Hi,
I've found a problem with samba when printing from a client running Win95
+ DFS. The print fails with a segmentation fault. The problem is that
Win95 does not return the proper file_fsp( smb_vwv0) when doing an IOCTL
request. This causes the file_fsp call in reply_ioctl (smbd/reply.c) to
fail, causing a segmentation fault.
I do not understand how samba works, but here is my working patch for this. I
just copied the fid from the last open_And_X call and wrote it into inbuf
if the file_fsp is different.
Attached here is the diff. The patch only touches
/smbd/reply.c
Thank you.
Iskantharajah T
--- ./reply.c Mon Apr 7 09:54:00 2003
+++ reply.c.new Fri Sep 5 19:38:51 2003
@@ -45,6 +45,10 @@
Report a possible attack via the password buffer overflow bug.
****************************************************************************/
+/*iskantha Problem with win95 + DFS*/
+static int hack_fid;
+
+
static void overflow_attack(int len)
{
if( DEBUGLVL( 0 ) ) {
@@ -429,8 +433,26 @@
uint32 ioctl_code = (device << 16) + function;
int replysize, outsize;
char *p;
+ int temp = 0;
files_struct *fsp = file_fsp(inbuf,smb_vwv0);
- START_PROFILE(SMBioctl);
+ int fid = SVAL(inbuf,smb_vwv0);
+
+ DEBUG ( 4, ( " smbvwv0 before = %i ( 0x%x )\n", fid, fid));
+ /* hack for Win95 + dfs . Does not give proper value of fid in request
+ Value taken from last open_and_X */
+ if ( fid != hack_fid ) {
+ SSVAL(inbuf, smb_vwv0, hack_fid );
+ fsp = file_fsp(inbuf,smb_vwv0);
+ };
+ fid = SVAL(inbuf,smb_vwv0);
+ DEBUG ( 4, ( " smbvwv0 after = %i ( 0x%x )\n", fid, fid));
+
+ /* iskantha - hack fid */
+ if ( fsp == NULL ) {
+ DEBUG( 0, ("FSP still null"));
+ };
+
+ START_PROFILE(SMBioctl);
DEBUG(4, ("Received IOCTL (code 0x%x)\n", ioctl_code));
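Review bot: The block starting at `if ( fid != hack_fid )` overwrites the fid the client actually sent with the fnum of the most recent OpenAndX handled by this process, so any IOCTL whose fid differs from the last open — including a valid fid from an earlier open in the same session — is silently redirected to a different file handle, and nothing in the patch clears `hack_fid` when that file is later closed (the assignment is in the last hunk), so a stale or recycled fnum can be substituted. The condition worth guarding is a NULL fsp, not a mismatched number: check `fsp == NULL` right after the `file_fsp` lookup and return a bad-fid error (ERRbadfid, via whichever error macro the other handlers in this file use) before the switch, which makes the file-scope `hack_fid` from the first hunk and the rewrite of inbuf unnecessary. Minor points: the `;` after the `}` of both added `if` blocks is an empty statement, and `DEBUG( 0, ("FSP still null"))` lacks a trailing `\n`. reply_ioctl begins and ends outside this hunk.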
@@ -453,7 +475,10 @@
switch (ioctl_code)
{
case IOCTL_QUERY_JOB_INFO:
- SSVAL(p,0,fsp->print_jobid); /* Job number */
+ if ( fsp != NULL )
+ SSVAL(p,0,fsp->print_jobid); /* Job number */
+ else
+ SSVAL(p,0,temp);
StrnCpy(p+2, global_myname, 15); /* Our NetBIOS name */
StrnCpy(p+18, lp_servicename(SNUM(conn)), 13); /* Service name */
break;
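Review bot: The new `else` branch writes `temp`, which is declared in the previous hunk as `int temp = 0;` and never assigned, so a NULL fsp makes the server report a fabricated job number 0 to the client instead of an error. If a NULL fsp can reach this case, the branch should return a bad-fid error rather than populate the reply, e.g. replace the `else` with `if ( fsp == NULL ) return bad-fid error;` ahead of the `SSVAL`, and drop `temp`. The enclosing switch and function continue outside the hunk.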
@@ -1782,6 +1807,11 @@
SSVAL(outbuf,smb_vwv11,smb_action);
END_PROFILE(SMBopenX);
+ /* iskantha : attach hack_fid to last fnum */
+ hack_fid = fsp->fnum;
+ DEBUG(4,("open_and_X connect: FID = %d ( %x ) hack_fid = %d \n",
+ fsp->fnum, fsp->fnum , hack_fid ));
+
return chain_reply(inbuf,outbuf,length,bufsize);
}