11023 SMB server min_protocol setting

Reviewed by: Gordon Ross <gordon.ross@nexenta.com> Reviewed by: Evan Layton <evan.layton@nexenta.com> Approved by: Garrett D'Amore <garrett@damore.org>
author: Matt Barden <matt.barden@nexenta.com> 2017-04-18 08:42:45 -0400
committer: Gordon Ross <gwr@nexenta.com> 2019-08-10 10:04:10 -0400
commit: 3e2c0c0978d26f8b8020b49760008c6bb6e59221 (patch)
tree: 248bc80c9af58bb9dcdfaf775cffadfa78e6e3d5 /usr/src/uts/common/fs
parent: 11eb14c0b4910a2d5a319fe0b5bf5c633fbfbfa6 (diff)
download: illumos-gate-3e2c0c0978d26f8b8020b49760008c6bb6e59221.tar.gz
3 files changed, 33 insertions, 7 deletions
diff --git a/usr/src/uts/common/fs/smbsrv/smb2_negotiate.c b/usr/src/uts/common/fs/smbsrv/smb2_negotiate.c
index c534ebe7fb..cbdd5f9fb5 100644
--- a/usr/src/uts/common/fs/smbsrv/smb2_negotiate.c
+++ b/usr/src/uts/common/fs/smbsrv/smb2_negotiate.c
@@ -63,8 +63,8 @@ uint32_t smb2_old_rwsize = (1<<16);	/* 64KB */
 
 /*
  * List of all SMB2 versions we implement.  Note that the
- * highest version we support may be limited by the
- * _cfg.skc_max_protocol setting.
+ * versions we support may be limited by the
+ * _cfg.skc_max_protocol and min_protocol settings.
  */
 static uint16_t smb2_versions[] = {
 	0x202,	/* SMB 2.002 */
@@ -79,7 +79,8 @@ smb2_supported_version(smb_session_t *s, uint16_t version)
 {
 	int i;
 
-	if (version > s->s_cfg.skc_max_protocol)
+	if (version > s->s_cfg.skc_max_protocol ||
+	    version < s->s_cfg.skc_min_protocol)
 		return (B_FALSE);
 	for (i = 0; i < smb2_nversions; i++)
 		if (version == smb2_versions[i])
@@ -119,7 +120,7 @@ smb1_negotiate_smb2(smb_request_t *sr)
 	 */
 	switch (negprot->ni_dialect) {
 	case DIALECT_SMB2002:	/* SMB 2.002 (a.k.a. SMB2.0) */
-		smb2_version = 0x202;
+		smb2_version = SMB_VERS_2_002;
 		s->dialect = smb2_version;
 		s->s_state = SMB_SESSION_STATE_NEGOTIATED;
 		/* Allow normal SMB2 requests now. */
@@ -254,8 +255,13 @@ smb2_newrq_negotiate(smb_request_t *sr)
 	 * We walk the array and pick the highest supported.
 	 */
 	best_version = smb2_find_best_dialect(s, cl_versions, version_cnt);
-	if (best_version == 0)
-		return (SDRC_DROP_VC);
+	if (best_version == 0) {
+		cmn_err(CE_NOTE, "clnt %s no supported dialect",
+		    sr->session->ip_addr_str);
+		sr->smb2_status = NT_STATUS_INVALID_PARAMETER;
+		rc = -1;
+		goto errout;
+	}
 	s->dialect = best_version;
 
 	/* Allow normal SMB2 requests now. */
@@ -264,6 +270,7 @@ smb2_newrq_negotiate(smb_request_t *sr)
 
 	rc = smb2_negotiate_common(sr, best_version);
 
+errout:
 	/* sr->smb2_status was set */
 	DTRACE_SMB2_DONE(op__Negotiate, smb_request_t *, sr);
 
diff --git a/usr/src/uts/common/fs/smbsrv/smb_negotiate.c b/usr/src/uts/common/fs/smbsrv/smb_negotiate.c
index 265bc227e3..7de84e5f05 100644
--- a/usr/src/uts/common/fs/smbsrv/smb_negotiate.c
+++ b/usr/src/uts/common/fs/smbsrv/smb_negotiate.c
@@ -379,6 +379,17 @@ smb_pre_negotiate(smb_request_t *sr)
 		    skc->skc_max_protocol < SMB_VERS_2_BASE)
 			continue;
 
+		/*
+		 * We may not support SMB1; skip those dialects if true.
+		 */
+		if (dialect < DIALECT_SMB2002 &&
+		    skc->skc_min_protocol > SMB_VERS_1)
+			continue;
+
+		if (dialect == DIALECT_SMB2002 &&
+		    skc->skc_min_protocol > SMB_VERS_2_002)
+			continue;
+
 		if (negprot->ni_dialect < dialect) {
 			negprot->ni_dialect = dialect;
 			negprot->ni_index = pos;
@@ -419,6 +430,13 @@ smb_com_negotiate(smb_request_t *sr)
 		return (SDRC_ERROR);
 	}
 
+	if (negprot->ni_index < 0) {
+		cmn_err(CE_NOTE, "clnt %s no supported dialect",
+		    sr->session->ip_addr_str);
+		smbsr_error(sr, 0, ERRSRV, ERRerror);
+		return (SDRC_DROP_VC);
+	}
+
 	/*
 	 * Special case for negotiating SMB2 from SMB1.  The client
 	 * includes the  "SMB 2..." dialects in the SMB1 negotiate,
diff --git a/usr/src/uts/common/fs/smbsrv/smb_server.c b/usr/src/uts/common/fs/smbsrv/smb_server.c
index a0ed95d595..0291cacc1c 100644
--- a/usr/src/uts/common/fs/smbsrv/smb_server.c
+++ b/usr/src/uts/common/fs/smbsrv/smb_server.c
@@ -20,7 +20,7 @@
  */
 /*
  * Copyright (c) 2008, 2010, Oracle and/or its affiliates. All rights reserved.
- * Copyright 2016 Nexenta Systems, Inc.  All rights reserved.
+ * Copyright 2017 Nexenta Systems, Inc.  All rights reserved.
  * Copyright (c) 2017 by Delphix. All rights reserved.
  */
 
@@ -2051,6 +2051,7 @@ smb_server_store_cfg(smb_server_t *sv, smb_ioc_cfg_t *ioc)
 	sv->sv_cfg.skc_print_enable = ioc->print_enable;
 	sv->sv_cfg.skc_traverse_mounts = ioc->traverse_mounts;
 	sv->sv_cfg.skc_max_protocol = ioc->max_protocol;
+	sv->sv_cfg.skc_min_protocol = ioc->min_protocol;
 	sv->sv_cfg.skc_encrypt = ioc->encrypt;
 	sv->sv_cfg.skc_execflags = ioc->exec_flags;
 	sv->sv_cfg.skc_negtok_len = ioc->negtok_len;
author	Matt Barden <matt.barden@nexenta.com>	2017-04-18 08:42:45 -0400
committer	Gordon Ross <gwr@nexenta.com>	2019-08-10 10:04:10 -0400
commit	3e2c0c0978d26f8b8020b49760008c6bb6e59221 (patch)
tree	248bc80c9af58bb9dcdfaf775cffadfa78e6e3d5 /usr/src/uts/common/fs
parent	11eb14c0b4910a2d5a319fe0b5bf5c633fbfbfa6 (diff)
download	illumos-gate-3e2c0c0978d26f8b8020b49760008c6bb6e59221.tar.gz