[SCM] Samba Shared Repository - branch v3-3-test updated - release-3-2-0pre2-5216-ge2dd445

Thu Apr 16 23:22:14 GMT 2009

The branch, v3-3-test has been updated
       via  e2dd445921b509a2c05646e5aece50243f2b7a5a (commit)
       via  043ade0f4dff788f81e014d3c85217377226899e (commit)
      from  d7b0894c8d025ceda4b7208e134e591bc4953400 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-3-test


- Log -----------------------------------------------------------------
commit e2dd445921b509a2c05646e5aece50243f2b7a5a
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Apr 16 16:21:00 2009 -0700

    Add torture tester to ensure we don't regress the ulogoff bug.
    Jeremy.

commit 043ade0f4dff788f81e014d3c85217377226899e
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Apr 16 16:20:12 2009 -0700

    Fix bug found by Tim Prouty, logging off and then re-using a vuid can cause smbd to
    access a freed structure.
    Jeremy.

-----------------------------------------------------------------------

Summary of changes:
 source/smbd/uid.c        |   11 +++++++++++
 source/torture/torture.c |   45 +++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 56 insertions(+), 0 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source/smbd/uid.c b/source/smbd/uid.c
index 02f8cc9..bec820b 100644
--- a/source/smbd/uid.c
+++ b/source/smbd/uid.c
@@ -166,6 +166,10 @@ void conn_clear_vuid_cache(connection_struct *conn, uint16_t vuid)
 
 		if (ent->vuid == vuid) {
 			ent->vuid = UID_FIELD_INVALID;
+			/* Ensure we're not freeing an active pointer. */
+			if (conn->server_info == ent->server_info) {
+				conn->server_info = NULL;
+			}
 			TALLOC_FREE(ent->server_info);
 			ent->read_only = False;
 			ent->admin_user = False;
@@ -218,6 +222,13 @@ bool change_to_user(connection_struct *conn, uint16 vuid)
 
 	server_info = vuser ? vuser->server_info : conn->server_info;
 
+	if (!server_info) {
+		/* Invalid vuid sent - even with security = share. */
+		DEBUG(2,("change_to_user: Invalid vuid %d used on "
+			 "share %s.\n",vuid, lp_servicename(snum) ));
+		return false;
+	}
+
 	if (!check_user_ok(conn, vuid, server_info, snum)) {
 		DEBUG(2,("change_to_user: SMB user %s (unix user %s, vuid %d) "
 			 "not permitted access to share %s.\n",
diff --git a/source/torture/torture.c b/source/torture/torture.c
index 55b7673..d9fc55b 100644
--- a/source/torture/torture.c
+++ b/source/torture/torture.c
@@ -5012,6 +5012,50 @@ static bool subst_test(const char *str, const char *user, const char *domain,
 	return result;
 }
 
+static bool run_uid_regression_test(int dummy)
+{
+	static struct cli_state *cli;
+	int16_t old_vuid;
+	bool correct = True;
+
+	printf("starting uid regression test\n");
+
+	if (!torture_open_connection(&cli, 0)) {
+		return False;
+	}
+
+	cli_sockopt(cli, sockops);
+
+	/* Ok - now save then logoff our current user. */
+	old_vuid = cli->vuid;
+
+	if (!cli_ulogoff(cli)) {
+		d_printf("(%s) cli_ulogoff failed: %s\n",
+			__location__, cli_errstr(cli));
+		correct = false;
+		goto out;
+	}
+
+	cli->vuid = old_vuid;
+
+	/* Try an operation. */
+	if (!cli_mkdir(cli, "\\uid_reg_test")) {
+		/* We expect bad uid. */
+		if (!check_error(__LINE__, cli, ERRSRV, ERRbaduid,
+				NT_STATUS_NO_SUCH_USER)) {
+			return False;
+		}
+		goto out;
+	}
+
+	cli_rmdir(cli, "\\uid_reg_test");
+
+  out:
+
+	torture_close_connection(cli);
+	return correct;
+}
+
 static bool run_local_substitute(int dummy)
 {
 	bool ok = true;
@@ -5528,6 +5572,7 @@ static struct {
 	{"RW3",  run_readwritelarge, 0},
 	{"OPEN", run_opentest, 0},
 	{"POSIX", run_simple_posix_open_test, 0},
+	{ "UID-REGRESSION-TEST", run_uid_regression_test, 0},
 #if 1
 	{"OPENATTR", run_openattrtest, 0},
 #endif


-- 
Samba Shared Repository
