((SVAL(vwv + 5, 0) & 0x2) != 0);
                server_session_key = IVAL(vwv + 6, 0);
                server_time_zone = SVALS(vwv + 10, 0);
                server_time_zone *= 60;
                /* this time is converted to GMT by make_unix_date */
                server_system_time = make_unix_date(
                        (char *)(vwv + 8), server_time_zone);
-               server_readbraw = ((SVAL(vwv + 5, 0) & 0x1) != 0);
-               server_writebraw = ((SVAL(vwv + 5, 0) & 0x2) != 0);
+               key_len = SVAL(vwv + 11, 0);
 
-               if (num_bytes != 0 && num_bytes != 8) {
+               if (num_bytes < key_len) {
                        tevent_req_nterror(req, 
NT_STATUS_INVALID_NETWORK_RESPONSE);
                        return;
                }
 
-               if (num_bytes == 8) {
+               if (key_len != 0 && key_len != 8) {
+                       tevent_req_nterror(req, 
NT_STATUS_INVALID_NETWORK_RESPONSE);
+                       return;
+               }
+
+               if (key_len == 8) {
                        memcpy(server_challenge, bytes, 8);
                }
+
+               blob1 = data_blob_const(bytes+key_len, num_bytes-key_len);
+               if (blob1.length > 0) {
+                       ret = pull_string_talloc(state,
+                                                (char *)inbuf,
+                                                SVAL(inbuf, smb_flg2),
+                                                &server_workgroup,
+                                                blob1.data,
+                                                blob1.length,
+                                                STR_TERMINATE|
+                                                STR_ASCII);
+                       if (ret == -1) {
+                               tevent_req_oom(req);
+                               return;
+                       }
+               }
        } else {
                /* the old core protocol */
                server_time_zone = get_time_zone(time(NULL));
diff --git a/source3/libsmb/clireadwrite.c b/source3/libsmb/clireadwrite.c
index e8c9017..79624ec 100644
--- a/source3/libsmb/clireadwrite.c
+++ b/source3/libsmb/clireadwrite.c
@@ -850,7 +850,7 @@ struct tevent_req *cli_write_andx_create(TALLOC_CTX 
*mem_ctx,
                return NULL;
        }
 
-       size = MIN(size, max_write);
+       state->size = MIN(size, max_write);
 
        vwv = state->vwv;
 
@@ -862,8 +862,8 @@ struct tevent_req *cli_write_andx_create(TALLOC_CTX 
*mem_ctx,
        SIVAL(vwv+5, 0, 0);
        SSVAL(vwv+7, 0, mode);
        SSVAL(vwv+8, 0, 0);
-       SSVAL(vwv+9, 0, (size>>16));
-       SSVAL(vwv+10, 0, size);
+       SSVAL(vwv+9, 0, (state->size>>16));
+       SSVAL(vwv+10, 0, state->size);
 
        SSVAL(vwv+11, 0,
              cli_smb_wct_ofs(reqs_before, num_reqs_before)
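Review bot: With the first hunk the `size` parameter is no longer clamped — only state->size is — so any later use of `size` in cli_write_andx_create() (the payload iovec length, if it still reads `size`) would now send the full caller-supplied buffer while vwv+9/vwv+10 advertise the clamped length. Either switch every remaining use to state->size or keep the two in lockstep with `size = state->size;` immediately after the MIN(). The remainder of the function is outside these hunks, so this needs confirming against the unchanged lines below.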
@@ -933,7 +933,18 @@ static void cli_write_andx_done(struct tevent_req *subreq)
                return;
        }
        state->written = SVAL(vwv+2, 0);
-       state->written |= SVAL(vwv+4, 0)<<16;
+       if (state->size > UINT16_MAX) {
+               /*
+                * It is important that we only set the
+                * high bits only if we asked for a large write.
+                *
+                * OS/2 print shares get this wrong and may send
+                * invalid values.
+                *
+                * See bug #5326.
+                */
+               state->written |= SVAL(vwv+4, 0)<<16;
+       }
        tevent_req_done(req);
 }
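Review bot: `SVAL(vwv+4, 0)<<16` on the new line shifts a 16-bit value that has been promoted to int, so for any high word >= 0x8000 the result no longer fits in int and the shift is undefined behaviour (this depends on whether SVAL() yields uint16_t or unsigned int on the build in question); cast to a wide unsigned type before shifting. A server can also still report more bytes written than were requested, in the 16-bit-only path too, and since callers presumably advance their buffer by `written`, it is cheap to reject that as an invalid response here. The new comment reads "only set the high bits only if" — drop one "only". cli_write_andx_done() begins before this hunk; the rewritten tail is:
```c
	state->written = SVAL(vwv+2, 0);
	if (state->size > UINT16_MAX) {
		/* … unchanged: OS/2 print-share comment, bug #5326 … */
		state->written |= ((uint32_t)SVAL(vwv+4, 0)) << 16;
	}
	if (state->written > state->size) {
		tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
		return;
	}
	tevent_req_done(req);
```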
 


-- 
Samba Shared Repository
