From 0999366b6b36f3084870af0375d686b0cbaae698 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Tue, 10 Mar 2009 16:53:06 -0700
Subject: [PATCH] s3:signing: the seqnum should only be decremented by 1 for ntcancel requests

[MS-SMB] 3.3.5.1 Receiving Any Message says that the seqnum is incremented by only for ntcancel requests for any other request it's by incremented by 2, even if it doesn't expect a response.

metze
---
 source/include/proto.h | 2 +-
 source/libsmb/smb_signing.c | 6 ++++--
 source/smbd/aio.c | 8 ++++----
 source/smbd/nttrans.c | 2 +-
 4 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/source/include/proto.h b/source/include/proto.h
index c3df0ae5790..51405f05aaf 100644
--- a/source/include/proto.h
+++ b/source/include/proto.h
@@ -4942,7 +4942,7 @@ bool srv_oplock_set_signing(bool onoff);
 bool srv_check_sign_mac(const char *inbuf, bool must_be_ok);
 void srv_calculate_sign_mac(char *outbuf);
 void srv_defer_sign_response(uint16 mid);
-void srv_cancel_sign_response(uint16 mid);
+void srv_cancel_sign_response(uint16 mid, bool cancel);
 void srv_set_signing_negotiated(void);
 bool srv_is_signing_active(void);
 bool srv_is_signing_negotiated(void);
diff --git a/source/libsmb/smb_signing.c b/source/libsmb/smb_signing.c
index ea1eb05cfb1..55b30d476f0 100644
--- a/source/libsmb/smb_signing.c
+++ b/source/libsmb/smb_signing.c
@@ -865,7 +865,7 @@ void srv_defer_sign_response(uint16 mid)
 cancelled by mid. This should never find one....
 ************************************************************/
 
-void srv_cancel_sign_response(uint16 mid)
+void srv_cancel_sign_response(uint16 mid, bool cancel)
 {
 struct smb_basic_signing_context *data;
 uint32 dummy_seq;
@@ -884,7 +884,9 @@ void srv_cancel_sign_response(uint16 mid)
 ;
 
 /* cancel doesn't send a reply so doesn't burn a sequence number. */
- data->send_seq_num -= 1;
+ if (cancel) {
+ data->send_seq_num -= 1;
+ }
 }
 
 /***********************************************************
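Review bot: The comment kept above the new `if (cancel)` in srv_cancel_sign_response still reads as an unconditional rule, and neither it nor the function's header comment says what the `cancel` flag means or why the other path leaves send_seq_num untouched. I would replace it with `/* Only an ntcancel consumes a single sequence number ([MS-SMB] 3.3.5.1); any other request consumes two even when no reply is sent, so leave send_seq_num alone. */` and add a sentence to the header comment describing the parameter. The sequence number is part of what each packet's signature is computed over, so a drift in either direction would presumably make every later signed packet on the connection fail verification. A test run with signing required that covers both an ntcancel and a cancelled aio request would be worth adding. The middle of the function lies between the two hunks and is not visible here.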
diff --git a/source/smbd/aio.c b/source/smbd/aio.c
index c3fd0a2bc0e..6c468ac8782 100644
--- a/source/smbd/aio.c
+++ b/source/smbd/aio.c
@@ -442,7 +442,7 @@ static int handle_aio_read_complete(struct aio_extra *aio_ex)
 /* If errno is ECANCELED then don't return anything to the
 * client. */
 if (errno == ECANCELED) {
- srv_cancel_sign_response(aio_ex->mid);
+ srv_cancel_sign_response(aio_ex->mid, false);
 return 0;
 }
 
@@ -536,7 +536,7 @@ static int handle_aio_write_complete(struct aio_extra *aio_ex)
 /* If errno is ECANCELED then don't return anything to the
 * client. */
 if (errno == ECANCELED) {
- srv_cancel_sign_response(aio_ex->mid);
+ srv_cancel_sign_response(aio_ex->mid, false);
 return 0;
 }
 
@@ -648,7 +648,7 @@ int process_aio_queue(void)
 if (!aio_ex) {
 DEBUG(3,("process_aio_queue: Can't find record to "
 "match mid %u.\n", (unsigned int)mid));
- srv_cancel_sign_response(mid);
+ srv_cancel_sign_response(mid, false);
 continue;
 }
 
@@ -658,7 +658,7 @@ int process_aio_queue(void)
 * ignore. */
 DEBUG( 3,( "process_aio_queue: file closed whilst "
 "aio outstanding.\n"));
- srv_cancel_sign_response(mid);
+ srv_cancel_sign_response(mid, false);
 continue;
 }
 
diff --git a/source/smbd/nttrans.c b/source/smbd/nttrans.c
index a3f5114bdf9..0bd37a5d011 100644
--- a/source/smbd/nttrans.c
+++ b/source/smbd/nttrans.c
@@ -1076,7 +1076,7 @@ void reply_ntcancel(struct smb_request *req)
 START_PROFILE(SMBntcancel);
 remove_pending_change_notify_requests_by_mid(req->mid);
 remove_pending_lock_requests_by_mid(req->mid);
- srv_cancel_sign_response(req->mid);
+ srv_cancel_sign_response(req->mid, true);
 
 DEBUG(3,("reply_ntcancel: cancel called on mid = %d.\n", req->mid));
 
-- 
2.11.4.GIT
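Review bot: The bare `false` passed at the four aio.c call sites (the ECANCELED branches of handle_aio_read_complete and handle_aio_write_complete, and the two error paths in process_aio_queue) does not tell a reader which sequence-number rule is being selected, and the same goes for the bare `true` in reply_ntcancel. A wrong literal at any of them would compile cleanly and only show up later as a signing mismatch. A short trailing comment at each site would make the intent reviewable, e.g. `srv_cancel_sign_response(aio_ex->mid, false); /* not an ntcancel: seqnum stays advanced by 2 */` and `srv_cancel_sign_response(req->mid, true); /* ntcancel consumes only one seqnum */`. All of these functions continue outside their hunks.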