Re: [Samba] Problem with Win95 + DFS clients (fwd)

2003-09-08 Thread Jeremy Allison
On Fri, Sep 05, 2003 at 08:14:26PM +0800, [EMAIL PROTECTED] wrote:
> Hi,
>
> I've found a problem with samba when printing from a client running win95
> + DFS. The print fails with a segmentation fault. The problem is that
> Win95 does not return the proper file_fsp( smb_vwv0) when doing an IOCTL
> request. This causes the file_fsp call in reply_ioctl (smbd/reply.c) to
> fail, causing a segmentation fault.
>
> I do not understand how samba works, but here is my working patch for this. I
> just copied the fid from the last open_And_X call and write it into inbuf
> if the file_fsp is different.

Thanks a lot for this. I've committed a patch that rejects the call
rather than core dumping. I'm considering your patch to save the old
fnum and re-use it - I'm not sure that's correct in this case.

Thanks for the fix though!

Jeremy.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba
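
The two options weighed in the reply above (reject the call, or re-use the saved fnum), modelled as an added example that is not Samba code and not part of either message. The table, the function names and the fid and job values are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed model, not Samba code: a tiny open-file table keyed by fid. */
#define MAX_FILES 4
#define ERR_BAD_FID (-1)

struct open_file { int in_use; uint16_t fnum; int print_jobid; };

static struct open_file files[MAX_FILES];
static uint16_t last_opened_fid;   /* plays the role of the patch's hack_fid */

/* Stand-in for file_fsp(): NULL when the fid names no open file. */
static struct open_file *lookup_fid(uint16_t fnum)
{
    for (size_t i = 0; i < MAX_FILES; i++)
        if (files[i].in_use && files[i].fnum == fnum)
            return &files[i];
    return NULL;
}

static void open_file_model(size_t slot, uint16_t fnum, int jobid)
{
    files[slot] = (struct open_file){ 1, fnum, jobid };
    last_opened_fid = fnum;
}

static void close_file_model(size_t slot) { files[slot].in_use = 0; }

/* Reject approach: an unknown fid is an error, nothing is dereferenced. */
int query_job_reject(uint16_t client_fid, int *jobid)
{
    struct open_file *f = lookup_fid(client_fid);
    if (f == NULL)
        return ERR_BAD_FID;
    *jobid = f->print_jobid;
    return 0;
}

/* Substitute approach: any fid that differs from the last open is replaced. */
int query_job_substitute(uint16_t client_fid, int *jobid)
{
    if (client_fid != last_opened_fid)
        client_fid = last_opened_fid;
    struct open_file *f = lookup_fid(client_fid);
    if (f == NULL)               /* still needed: the last open may be closed */
        return ERR_BAD_FID;
    *jobid = f->print_jobid;
    return 0;
}
```

With two files open, the substitute variant answers a query for the older, still valid fid with the newer file's job id, and it fails outright once the newer file is closed.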


[Samba] Problem with Win95 + DFS clients (fwd)

2003-09-05 Thread is
Hi,

I've found a problem with samba when printing from a client running win95 
+ DFS. The print fails with a segmentation fault. The problem is that 
Win95 does not return the proper file_fsp( smb_vwv0) when doing an IOCTL 
request. This causes the file_fsp call in reply_ioctl (smbd/reply.c) to 
fail, causing a segmentation fault.

I do not understand how samba works, but here is my working patch for this. I 
just copied the fid from the last open_And_X call and write it into inbuf 
if the file_fsp is different.

Attached here is the diff. The patch is only on 
/smbd/reply.c  

Thank you.
 
Iskantharajah T

--- ./reply.c   Mon Apr  7 09:54:00 2003
+++ reply.c.new Fri Sep  5 19:38:51 2003
@@ -45,6 +45,10 @@
  Report a possible attack via the password buffer overflow bug.
 /
 
+/*iskantha Problem with win95 + DFS*/
+static int hack_fid;
+
+
 static void overflow_attack(int len)
 {
if( DEBUGLVL( 0 ) ) {
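Review bot: the new file-scope "static int hack_fid;" is later treated as the client's fid, yet nothing ties it to a particular connection, tree or print file, and it reads as 0 until the first open_and_X completes. If a remembered fid is wanted at all, it should live with the per-connection state and have an explicit "not set" value. The comment above it should also say what the Win95 client actually sends and why the stored value can be trusted in its place.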
@@ -429,8 +433,26 @@
uint32 ioctl_code = (device  16) + function;
int replysize, outsize;
char *p;
+   int temp = 0;
files_struct *fsp = file_fsp(inbuf,smb_vwv0);
-   START_PROFILE(SMBioctl);
+int fid = SVAL(inbuf,smb_vwv0);
+
+DEBUG ( 4, (  smbvwv0 before = %i ( 0x%x )\n, fid, fid));
+   /* hack for Win95 + dfs . Does not give proper value of fid in request 
+Value taken from last open_and_X */
+if ( fid != hack_fid ) { 
+   SSVAL(inbuf, smb_vwv0, hack_fid );
+   fsp = file_fsp(inbuf,smb_vwv0);
+   };
+   fid = SVAL(inbuf,smb_vwv0);
+   DEBUG ( 4, (  smbvwv0 after = %i ( 0x%x )\n, fid, fid));
+ 
+   /* iskantha - hack fid */
+if ( fsp == NULL ) {
+   DEBUG( 0, (FSP still null));
+   };
+
+START_PROFILE(SMBioctl);
 
DEBUG(4, (Received IOCTL (code 0x%x)\n, ioctl_code));
 
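Review bot: the test "if ( fid != hack_fid )" in reply_ioctl rewrites smb_vwv0 whenever the client's fid differs from the last open_and_X, even when the first file_fsp(inbuf,smb_vwv0) lookup already returned a valid fsp, so an IOCTL on any other open file is silently redirected to the most recently opened one. Consider a fallback only when that first lookup returns NULL. In the "fsp == NULL" branch, return an error instead of only logging "FSP still null", because execution otherwise carries on into the switch with a NULL fsp.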
@@ -453,7 +475,10 @@
switch (ioctl_code)
{
case IOCTL_QUERY_JOB_INFO:  
-   SSVAL(p,0,fsp-print_jobid); /* Job number */
+   if ( fsp != NULL ) 
+   SSVAL(p,0,fsp-print_jobid); /* Job number */
+   else
+   SSVAL(p,0,temp); 
StrnCpy(p+2, global_myname, 15); /* Our NetBIOS name */
StrnCpy(p+18, lp_servicename(SNUM(conn)), 13); /* Service name */
break;
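Review bot: in the IOCTL_QUERY_JOB_INFO case the else branch answers with job number 0 (temp is never assigned anything else) and the reply still goes out as a success, so the client receives made-up job information for a fid the server could not resolve. Rejecting the request with a bad-fid error before the switch would remove the need for both this branch and the temp variable. If the guard stays, it needs braces and a comment explaining why 0 is a safe value to return.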
@@ -1782,6 +1807,11 @@
   SSVAL(outbuf,smb_vwv11,smb_action);
 
   END_PROFILE(SMBopenX);
+  /* iskantha : attach hack_fid to last fnum */
+  hack_fid = fsp-fnum;
+  DEBUG(4,(open_and_X connect: FID = %d ( %x ) hack_fid = %d \n,
+fsp-fnum, fsp-fnum , hack_fid ));  
+
   return chain_reply(inbuf,outbuf,length,bufsize);
 }
 
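Review bot: the assignment to hack_fid after END_PROFILE(SMBopenX) runs on every successful open_and_X, for any kind of file, and nothing visible in the patch clears it when that file is closed, so the IOCTL path can later substitute a fid that is stale or that belongs to a non-print file. Record it only for print opens and reset it on close. The DEBUG line prints the same value three times and could be reduced to one.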