From ee2574ae5675ef0ea9b14c13677acf6c003497e0 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Tue, 8 Jan 2019 16:09:46 +0100
Subject: [PATCH] s4:libcli/smb2: fix smb2_getinfo_send() marshalling
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13863
Signed-off-by: Stefan Metzmacher
Reviewed-by: Jeremy Allison
---
 source4/libcli/smb2/getinfo.c | 21 ++++++++++++++++-----
 source4/libcli/smb2/smb2_calls.h | 8 ++++----
 source4/smb_server/smb2/fileinfo.c | 2 +-
 source4/torture/smb2/compound.c | 4 ++--
 4 files changed, 23 insertions(+), 12 deletions(-)
diff --git a/source4/libcli/smb2/getinfo.c b/source4/libcli/smb2/getinfo.c
index 14d911683e7..591309c62f7 100644
--- a/source4/libcli/smb2/getinfo.c
+++ b/source4/libcli/smb2/getinfo.c
@@ -34,24 +34,35 @@ struct smb2_request *smb2_getinfo_send(struct smb2_tree *tree, struct smb2_getin
 NTSTATUS status;
 req = smb2_request_init_tree(tree, SMB2_OP_GETINFO, 0x28, true,
- io->in.blob.length);
+ io->in.input_buffer.length);
 if (req == NULL) return NULL;
 SCVAL(req->out.body, 0x02, io->in.info_type);
 SCVAL(req->out.body, 0x03, io->in.info_class);
 SIVAL(req->out.body, 0x04, io->in.output_buffer_length);
- SIVAL(req->out.body, 0x0C, io->in.reserved);
- SIVAL(req->out.body, 0x08, io->in.input_buffer_length);
+ /*
+ * uint16_t input_buffer_offset
+ * uint16_t reserved
+ * uint32_t input_buffer_length
+ *
+ * We use smb2_push_o32s32_blob() which would
+ * expect uint32_t offset, uint32_t length.
+ *
+ * Everything is little endian, we can just
+ * overwrite the reserved field later.
+ */
 SIVAL(req->out.body, 0x10, io->in.additional_information);
 SIVAL(req->out.body, 0x14, io->in.getinfo_flags);
 smb2_push_handle(req->out.body+0x18, &io->in.file.handle);
 /* this blob is used for quota queries */
- status = smb2_push_o32s32_blob(&req->out, 0x08, io->in.blob);
+ status = smb2_push_o32s32_blob(&req->out, 0x08, io->in.input_buffer);
 if (!NT_STATUS_IS_OK(status)) {
 talloc_free(req);
 return NULL;
 }
+ SSVAL(req->out.body, 0x0C, io->in.reserved);
+
 smb2_transport_send(req);
 return req;
@@ -127,7 +138,7 @@ struct smb2_request *smb2_getinfo_file_send(struct smb2_tree *tree, union smb_fi
 b.in.info_type = smb2_level & 0xFF;
 b.in.info_class = smb2_level >> 8;
 b.in.output_buffer_length = 0x10000;
- b.in.input_buffer_length = 0;
+ b.in.input_buffer = data_blob_null;
 b.in.file.handle = io->generic.in.file.handle;
 if (io->generic.level == RAW_FILEINFO_SEC_DESC) {
diff --git a/source4/libcli/smb2/smb2_calls.h b/source4/libcli/smb2/smb2_calls.h
index bea0573c26d..b6c08c2325f 100644
--- a/source4/libcli/smb2/smb2_calls.h
+++ b/source4/libcli/smb2/smb2_calls.h
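Review bot: The added `SSVAL(req->out.body, 0x0C, io->in.reserved);` after the blob push stores the 16-bit reserved value over the low half of the uint32 input_buffer_length that smb2_push_o32s32_blob() has just written at 0x0C, if that helper lays the fields out the way the new comment says (uint32 offset at 0x08, uint32 length at 0x0C). The wire layout in that same comment places the uint16 reserved field at 0x0A, which is the upper half of the 32-bit offset and the part the little-endian argument relies on being zero, so the store should read `SSVAL(req->out.body, 0x0A, io->in.reserved);`. With data_blob_null the clobber is invisible (length 0, reserved 0), but a quota query with a non-empty input_buffer would go out with a truncated length field. smb2_getinfo_send() begins before this hunk, and the compound.c tests touched by this patch only pass data_blob_null, so they would not catch it.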
@@ -63,13 +63,13 @@ struct smb2_getinfo {
 uint8_t info_type;
 uint8_t info_class;
 uint32_t output_buffer_length;
- /* uint32_t input_buffer_offset; */
- uint32_t reserved;
- uint32_t input_buffer_length;
+ /* uint16_t input_buffer_offset; */
+ uint16_t reserved;
+ /* uint32_t input_buffer_length; */
 uint32_t additional_information; /* SMB2_GETINFO_ADD_* */
 uint32_t getinfo_flags; /* level specific */
 union smb_handle file;
- DATA_BLOB blob;
+ DATA_BLOB input_buffer;
 } in;
 struct {
diff --git a/source4/smb_server/smb2/fileinfo.c b/source4/smb_server/smb2/fileinfo.c
index 8c493366426..10ea4eb8c5b 100644
--- a/source4/smb_server/smb2/fileinfo.c
+++ b/source4/smb_server/smb2/fileinfo.c
@@ -224,7 +224,7 @@ void smb2srv_getinfo_recv(struct smb2srv_request *req)
 info->in.getinfo_flags = IVAL(req->in.body, 0x14);
 info->in.file.ntvfs = smb2srv_pull_handle(req, req->in.body, 0x18);
 SMB2SRV_CHECK(smb2_pull_o16As32_blob(&req->in, op,
- req->in.body+0x08, &info->in.blob));
+ req->in.body+0x08, &info->in.input_buffer));
 SMB2SRV_CHECK_FILE_HANDLE(info->in.file.ntvfs);
 SMB2SRV_CALL_NTVFS_BACKEND(smb2srv_getinfo_backend(op));
diff --git a/source4/torture/smb2/compound.c b/source4/torture/smb2/compound.c
index 11fed0bb40c..87bacc90483 100644
--- a/source4/torture/smb2/compound.c
+++ b/source4/torture/smb2/compound.c
@@ -187,7 +187,7 @@ static bool test_compound_break(struct torture_context *tctx,
 gf.in.info_type = SMB2_GETINFO_FILE;
 gf.in.info_class = 0x16;
 gf.in.output_buffer_length = 0x1000;
- gf.in.input_buffer_length = 0;
+ gf.in.input_buffer = data_blob_null;
 req[1] = smb2_getinfo_send(tree, &gf);
@@ -1229,7 +1229,7 @@ static bool test_compound_interim2(struct torture_context *tctx,
 gf.in.info_type = SMB2_GETINFO_FILE;
 gf.in.info_class = 0x04; /* FILE_BASIC_INFORMATION */
 gf.in.output_buffer_length = 0x1000;
- gf.in.input_buffer_length = 0;
+ gf.in.input_buffer = data_blob_null;
 req[2] = smb2_getinfo_send(tree, &gf);
-- 
2.34.1
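Review bot: The smb2_calls.h hunk leaves `reserved` as a live uint16_t wedged between two commented-out wire fields without saying who now fills the offset and length, so the next caller of smb2_getinfo_send() has to work that out from getinfo.c. A one-line comment on the `in` block would carry the contract, e.g. `/* input_buffer_offset/length are not set by callers; smb2_getinfo_send() derives them from input_buffer */`. struct smb2_getinfo begins before this hunk.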