libcli/smb: allow unexpected padding in SMB2 READ responses
authorStefan Metzmacher <metze@samba.org>
Tue, 29 Jun 2021 13:42:56 +0000 (15:42 +0200)
committerKarolin Seeger <kseeger@samba.org>
Mon, 19 Jul 2021 06:18:12 +0000 (06:18 +0000)
Make use of smb2cli_parse_dyn_buffer() in smb2cli_read_done(),
as it was introduced exactly for a similar problem; see:

    commit 4c6c71e1378401d66bf2ed230544a75f7b04376f
    Author:     Stefan Metzmacher <metze@samba.org>
    AuthorDate: Thu Jan 14 17:32:15 2021 +0100
    Commit:     Volker Lendecke <vl@samba.org>
    CommitDate: Fri Jan 15 08:36:34 2021 +0000

        libcli/smb: allow unexpected padding in SMB2 IOCTL responses

        A NetApp Ontap 7.3.7 SMB server add 8 padding bytes to an
        offset that's already 8 byte aligned.

        RN: Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7
        BUG: https://bugzilla.samba.org/show_bug.cgi?id=14607

        Pair-Programmed-With: Volker Lendecke <vl@samba.org>

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Volker Lendecke <vl@samba.org>
        Autobuild-User(master): Volker Lendecke <vl@samba.org>
        Autobuild-Date(master): Fri Jan 15 08:36:34 UTC 2021 on sn-devel-184

RN: Work around special SMB2 READ response behavior of NetApp Ontap 7.3.7
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14607

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jul 15 23:53:55 UTC 2021 on sn-devel-184

(cherry picked from commit 155348cda65b441a6c4db1ed84dbf1682d02973c)

libcli/smb/smb2cli_read.c
selftest/knownfail.d/smb2-read-bug14607 [deleted file]

index 8110b65d432259b0e50d6799ef4ddedebb9c4628..c7f48741b8751d6df3a413fcb39e36df30957682 100644 (file)
@@ -90,8 +90,13 @@ static void smb2cli_read_done(struct tevent_req *subreq)
                tevent_req_data(req,
                struct smb2cli_read_state);
        NTSTATUS status;
+       NTSTATUS error;
        struct iovec *iov;
+       const uint8_t dyn_ofs = SMB2_HDR_BODY + 0x10;
+       DATA_BLOB dyn_buffer = data_blob_null;
        uint8_t data_offset;
+       DATA_BLOB data_buffer = data_blob_null;
+       uint32_t next_offset = 0; /* this variable is completely ignored */
        static const struct smb2cli_req_expected_response expected[] = {
        {
                .status = STATUS_BUFFER_OVERFLOW,
@@ -117,14 +122,23 @@ static void smb2cli_read_done(struct tevent_req *subreq)
        data_offset = CVAL(iov[1].iov_base, 2);
        state->data_length = IVAL(iov[1].iov_base, 4);
 
-       if ((data_offset != SMB2_HDR_BODY + 16) ||
-           (state->data_length > iov[2].iov_len)) {
-               tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
+       dyn_buffer = data_blob_const((uint8_t *)iov[2].iov_base,
+                                    iov[2].iov_len);
+
+       error = smb2cli_parse_dyn_buffer(dyn_ofs,
+                                        dyn_buffer,
+                                        dyn_ofs, /* min_offset */
+                                        data_offset,
+                                        state->data_length,
+                                        dyn_buffer.length, /* max_length */
+                                        &next_offset,
+                                        &data_buffer);
+       if (tevent_req_nterror(req, error)) {
                return;
        }
 
        state->recv_iov = iov;
-       state->data = (uint8_t *)iov[2].iov_base;
+       state->data = data_buffer.data;
 
        state->out_valid = true;
 
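Review bot: After the parse, `state->data` is taken from the validated `data_buffer`, but `state->data_length` still holds the raw DataLength field read from the server response before any validation. smb2cli_parse_dyn_buffer() is not visible in this hunk; if it can return NT_STATUS_OK while leaving `data_buffer` empty (for instance by treating a zero offset as "no buffer"), the state would pair a NULL pointer with a non-zero length, a response the removed strict `data_offset` comparison used to reject. Deriving the length from the parsed blob, `state->data_length = data_buffer.length;` right after the `tevent_req_nterror()` check, would keep pointer and length consistent for whatever reads the state later. smb2cli_read_done() begins and ends outside this hunk.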
diff --git a/selftest/knownfail.d/smb2-read-bug14607 b/selftest/knownfail.d/smb2-read-bug14607
deleted file mode 100644 (file)
index 05b8adf..0000000
+++ /dev/null
@@ -1 +0,0 @@
-samba3.smb2.read.bug14607