
Commit 1052e13e authored by Chris Collins, committed by ROOL

Fix SMB read to not exceed our negotiated buffer size

The limit for data length in the read operation is set by
MaxBufferSize (MAX_RX_BLOCK_SIZE in the source).
The problem is, in executing the read, there was no allowance for the
SMB overhead, so we're asking for reads that produce packets larger than
our buffer, which Samba4 is rightfully rejecting and giving us a short
response to fit into the buffer we said we needed it to fit into.

Actually, Samba should abort the connection, but it responds to deal
with Win2k having a similar bug.

Ref:
 * Definition of MaxBufferSize [MS-CIFS v20180912 s 2.2.4.53.1, pg 282]
 * Definition of SMB_COM_READ [MS-CIFS v20180912 s2.2.4.11, pg 120]

Version 2.66. Tagged as 'OmniLanManFS-2_66'
parent e7ce75bf
/* (2.65)
/* (2.66)
*
* This file is automatically maintained by srccommit, do not edit manually.
*
*/
#define Module_MajorVersion_CMHG 2.65
#define Module_MajorVersion_CMHG 2.66
#define Module_MinorVersion_CMHG
#define Module_Date_CMHG 11 Jul 2020
#define Module_Date_CMHG 31 Aug 2020
#define Module_MajorVersion "2.65"
#define Module_Version 265
#define Module_MajorVersion "2.66"
#define Module_Version 266
#define Module_MinorVersion ""
#define Module_Date "11 Jul 2020"
#define Module_Date "31 Aug 2020"
#define Module_ApplicationDate "11-Jul-20"
#define Module_ApplicationDate "31-Aug-20"
#define Module_ComponentName "OmniLanManFS"
#define Module_FullVersion "2.65"
#define Module_HelpVersion "2.65 (11 Jul 2020)"
#define Module_LibraryVersionInfo "2:65"
#define Module_FullVersion "2.66"
#define Module_HelpVersion "2.66 (31 Aug 2020)"
#define Module_LibraryVersionInfo "2:66"
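Review bot: nothing to review in this file beyond consistency, since its own header says it is maintained by srccommit; the bump to 2.66 / 31 Aug 2020 across Module_Version, Module_FullVersion, Module_HelpVersion and Module_LibraryVersionInfo matches the 'OmniLanManFS-2_66' tag named in the commit message.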
......@@ -2582,6 +2582,16 @@ err_t SMB_GetLength ( int FH, uint *pOutLen )
/* ---------------- */
/* The maximum read length is bound by MAX_RX_BLOCK_SIZE which dictates
* the largest SMB *MESSAGE* we can receive - we need to remove the SMB
* header and response overheads.
*
* SMBHDR is the SMB header and the first byte of the parameter block
* (pair count). The parameter block has 5 shorts (10 bytes) in it.
* 2 bytes for the data block length encoding. 3 bytes for the data block
* header.
*/
#define MAX_RECV_SIZE (MAX_RX_BLOCK_SIZE - SMBHDR_SIZE - 10 - 2 - 3)
err_t SMB_Read ( int FH, uint offset, uint len, BYTE *where,
uint *pOutLen )
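Review bot: the overhead in MAX_RECV_SIZE is written as bare literals (10, 2, 3) while the comment above explains each one; naming them (the 5-word parameter block of the READ response, the 2-byte ByteCount, the 3-byte data block header) or at least annotating each term inline would keep the arithmetic from drifting away from the comment the next time SMB_COM_READ's layout is touched. The derivation itself agrees with the comment: SMBHDR_SIZE covers the header plus the WordCount byte, five shorts are 10 bytes, ByteCount is 2 bytes and the data block header is 3 bytes. A compile-time check that MAX_RX_BLOCK_SIZE exceeds the subtracted overhead would also catch a future shrink of the buffer turning MAX_RECV_SIZE negative.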
......@@ -2603,7 +2613,7 @@ err_t SMB_Read ( int FH, uint offset, uint len, BYTE *where,
if ( hS->hServer->ProtFlags & PROT_READRAW )
{
while ( len_left > MAX_RX_BLOCK_SIZE )
while ( len_left > MAX_RECV_SIZE )
{
n_read = SMB_ReadRaw ( hS, fid, offset, len_left, where );
if ( n_read == 0 ) /* Didn't work? Find out why */
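Review bot: the loop threshold for the read-raw path now uses MAX_RECV_SIZE, but the visible call still passes the uncapped len_left to SMB_ReadRaw, so any per-request cap must live inside SMB_ReadRaw; worth confirming it applies the same limit, because as this hunk stands the change only alters when the loop hands over to the plain-read path below, not how much is requested per raw read.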
......@@ -2620,7 +2630,7 @@ err_t SMB_Read ( int FH, uint offset, uint len, BYTE *where,
while ( len_left > 0 )
{
SMB_TxWords[0] = fid;
SMB_TxWords[1] = min(len_left, MAX_RX_BLOCK_SIZE);
SMB_TxWords[1] = min(len_left, MAX_RECV_SIZE);
SMB_TxWords[2] = offset & 0xFFFF;
SMB_TxWords[3] = (offset >> 16 );
SMB_TxWords[4] = (len_left);
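Review bot: SMB_TxWords[1] (the count to read) is now capped to MAX_RECV_SIZE while SMB_TxWords[4] still carries the uncapped len_left; that word is the advisory remaining-bytes estimate in SMB_COM_READ per the MS-CIFS section cited in the commit message, so there is no functional problem, but a one-line comment explaining why words 1 and 4 deliberately differ (and that len_left above 0xFFFF simply truncates in the 16-bit hint) would stop someone "fixing" it later.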
......@@ -2649,7 +2659,7 @@ err_t SMB_Read ( int FH, uint offset, uint len, BYTE *where,
FreeChain(pB_res);
if ( n_read < MAX_RX_BLOCK_SIZE ) /* Reached end of file */
if ( n_read < MAX_RECV_SIZE ) /* Reached end of file */
break;
}
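Review bot: the end-of-file test `if ( n_read < MAX_RECV_SIZE )` compares against the constant rather than the count actually requested (SMB_TxWords[1] = min(len_left, MAX_RECV_SIZE)); with the overhead now accounted for the two agree for every chunk but the last, but any short response from the server is still silently treated as EOF, which is exactly how the original bug surfaced as truncated reads. Comparing n_read with the requested count, and treating a short read while len_left is still non-zero as an error or a retry rather than as end of file, would make the loop robust against the next server that trims a response to fit its own limits.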