Skip to content

Commit

Permalink
Revert "smb2_ioctl: fix truncated FSCTL_QUERY_ALLOCATED_RANGES respon…
Browse files Browse the repository at this point in the history
…ses"

This reverts commit 4bb2b46bac8dad426e1b2f0942ded6908c47f7d5.

Wrong patchset applied. This is the one for 4.21. The correct patchset
will be the subsequent commits.

See: https://bugzilla.samba.org/show_bug.cgi?id=15699

Signed-off-by: Jule Anger <janger@samba.org>
  • Loading branch information
Jule Anger committed Sep 2, 2024
1 parent 72aa92c commit 78ca7d3
Show file tree
Hide file tree
Showing 4 changed files with 24 additions and 38 deletions.
1 change: 1 addition & 0 deletions selftest/knownfail
Original file line number Diff line number Diff line change
Expand Up @@ -222,6 +222,7 @@
^samba3.smb2.lease.statopen3
^samba3.smb2.lease.unlink # we currently do not downgrade RH lease to R after unlink
^samba4.smb2.ioctl.compress_notsup.*\(ad_dc_ntvfs\)
^samba4.smb2.ioctl.sparse_qar_truncated # bug 15699
^samba3.raw.session.*reauth2 # maybe fix this?
^samba3.rpc.lsa.secrets.seal # This gives NT_STATUS_LOCAL_USER_SESSION_KEY
^samba3.rpc.samr.passwords.badpwdcount.samr.badPwdCount\(nt4_dc\) # We fail this test currently
Expand Down
4 changes: 1 addition & 3 deletions source3/smbd/smb2_ioctl.c
Original file line number Diff line number Diff line change
Expand Up @@ -268,8 +268,7 @@ static bool smbd_smb2_ioctl_is_failure(uint32_t ctl_code, NTSTATUS status,
if (NT_STATUS_EQUAL(status, STATUS_BUFFER_OVERFLOW)
&& ((ctl_code == FSCTL_PIPE_TRANSCEIVE)
|| (ctl_code == FSCTL_PIPE_PEEK)
|| (ctl_code == FSCTL_DFS_GET_REFERRALS)
|| (ctl_code == FSCTL_QUERY_ALLOCATED_RANGES))) {
|| (ctl_code == FSCTL_DFS_GET_REFERRALS))) {
return false;
}

Expand Down Expand Up @@ -345,7 +344,6 @@ static void smbd_smb2_request_ioctl_done(struct tevent_req *subreq)
* in:
* - fsctl_dfs_get_refers()
* - smbd_smb2_ioctl_pipe_read_done()
* - fsctl_qar()
*/
status = NT_STATUS_BUFFER_TOO_SMALL;
}
Expand Down
54 changes: 21 additions & 33 deletions source3/smbd/smb2_ioctl_filesys.c
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
Core SMB2 server
Copyright (C) Stefan Metzmacher 2009
Copyright (C) David Disseldorp 2013-2024
Copyright (C) David Disseldorp 2013-2015
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
Expand Down Expand Up @@ -538,7 +538,6 @@ static NTSTATUS fsctl_qar_seek_fill(TALLOC_CTX *mem_ctx,
struct files_struct *fsp,
off_t curr_off,
off_t max_off,
size_t in_max_output,
DATA_BLOB *qar_array_blob)
{
NTSTATUS status = NT_STATUS_NOT_SUPPORTED;
Expand Down Expand Up @@ -579,17 +578,6 @@ static NTSTATUS fsctl_qar_seek_fill(TALLOC_CTX *mem_ctx,
return NT_STATUS_INTERNAL_ERROR;
}

if (qar_array_blob->length + sizeof(qar_buf) > in_max_output) {
/*
* Earlier check ensures space for one range or more.
* Subsequent overflow results in a truncated response.
*/
DBG_NOTICE("truncated QAR output: need > %zu, max %zu\n",
qar_array_blob->length + sizeof(qar_buf),
in_max_output);
return STATUS_BUFFER_OVERFLOW;
}

qar_buf.file_off = data_off;
/* + 1 to convert maximum offset to length */
qar_buf.len = MIN(hole_off, max_off + 1) - data_off;
Expand Down Expand Up @@ -664,13 +652,6 @@ static NTSTATUS fsctl_qar(TALLOC_CTX *mem_ctx,
return NT_STATUS_INVALID_PARAMETER;
}

/* must have enough space for at least one range */
if (in_max_output < sizeof(struct file_alloced_range_buf)) {
DEBUG(2, ("QAR max %lu insufficient for one range\n",
(unsigned long)in_max_output));
return NT_STATUS_BUFFER_TOO_SMALL;
}

/*
* Maximum offset is either the last valid offset _before_ EOF, or the
* last byte offset within the requested range. -1 converts length to
Expand Down Expand Up @@ -706,24 +687,31 @@ static NTSTATUS fsctl_qar(TALLOC_CTX *mem_ctx,
status = fsctl_qar_buf_push(mem_ctx, &qar_buf, &qar_array_blob);
} else {
status = fsctl_qar_seek_fill(mem_ctx, fsp, qar_req.buf.file_off,
max_off, in_max_output,
&qar_array_blob);
max_off, &qar_array_blob);
}
if (!NT_STATUS_IS_OK(status)) {
return status;
}

if (NT_STATUS_IS_OK(status)
|| NT_STATUS_EQUAL(status, STATUS_BUFFER_OVERFLOW)) {
/* marshall response. STATUS_BUFFER_OVERFLOW=truncated */
qar_rsp.far_buf_array = qar_array_blob;
/* marshall response buffer. */
qar_rsp.far_buf_array = qar_array_blob;

ndr_ret = ndr_push_struct_blob(out_output, mem_ctx, &qar_rsp,
(ndr_push_flags_fn_t)ndr_push_fsctl_query_alloced_ranges_rsp);
if (ndr_ret != NDR_ERR_SUCCESS) {
DEBUG(0, ("failed to marshall QAR rsp\n"));
return NT_STATUS_INVALID_PARAMETER;
}
ndr_ret = ndr_push_struct_blob(out_output, mem_ctx, &qar_rsp,
(ndr_push_flags_fn_t)ndr_push_fsctl_query_alloced_ranges_rsp);
if (ndr_ret != NDR_ERR_SUCCESS) {
DEBUG(0, ("failed to marshall QAR rsp\n"));
return NT_STATUS_INVALID_PARAMETER;
}

return status;
if (out_output->length > in_max_output) {
DEBUG(2, ("QAR output len %lu exceeds max %lu\n",
(unsigned long)out_output->length,
(unsigned long)in_max_output));
data_blob_free(out_output);
return NT_STATUS_BUFFER_TOO_SMALL;
}

return NT_STATUS_OK;
}

static void smb2_ioctl_filesys_dup_extents_done(struct tevent_req *subreq);
Expand Down
3 changes: 1 addition & 2 deletions source4/libcli/smb2/ioctl.c
Original file line number Diff line number Diff line change
Expand Up @@ -86,8 +86,7 @@ static bool smb2_ioctl_is_failure(uint32_t ctl_code, NTSTATUS status,
if (NT_STATUS_EQUAL(status, STATUS_BUFFER_OVERFLOW)
&& ((ctl_code == FSCTL_PIPE_TRANSCEIVE)
|| (ctl_code == FSCTL_PIPE_PEEK)
|| (ctl_code == FSCTL_DFS_GET_REFERRALS)
|| (ctl_code == FSCTL_QUERY_ALLOCATED_RANGES))) {
|| (ctl_code == FSCTL_DFS_GET_REFERRALS))) {
return false;
}

Expand Down

0 comments on commit 78ca7d3

Please sign in to comment.