From 1271434175a3858abbb3aed88d0bd3ee2eb302a7 Mon Sep 17 00:00:00 2001
From: David Disseldorp
Date: Thu, 6 Feb 2014 20:12:21 +0100
Subject: [PATCH] smbd/smb2_ioctl: fail zero length copy chunk requests
As documented in MS-SMB2 3.3.5.15.6 Handling a Server-Side Data Copy Request, an invalid parameter response should be sent when: The Length value in a single chunk is greater than ServerSideCopyMaxChunkSize or *equal to zero*. We do not currently abide by the latter part of this clause.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10424
Signed-off-by: David Disseldorp
Reviewed-by: Jeremy Allison
(cherry picked from commit 00906f9604ad3e633e3d3cbc8d9dc4e2e305a455)
---
 source3/smbd/smb2_ioctl_network_fs.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/source3/smbd/smb2_ioctl_network_fs.c b/source3/smbd/smb2_ioctl_network_fs.c
index 8757e74c67b..49c2715df83 100644
--- a/source3/smbd/smb2_ioctl_network_fs.c
+++ b/source3/smbd/smb2_ioctl_network_fs.c
@@ -46,16 +46,31 @@ static NTSTATUS copychunk_check_limits(struct srv_copychunk_copy *cc_copy)
 uint32_t i;
 uint32_t total_len = 0;
+ /*
+ * [MS-SMB2] 3.3.5.15.6 Handling a Server-Side Data Copy Request
+ * Send and invalid parameter response if:
+ * - The ChunkCount value is greater than
+ * ServerSideCopyMaxNumberofChunks
+ */
 if (cc_copy->chunk_count > COPYCHUNK_MAX_CHUNKS) {
 return NT_STATUS_INVALID_PARAMETER;
 }
 for (i = 0; i < cc_copy->chunk_count; i++) {
- if (cc_copy->chunks[i].length > COPYCHUNK_MAX_CHUNK_LEN) {
+ /*
+ * - The Length value in a single chunk is greater than
+ * ServerSideCopyMaxChunkSize or equal to zero.
+ */
+ if ((cc_copy->chunks[i].length == 0)
+ || (cc_copy->chunks[i].length > COPYCHUNK_MAX_CHUNK_LEN)) {
 return NT_STATUS_INVALID_PARAMETER;
 }
 total_len += cc_copy->chunks[i].length;
 }
+ /*
+ * - Sum of Lengths in all chunks is greater than
+ * ServerSideCopyMaxDataSize
+ */
 if (total_len > COPYCHUNK_MAX_TOTAL_LEN) {
 return NT_STATUS_INVALID_PARAMETER;
 }
--
2.11.4.GIT
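Review bot: The added comments cover the three MS-SMB2 limit checks but not the invariant that keeps `total_len += cc_copy->chunks[i].length` from wrapping. The uint32_t sum stays in range only because the count and per-chunk bounds are enforced before each addition, and COPYCHUNK_MAX_CHUNKS and COPYCHUNK_MAX_CHUNK_LEN are defined outside this hunk, so their product cannot be confirmed here. Since these lengths come from the client's request, I would add `/* chunk_count and length are bounded above, so total_len cannot wrap */` next to the accumulation, or move the `total_len > COPYCHUNK_MAX_TOTAL_LEN` test inside the loop so the bound no longer depends on the constants. The first added comment also reads "Send and invalid parameter response", which should be "Send an". The body of copychunk_check_limits starts before and continues past this hunk.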