samba - Sep 2003 - Problem with Win95 + DFS clients (fwd)

Hi,

I've found a problem with samba when printing from a client running win95 
+ DFS. The print fails with a segmentation fault. The problem is that 
Win95 does not return the proper file_fsp( smb_vwv0) when doing an IOCTL 
request.This causes the file_fsp call in reply_ioctl (smbd/reply.c)  to 
fail cause a segmentation fault.

I do not understand how samba work, but here is my working patch for this. I 
just copied the fid from the last open_And_X call and write it into inbuf 
if the file_fsp is different.

Attached here is the diff. The patch is only on 
/smbd/reply.c  

Thank you.
 
Iskantharajah T

-------------- next part --------------
--- ./reply.c	Mon Apr  7 09:54:00 2003
+++ reply.c.new	Fri Sep  5 19:38:51 2003
@@ -45,6 +45,10 @@
  Report a possible attack via the password buffer overflow bug.
 ****************************************************************************/
 
+/*iskantha Problem with win95 + DFS*/
+static int hack_fid;
+
+
 static void overflow_attack(int len)
 {
 	if( DEBUGLVL( 0 ) ) {
@@ -429,8 +433,26 @@
 	uint32 ioctl_code = (device << 16) + function;
 	int replysize, outsize;
 	char *p;
+	int temp = 0;
 	files_struct *fsp = file_fsp(inbuf,smb_vwv0);
-	START_PROFILE(SMBioctl);
+        int fid = SVAL(inbuf,smb_vwv0);
+
+        DEBUG ( 4, ( " smbvwv0 before = %i ( 0x%x )\n", fid, fid));
+	/* hack for Win95 + dfs . Does not give proper value of fid in request 
+            Value taken from last open_and_X */
+        if ( fid != hack_fid ) { 
+		SSVAL(inbuf, smb_vwv0, hack_fid );
+		fsp = file_fsp(inbuf,smb_vwv0);
+		};
+ 	fid = SVAL(inbuf,smb_vwv0);
+	DEBUG ( 4, ( " smbvwv0 after = %i ( 0x%x )\n", fid, fid));
+ 
+       /* iskantha - hack fid */
+        if ( fsp == NULL ) {
+		DEBUG( 0, ("FSP still null"));
+		};
+
+        START_PROFILE(SMBioctl);
 
 	DEBUG(4, ("Received IOCTL (code 0x%x)\n", ioctl_code));
 
@@ -453,7 +475,10 @@
 	switch (ioctl_code)
 	{
 	    case IOCTL_QUERY_JOB_INFO:		    
-		SSVAL(p,0,fsp->print_jobid);             /* Job number */
+	        if ( fsp != NULL ) 
+		    SSVAL(p,0,fsp->print_jobid);             /* Job number */
+		else
+		    SSVAL(p,0,temp); 
 		StrnCpy(p+2, global_myname, 15);         /* Our NetBIOS name */
 		StrnCpy(p+18, lp_servicename(SNUM(conn)), 13); /* Service name */
 		break;
@@ -1782,6 +1807,11 @@
   SSVAL(outbuf,smb_vwv11,smb_action);
 
   END_PROFILE(SMBopenX);
+  /* iskantha : attach hack_fid to last fnum */
+  hack_fid = fsp->fnum;
+  DEBUG(4,("open_and_X connect: FID = %d ( %x ) hack_fid = %d \n",
+			 fsp->fnum, fsp->fnum , hack_fid ));      
+
   return chain_reply(inbuf,outbuf,length,bufsize);
 }

On Fri, Sep 05, 2003 at 08:14:26PM +0800, is@tracetec.com.my
wrote:
> Hi,
> 
> I've found a problem with samba when printing from a client running
win95
> + DFS. The print fails with a segmentation fault. The problem is that 
> Win95 does not return the proper file_fsp( smb_vwv0) when doing an IOCTL 
> request.This causes the file_fsp call in reply_ioctl (smbd/reply.c)  to 
> fail cause a segmentation fault.
> 
> I do not understand how samba work, but here is my working patch for this.
I
> just copied the fid from the last open_And_X call and write it into inbuf 
> if the file_fsp is different.
Thanks a lot for this. I've committed a patch that rejects the call
rather than core dumping. I'm considering your patch to save the old
fnum and re-use it - I'm not sure that's correct in this case.

Thanks for the fix though !

Jeremy.