s4:libcli/smb2: fix smb2_getinfo_send() marshalling
authorStefan Metzmacher <metze@samba.org>
Tue, 8 Jan 2019 15:09:46 +0000 (16:09 +0100)
committerJeremy Allison <jra@samba.org>
Thu, 28 Mar 2019 23:09:36 +0000 (23:09 +0000)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13863

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
source4/libcli/smb2/getinfo.c
source4/libcli/smb2/smb2_calls.h
source4/smb_server/smb2/fileinfo.c
source4/torture/smb2/compound.c

index 14d911683e7296777bd0f334e1c8034d4d715b47..591309c62f77314b1ed3a3b4e1688f76946d9822 100644 (file)
@@ -34,24 +34,35 @@ struct smb2_request *smb2_getinfo_send(struct smb2_tree *tree, struct smb2_getin
        NTSTATUS status;
 
        req = smb2_request_init_tree(tree, SMB2_OP_GETINFO, 0x28, true, 
-                                    io->in.blob.length);
+                                    io->in.input_buffer.length);
        if (req == NULL) return NULL;
 
        SCVAL(req->out.body, 0x02, io->in.info_type);
        SCVAL(req->out.body, 0x03, io->in.info_class);
        SIVAL(req->out.body, 0x04, io->in.output_buffer_length);
-       SIVAL(req->out.body, 0x0C, io->in.reserved);
-       SIVAL(req->out.body, 0x08, io->in.input_buffer_length);
+       /*
+        * uint16_t input_buffer_offset
+        * uint16_t reserved
+        * uint32_t input_buffer_length
+        *
+        * We use smb2_push_o32s32_blob() which would
+        * expect uint32_t offset, uint32_t length.
+        *
+        * Everything is little endian, we can just
+        * overwrite the reserved field later.
+        */
        SIVAL(req->out.body, 0x10, io->in.additional_information);
        SIVAL(req->out.body, 0x14, io->in.getinfo_flags);
        smb2_push_handle(req->out.body+0x18, &io->in.file.handle);
 
        /* this blob is used for quota queries */
-       status = smb2_push_o32s32_blob(&req->out, 0x08, io->in.blob);
+       status = smb2_push_o32s32_blob(&req->out, 0x08, io->in.input_buffer);
        if (!NT_STATUS_IS_OK(status)) {
                talloc_free(req);
                return NULL;
        }
+       SSVAL(req->out.body, 0x0C, io->in.reserved);
+
        smb2_transport_send(req);
 
        return req;
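Review bot: The new `SSVAL(req->out.body, 0x0C, io->in.reserved);` after the blob push writes into the input_buffer_length field rather than the reserved field: the layout given in the hunk's own comment is a uint16 offset at 0x08, a uint16 reserved at 0x0A and a uint32 length at 0x0C, and smb2_push_o32s32_blob() is described as storing a uint32 offset followed by a uint32 length, so the reserved half-word sits at 0x0A. As written, the low 16 bits of InputBufferLength are clobbered with `reserved` (normally 0), which corrupts the length whenever input_buffer is non-empty (the quota-query case the comment mentions) and is invisible for the data_blob_null callers. The line should read `SSVAL(req->out.body, 0x0A, io->in.reserved);`. smb2_getinfo_send() starts before this hunk, so its remaining local declarations are not visible here.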
@@ -127,7 +138,7 @@ struct smb2_request *smb2_getinfo_file_send(struct smb2_tree *tree, union smb_fi
        b.in.info_type            = smb2_level & 0xFF;
        b.in.info_class           = smb2_level >> 8;
        b.in.output_buffer_length = 0x10000;
-       b.in.input_buffer_length  = 0;
+       b.in.input_buffer         = data_blob_null;
        b.in.file.handle          = io->generic.in.file.handle;
 
        if (io->generic.level == RAW_FILEINFO_SEC_DESC) {
index bea0573c26d967b2fcee9786f1f3d7e0968a699b..b6c08c2325fa0e4c5da0c604ada5d511fc051d89 100644 (file)
@@ -63,13 +63,13 @@ struct smb2_getinfo {
                uint8_t info_type;
                uint8_t info_class;
                uint32_t output_buffer_length;
-               /* uint32_t input_buffer_offset; */
-               uint32_t reserved;
-               uint32_t input_buffer_length;
+               /* uint16_t input_buffer_offset; */
+               uint16_t reserved;
+               /* uint32_t input_buffer_length; */
                uint32_t additional_information; /* SMB2_GETINFO_ADD_* */
                uint32_t getinfo_flags; /* level specific */
                union smb_handle file;
-               DATA_BLOB blob;
+               DATA_BLOB input_buffer;
        } in;
 
        struct {
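Review bot: `reserved` remains a caller-settable member with no note on what the marshaller does with it, while the adjacent commented-out `input_buffer_offset`/`input_buffer_length` entries now describe wire fields that smb2_getinfo_send() derives from `input_buffer`. A short comment on the field, e.g. `uint16_t reserved; /* sent as-is; callers should leave it 0 as the protocol expects */`, and `/* input_buffer_offset/length are filled from input_buffer by smb2_getinfo_send() */` above the commented-out lines would make the struct self-explanatory. This is a documentation-only suggestion.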
index 8c49336642610ce3e0ebe1847fa1c9ba676f1d4f..10ea4eb8c5baa2feb183bf381e18a83bb10e0978 100644 (file)
@@ -224,7 +224,7 @@ void smb2srv_getinfo_recv(struct smb2srv_request *req)
        info->in.getinfo_flags          = IVAL(req->in.body, 0x14);
        info->in.file.ntvfs             = smb2srv_pull_handle(req, req->in.body, 0x18);
        SMB2SRV_CHECK(smb2_pull_o16As32_blob(&req->in, op, 
-                                           req->in.body+0x08, &info->in.blob));
+                                           req->in.body+0x08, &info->in.input_buffer));
 
        SMB2SRV_CHECK_FILE_HANDLE(info->in.file.ntvfs);
        SMB2SRV_CALL_NTVFS_BACKEND(smb2srv_getinfo_backend(op));
index 11fed0bb40cc54992ddb468ca85e19ac61fe9b1d..87bacc904836439e42ce508c0dd4d1f82ae40374 100644 (file)
@@ -187,7 +187,7 @@ static bool test_compound_break(struct torture_context *tctx,
        gf.in.info_type = SMB2_GETINFO_FILE;
        gf.in.info_class = 0x16;
        gf.in.output_buffer_length = 0x1000;
-       gf.in.input_buffer_length = 0;
+       gf.in.input_buffer = data_blob_null;
 
        req[1] = smb2_getinfo_send(tree, &gf);
 
@@ -1229,7 +1229,7 @@ static bool test_compound_interim2(struct torture_context *tctx,
     gf.in.info_type   = SMB2_GETINFO_FILE;
     gf.in.info_class  = 0x04; /* FILE_BASIC_INFORMATION */
     gf.in.output_buffer_length = 0x1000;
-    gf.in.input_buffer_length = 0;
+    gf.in.input_buffer = data_blob_null;
 
     req[2] = smb2_getinfo_send(tree, &gf);