NEX-4878 CIFS assertion failed on common/fs/smbsrv/smb_sd.c, line: 57
Reviewed by: Rick McNeal <rick.mcneal@nexenta.com>
Reviewed by: Yuri Pankov <yuri.pankov@nexenta.com>
NEX-1635 Codenomicon: SMB2 TC: 157974 Panic in smb2_create/smb_decode_sd
SMB-11 SMB2 message parse & dispatch
SMB-12 SMB2 Negotiate Protocol
SMB-13 SMB2 Session Setup
SMB-14 SMB2 Logoff
SMB-15 SMB2 Tree Connect
SMB-16 SMB2 Tree Disconnect
SMB-17 SMB2 Create
SMB-18 SMB2 Close
SMB-19 SMB2 Flush
SMB-20 SMB2 Read
SMB-21 SMB2 Write
SMB-22 SMB2 Lock/Unlock
SMB-23 SMB2 Ioctl
SMB-24 SMB2 Cancel
SMB-25 SMB2 Echo
SMB-26 SMB2 Query Dir
SMB-27 SMB2 Change Notify
SMB-28 SMB2 Query Info
SMB-29 SMB2 Set Info
SMB-30 SMB2 Oplocks
SMB-53 SMB2 Create Context options
(SMB2 code review cleanup 1, 2, 3)
        
*** 19,29 ****
   * CDDL HEADER END
   */
  
  /*
   * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
!  * Copyright 2014 Nexenta Systems, Inc.  All rights reserved.
   */
  
  #include <smbsrv/smb_kproto.h>
  
  static void smb_encode_sacl(mbuf_chain_t *, smb_acl_t *);
--- 19,29 ----
   * CDDL HEADER END
   */
  
  /*
   * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
!  * Copyright 2016 Nexenta Systems, Inc.  All rights reserved.
   */
  
  #include <smbsrv/smb_kproto.h>
  
  static void smb_encode_sacl(mbuf_chain_t *, smb_acl_t *);
*** 369,391 ****
          struct mbuf_chain sdbuf;
          uint32_t owner_offs;
          uint32_t group_offs;
          uint32_t sacl_offs;
          uint32_t dacl_offs;
  
          smb_sd_init(sd, SECURITY_DESCRIPTOR_REVISION);
  
          (void) MBC_SHADOW_CHAIN(&sdbuf, mbc,
              mbc->chain_offset,
              mbc->max_bytes - mbc->chain_offset);
  
!         if (smb_mbc_decodef(&sdbuf, "b.wllll",
              &sd->sd_revision, &sd->sd_control,
!             &owner_offs, &group_offs, &sacl_offs, &dacl_offs))
!                 goto decode_error;
  
          sd->sd_control &= ~SE_SELF_RELATIVE;
  
          if (owner_offs != 0) {
                  if (owner_offs < SMB_SD_HDRSIZE)
                          goto decode_error;
  
--- 369,394 ----
          struct mbuf_chain sdbuf;
          uint32_t owner_offs;
          uint32_t group_offs;
          uint32_t sacl_offs;
          uint32_t dacl_offs;
+         int rc;
  
          smb_sd_init(sd, SECURITY_DESCRIPTOR_REVISION);
  
          (void) MBC_SHADOW_CHAIN(&sdbuf, mbc,
              mbc->chain_offset,
              mbc->max_bytes - mbc->chain_offset);
  
!         rc = smb_mbc_decodef(&sdbuf, "b.wllll",
              &sd->sd_revision, &sd->sd_control,
!             &owner_offs, &group_offs, &sacl_offs, &dacl_offs);
  
+         /* Prevent disallowed flags in smb_sd_term. */
          sd->sd_control &= ~SE_SELF_RELATIVE;
+         if (rc != 0)
+                 goto decode_error;
  
          if (owner_offs != 0) {
                  if (owner_offs < SMB_SD_HDRSIZE)
                          goto decode_error;
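Review bot: The new comment `/* Prevent disallowed flags in smb_sd_term. */` does not explain why the mask must now run before the `rc` check, which is the substance of the fix. `sd_control` is filled from the client-supplied descriptor, so a decode that fails (presumably after the control word has been read) can still leave SE_SELF_RELATIVE set when the error path runs. I would spell that out so a later cleanup does not fold the check back into the call: `/* sd_control comes from the wire and may be set even if decode fails; clear SE_SELF_RELATIVE before any goto decode_error so smb_sd_term does not trip its assertion. */`. The `decode_error` label and the rest of the function lie outside this hunk, so that the error path reaches smb_sd_term is inferred from the comment and the commit title.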