From: Jeremy Allison <jra@samba.org>
Date: Mon, 13 Jun 2016 16:30:25 +0000 (-0700)
Subject: s3: smbd: In reply_read_and_X() SMB1 server is overwriting part of the 'reserved... 
X-Git-Tag: samba-4.3.12~131
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=13053f38fbbcbcb8fcb4e6779ccbc43f4906f0d8;p=thirdparty%2Fsamba.git

s3: smbd: In reply_read_and_X() SMB1 server is overwriting part of the 'reserved' zero fields with reply data length.

This occurred due to old code that used to do:

SSVAL(smb_buf(req->outbuf),-2,nread);

to set the reply length. This code was not needed,
as srv_set_message() was already correctly setting
the bcc length and was probably left from much
earlier legacy code.

However, in commit ddaa65ef6e049a185281c4d5deca4045e3b085e2
this was converted to do:

SSVAL(req->outbuf,smb_vwv11,smb_maxcnt);

This code actually overwrites the last 'reserved'
field in the SMB_COM_READ_ANDX packet reply, but we
never noticed as no client (or server code) looks at or
checks vwv11 in a SMB_COM_READ_ANDX reply.

[MS-SMB] shows for SMB_COM_READ_ANDX reply:

SMB_Parameters
{
        UCHAR WordCount;
        Words
        {
                UCHAR AndXCommand;
                UCHAR AndXReserved;
                USHORT AndXOffset;
                USHORT Available;
                USHORT DataCompactionMode;
                USHORT Reserved1;
                USHORT DataLength;
                USHORT DataOffset;
                USHORT DataLengthHigh;
                USHORT Reserved2[4];
        }
}
SMB_Data
{
        USHORT ByteCount;
        Bytes
        {
                UCHAR Pad[] (optional);
                UCHAR Data[variable];
        }

and indeed checking wireshark from Win2012R2
we find that smbd is writing the returned
read length into smb_vwv11 and Windows leaves
it as zeros (reserved).

Also fix the same problem in the named pipes code.

Torture test to ensure Reserved2[4] replies
are zero to follow.

https://bugzilla.samba.org/show_bug.cgi?id=11845

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit e57f9e15d08ed46b2fac2562d1027c6a2ba80dac)
---

diff --git a/source3/smbd/pipes.c b/source3/smbd/pipes.c
index 455dbf0cf49..60c9ccbe89c 100644
--- a/source3/smbd/pipes.c
+++ b/source3/smbd/pipes.c
@@ -492,7 +492,6 @@ static void pipe_read_andx_done(struct tevent_req *subreq)
 	      + 12 * sizeof(uint16_t) /* vwv */
 	      + 2		/* the buflen field */
 	      + 1);		/* padding byte */
-	SSVAL(req->outbuf,smb_vwv11,state->smb_maxcnt);
 
 	DEBUG(3,("readX-IPC min=%d max=%d nread=%d\n",
 		 state->smb_mincnt, state->smb_maxcnt, (int)nread));
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index e124a5072ba..a913511f9f4 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -3776,7 +3776,6 @@ int setup_readX_header(char *outbuf, size_t smb_maxcnt)
 	      + 2		/* the buflen field */
 	      + 1);		/* padding byte */
 	SSVAL(outbuf,smb_vwv7,(smb_maxcnt >> 16));
-	SSVAL(outbuf,smb_vwv11,smb_maxcnt);
 	SCVAL(smb_buf(outbuf), 0, 0); /* padding byte */
 	/* Reset the outgoing length, set_message truncates at 0x1FFFF. */
 	_smb_setlen_large(outbuf,