git.samba.org / samba.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (from parent 1: 54d07da)
smbd/smb2_ioctl: fail zero length copy chunk requests
authorDavid Disseldorp <ddiss@samba.org>
Thu, 6 Feb 2014 19:12:21 +0000 (20:12 +0100)
committerJeremy Allison <jra@samba.org>
Fri, 7 Feb 2014 00:15:28 +0000 (16:15 -0800)
As documented in MS-SMB2 3.3.5.15.6 Handling a Server-Side Data Copy
Request, an invalid parameter response should be sent when:

The Length value in a single chunk is greater than
ServerSideCopyMaxChunkSize or *equal to zero*.

We do not currently abide by the latter part of this clause.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10424

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
source3/smbd/smb2_ioctl_network_fs.c patch | blob | history

diff --git a/source3/smbd/smb2_ioctl_network_fs.c b/source3/smbd/smb2_ioctl_network_fs.c
index a1d67f80a914e2d77c2771048eb284fb65e2f05c..986e97db618358ce6c9db0e2c9921ccb1f620b68 100644 (file)
--- a/source3/smbd/smb2_ioctl_network_fs.c
+++ b/source3/smbd/smb2_ioctl_network_fs.c
@@ -46,16 +46,31 @@ static NTSTATUS copychunk_check_limits(struct srv_copychunk_copy *cc_copy)
        uint32_t i;
        uint32_t total_len = 0;
 
+       /*
+        * [MS-SMB2] 3.3.5.15.6 Handling a Server-Side Data Copy Request
+        * Send and invalid parameter response if:
+        * - The ChunkCount value is greater than
+        *   ServerSideCopyMaxNumberofChunks
+        */
        if (cc_copy->chunk_count > COPYCHUNK_MAX_CHUNKS) {
                return NT_STATUS_INVALID_PARAMETER;
        }
 
        for (i = 0; i < cc_copy->chunk_count; i++) {
-               if (cc_copy->chunks[i].length > COPYCHUNK_MAX_CHUNK_LEN) {
+               /*
+                * - The Length value in a single chunk is greater than
+                *   ServerSideCopyMaxChunkSize or equal to zero.
+                */
+               if ((cc_copy->chunks[i].length == 0)
+                || (cc_copy->chunks[i].length > COPYCHUNK_MAX_CHUNK_LEN)) {
                        return NT_STATUS_INVALID_PARAMETER;
                }
                total_len += cc_copy->chunks[i].length;
        }
+       /*
+        * - Sum of Lengths in all chunks is greater than
+        *   ServerSideCopyMaxDataSize
+        */
        if (total_len > COPYCHUNK_MAX_TOTAL_LEN) {
                return NT_STATUS_INVALID_PARAMETER;
        }
Samba Shared Repository