authorDavid Disseldorp <ddiss@samba.org>2014-02-06 20:12:21 +0100
committerJeremy Allison <jra@samba.org>2014-02-06 16:15:28 -0800
commit00906f9604ad3e633e3d3cbc8d9dc4e2e305a455 (patch)
tree4760beb00f44cbedfd7f8802b9971c394fe2ebcc
parent54d07da81e181072b530e88b42d0d0d17fe60df0 (diff)
smbd/smb2_ioctl: fail zero length copy chunk requests
As documented in MS-SMB2 3.3.5.15.6 Handling a Server-Side Data Copy Request, an invalid parameter response should be sent when: The Length value in a single chunk is greater than ServerSideCopyMaxChunkSize or *equal to zero*. We do not currently abide by the latter part of this clause. BUG: https://bugzilla.samba.org/show_bug.cgi?id=10424 Signed-off-by: David Disseldorp <ddiss@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
-rw-r--r--source3/smbd/smb2_ioctl_network_fs.c17
1 files changed, 16 insertions, 1 deletions
diff --git a/source3/smbd/smb2_ioctl_network_fs.c b/source3/smbd/smb2_ioctl_network_fs.c
index a1d67f80a9..986e97db61 100644
--- a/source3/smbd/smb2_ioctl_network_fs.c
+++ b/source3/smbd/smb2_ioctl_network_fs.c
@@ -46,16 +46,31 @@ static NTSTATUS copychunk_check_limits(struct srv_copychunk_copy *cc_copy)
uint32_t i;
uint32_t total_len = 0;
+ /*
+ * [MS-SMB2] 3.3.5.15.6 Handling a Server-Side Data Copy Request
+ * Send and invalid parameter response if:
+ * - The ChunkCount value is greater than
+ * ServerSideCopyMaxNumberofChunks
+ */
if (cc_copy->chunk_count > COPYCHUNK_MAX_CHUNKS) {
return NT_STATUS_INVALID_PARAMETER;
}
for (i = 0; i < cc_copy->chunk_count; i++) {
- if (cc_copy->chunks[i].length > COPYCHUNK_MAX_CHUNK_LEN) {
+ /*
+ * - The Length value in a single chunk is greater than
+ * ServerSideCopyMaxChunkSize or equal to zero.
+ */
+ if ((cc_copy->chunks[i].length == 0)
+ || (cc_copy->chunks[i].length > COPYCHUNK_MAX_CHUNK_LEN)) {
return NT_STATUS_INVALID_PARAMETER;
}
total_len += cc_copy->chunks[i].length;
}
+ /*
+ * - Sum of Lengths in all chunks is greater than
+ * ServerSideCopyMaxDataSize
+ */
if (total_len > COPYCHUNK_MAX_TOTAL_LEN) {
return NT_STATUS_INVALID_PARAMETER;
}
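Review bot: The `total_len += cc_copy->chunks[i].length;` accumulation is a `uint32_t` sum that is only compared with COPYCHUNK_MAX_TOTAL_LEN after the loop, so the final check is sound only if COPYCHUNK_MAX_CHUNKS * COPYCHUNK_MAX_CHUNK_LEN cannot exceed UINT32_MAX. Those constants are defined outside this hunk, so I cannot confirm the bound from here. Since the patch is already documenting each limit, I would record the invariant next to the addition, e.g. `/* cannot wrap: chunk_count and each length are bounded above, and the product of those bounds fits in uint32_t */`, or back it with a compile-time assertion where the constants are defined. Separately, the first added comment reads "Send and invalid parameter response"; it should be `* Send an invalid parameter response if:`. The body of copychunk_check_limits starts before and ends after the lines shown here.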