[SCM] Samba Shared Repository - branch master updated

Volker Lendecke vlendec at samba.org
Sun Nov 5 11:32:02 UTC 2017 

The branch, master has been updated
       via  44c018b s4: torture: Add smb2 FIND_and_set_DOC test case.
       via  c9e996d s3: smbd: Fix delete-on-close after smb2_find
      from  3bb854c vfs_fruit: avoid dereferencing a freed object in an error case

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 44c018bdcc2d81aaf667d11c0c8fae209419ddd7
Author: Ralph Wuerthner <ralph.wuerthner at de.ibm.com>
Date:   Fri Oct 27 14:59:32 2017 +0200

    s4: torture: Add smb2 FIND_and_set_DOC test case.
    
    Regression tests doing an SMB2_find followed by
    a set delete on close and then close on a directory.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13118
    
    Signed-off-by: Ralph Wuerthner <ralph.wuerthner at de.ibm.com>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Volker Lendecke <vl at samba.org>
    
    Autobuild-User(master): Volker Lendecke <vl at samba.org>
    Autobuild-Date(master): Sun Nov  5 12:31:12 CET 2017 on sn-devel-144

commit c9e996d78df3ce326a5c13f8f4f1426918769ceb
Author: Ralph Wuerthner <ralph.wuerthner at de.ibm.com>
Date:   Fri Nov 3 22:33:28 2017 +0000

    s3: smbd: Fix delete-on-close after smb2_find
    
    Both dptr_create() and can_delete_directory_fsp() are calling OpenDir_fsp()
    to get a directory handle. This causes an issue when delete-on-close is
    set after smb2_find because both directory handle instances share the same
    underlying file descriptor. In addition the SMB_ASSERT() in destructor
    smb_Dir_destructor() gets triggered.
    
    To avoid this use OpenDir() instead of OpenDir_fsp().
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13118
    
    Signed-off-by: Ralph Wuerthner <ralph.wuerthner at de.ibm.com>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Volker Lendecke <vl at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 source3/smbd/dir.c                     |  4 +--
 source4/torture/smb2/delete-on-close.c | 66 ++++++++++++++++++++++++++++++++++
 2 files changed, 68 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c
index cb54be4..19e2964 100644
--- a/source3/smbd/dir.c
+++ b/source3/smbd/dir.c
@@ -2128,9 +2128,9 @@ NTSTATUS can_delete_directory_fsp(files_struct *fsp)
 	char *talloced = NULL;
 	SMB_STRUCT_STAT st;
 	struct connection_struct *conn = fsp->conn;
-	struct smb_Dir *dir_hnd = OpenDir_fsp(talloc_tos(),
+	struct smb_Dir *dir_hnd = OpenDir(talloc_tos(),
 					conn,
-					fsp,
+					fsp->fsp_name,
 					NULL,
 					0);
 
diff --git a/source4/torture/smb2/delete-on-close.c b/source4/torture/smb2/delete-on-close.c
index 44ef33e..2312df2 100644
--- a/source4/torture/smb2/delete-on-close.c
+++ b/source4/torture/smb2/delete-on-close.c
@@ -516,6 +516,71 @@ static bool test_doc_create_if_exist(struct torture_context *tctx, struct smb2_t
 	return true;
 }
 
+static bool test_doc_find_and_set_doc(struct torture_context *tctx, struct smb2_tree *tree)
+{
+	struct smb2_create io;
+	struct smb2_find find;
+	NTSTATUS status;
+	union smb_search_data *d;
+	union smb_setfileinfo sfinfo;
+	unsigned int count;
+	uint32_t perms = 0;
+
+	perms = SEC_STD_SYNCHRONIZE | SEC_STD_READ_CONTROL | SEC_STD_DELETE |
+		SEC_DIR_WRITE_ATTRIBUTE | SEC_DIR_READ_ATTRIBUTE |
+		SEC_DIR_WRITE_EA | SEC_FILE_APPEND_DATA |
+		SEC_FILE_WRITE_DATA | SEC_DIR_LIST;
+
+	/* File should not exist for this first test, so make sure */
+	set_dir_delete_perms(tctx, tree);
+
+	smb2_deltree(tree, DNAME);
+
+	create_dir(tctx, tree);
+
+	torture_comment(tctx, "FIND and delete directory\n");
+	torture_comment(tctx, "We expect NT_STATUS_OK\n");
+
+	/* open the directory first */
+	ZERO_STRUCT(io);
+	io.in.desired_access	 = perms;
+	io.in.file_attributes	 = FILE_ATTRIBUTE_DIRECTORY;
+	io.in.create_disposition = NTCREATEX_DISP_OPEN_IF;
+	io.in.share_access	 = NTCREATEX_SHARE_ACCESS_READ |
+				   NTCREATEX_SHARE_ACCESS_DELETE;
+	io.in.create_options     = NTCREATEX_OPTIONS_DIRECTORY;
+	io.in.fname              = DNAME;
+
+	status = smb2_create(tree, tctx, &io);
+	CHECK_STATUS(status, NT_STATUS_OK);
+
+	/* list directory */
+	ZERO_STRUCT(find);
+	find.in.file.handle        = io.out.file.handle;
+	find.in.pattern            = "*";
+	find.in.continue_flags     = SMB2_CONTINUE_FLAG_SINGLE;
+	find.in.max_response_size  = 0x100;
+	find.in.level              = SMB2_FIND_BOTH_DIRECTORY_INFO;
+
+	/* start enumeration on directory */
+	status = smb2_find_level(tree, tree, &find, &count, &d);
+	CHECK_STATUS(status, NT_STATUS_OK);
+
+	/* set delete-on-close */
+	ZERO_STRUCT(sfinfo);
+	sfinfo.generic.level = RAW_SFILEINFO_DISPOSITION_INFORMATION;
+	sfinfo.disposition_info.in.delete_on_close = 1;
+	sfinfo.generic.in.file.handle = io.out.file.handle;
+	status = smb2_setinfo_file(tree, &sfinfo);
+	CHECK_STATUS(status, NT_STATUS_OK);
+
+	/* close directory */
+	status = smb2_util_close(tree, io.out.file.handle);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	return true;
+}
+
+
 /*
  *  Extreme testing of Delete On Close and permissions
  */
@@ -529,6 +594,7 @@ struct torture_suite *torture_smb2_doc_init(TALLOC_CTX *ctx)
 	torture_suite_add_1smb2_test(suite, "CREATE Existing", test_doc_create_exist);
 	torture_suite_add_1smb2_test(suite, "CREATE_IF", test_doc_create_if);
 	torture_suite_add_1smb2_test(suite, "CREATE_IF Existing", test_doc_create_if_exist);
+	torture_suite_add_1smb2_test(suite, "FIND_and_set_DOC", test_doc_find_and_set_doc);
 
 	suite->description = talloc_strdup(suite, "SMB2-Delete-on-Close-Perms tests");
 


-- 
Samba Shared Repository

More information about the samba-cvs mailing list