[SCM] Samba Shared Repository - branch master updated

Jeremy Allison jra at samba.org
Tue May 12 21:33:03 UTC 2020


The branch, master has been updated
       via  393da520e43 s3: libsmbclient: Finish unifying bad iconv behavior across CORE NT1 SMB2 protocols.
       via  753115a8d19 s3: libsmb: In SMB2 return NT_STATUS_INVALID_NETWORK_RESPONSE if name conversion ended up with a NULL filename.
       via  b10de0bb64f s3: libsmb: In SMB1 old protocol - return NT_STATUS_INVALID_NETWORK_RESPONSE if name conversion ended up with a NULL filename.
       via  e016671d34c s3: selftest: Add test_smbclient_iconv.sh to check client behavior on bad name conversion.
       via  a9651d6bc2b s3: selftest: Add share definition [bad_iconv] in fileserver.
       via  0f01b10679c vfs_io_uring: retry after a short write in vfs_io_uring_pwrite_completion()
       via  42e77c4cf24 vfs_io_uring: retry after a short read in vfs_io_uring_pread_completion()
       via  c57a731c4ce vfs_io_uring: protect vfs_io_uring_fsync_completion() against invalid results
       via  283f9687223 vfs_io_uring: protect vfs_io_uring_pwrite_completion() against invalid results
       via  f085dbf8b2b vfs_io_uring: protect vfs_io_uring_pread_completion() against invalid results
       via  2f6abb00b0d vfs_io_uring: split out a vfs_io_uring_pwrite_submit() function
       via  9de4f8be1dc vfs_io_uring: split out a vfs_io_uring_pread_submit() function
       via  ab89b8e7535 vfs_io_uring: split out a vfs_io_uring_request_submit() function
       via  f96f45c9ba8 vfs_io_uring: avoid stack recursion of vfs_io_uring_queue_run()
       via  388bc2e6e44 vfs_io_uring: make use of sys_valid_io_range() in vfs_io_uring_pwrite_send()
       via  5005ae3fb24 vfs_io_uring: make use of sys_valid_io_range() in vfs_io_uring_pread_send()
       via  40be2232a44 vfs_io_uring: move error handling out of vfs_io_uring_fsync_recv()
       via  a51969b8c7e vfs_io_uring: move error handling out of vfs_io_uring_pwrite_recv()
       via  a1487067a6c vfs_io_uring: move error handling out of vfs_io_uring_pread_recv()
       via  456533c9cfc vfs_io_uring: introduce vfs_io_uring_request->completion_fn()
       via  f78e98e0226 vfs_io_uring: replace vfs_io_uring_request->state with _tevent_req_data()
       via  fadc7043a71 vfs_io_uring: fix the prefix for parametric options from 'vfs_io_uring' to 'io_uring'
       via  801c06f4c94 s3: VFS: default. Change pwrite() -> sys_pwrite_full() in SMB_VFS_PWRITE_SEND() to protect against short writes.
       via  bf2e546be38 s3: VFS: default. Change pread() -> sys_pread_full() in SMB_VFS_PREAD_SEND() to protect against short reads.
       via  ca8c3619f65 s3: VFS: default. Change sys_pwrite() -> sys_pwrite_full() in SMB_VFS_PWRITE() to protect against short writes.
       via  7daa79908b6 s3: VFS: default. Change sys_pread() -> sys_pread_full() in SMB_VFS_PREAD() to protect against short reads.
       via  20ee8b03bbe s3: VFS: aio_fork: Change sys_pwrite() -> sys_pwrite_full() to protect against short writes.
       via  60f590000d5 s3: VFS: aio_fork: Change sys_pread() -> sys_pread_full() to protect against short reads.
       via  6fa753a1a67 smbd: add vfs_valid_{pread,pwrite}_range() checks where needed
       via  70fa4b884d2 s3:smbd: add vfs_valid_{pread,pwrite}_range() helper functions
       via  ba68f21286c s3:smbd: handle 0 length writes as no-op.
       via  a6eee38ba2f smb2_server: fix smbd_smb2_request_verify_sizes() for SMB2_OP_WRITE
       via  3ba7a89cea8 lib: util: Add sys_pwrite_full().
       via  36af33bf9fc lib: util: Add sys_pread_full().
       via  e02cbd5c3ea lib: util: Add sys_valid_io_range()
       via  54de0e4a3e4 s4:torture: add tests to test the SMB2 read/write offset/length boundaries
      from  bf04ca5658d s3/locking: prime flags in a fresh sharemode data object

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 393da520e43bd3a28feb231bcd9fd5308a3daa4a
Author: Jeremy Allison <jra at samba.org>
Date:   Mon May 11 15:58:27 2020 -0700

    s3: libsmbclient: Finish unifying bad iconv behavior across CORE NT1 SMB2 protocols.
    
    On bad name conversion, exit the directory listing with an error, but leave the
    connection intact. We were already checking for finfo->name == NULL here,
    but were ignoring it and not reporting an error.
    
    Remove the knownfail.d/bad_iconv file as we now
    behave the same across CORE/NT1/SMB2.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14374
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Tue May 12 21:32:44 UTC 2020 on sn-devel-184

commit 753115a8d19f6ac8cd28305748fc6d888679dccc
Author: Jeremy Allison <jra at samba.org>
Date:   Mon May 11 12:23:49 2020 -0700

    s3: libsmb: In SMB2 return NT_STATUS_INVALID_NETWORK_RESPONSE if name conversion ended up with a NULL filename.
    
    Can happen if namelen == 0.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14374
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit b10de0bb64fe022e6b066584013dfb0bdf2ade96
Author: Jeremy Allison <jra at samba.org>
Date:   Mon May 11 12:34:10 2020 -0700

    s3: libsmb: In SMB1 old protocol - return NT_STATUS_INVALID_NETWORK_RESPONSE if name conversion ended up with a NULL filename.
    
    Can happen if namelen == 0.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14374
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit e016671d34c24c4768df774425ec743b88e30015
Author: Jeremy Allison <jra at samba.org>
Date:   Mon May 11 15:37:00 2020 -0700

    s3: selftest: Add test_smbclient_iconv.sh to check client behavior on bad name conversion.
    
    SMB2 and NT1 fail this, CORE already returns NT_STATUS_INVALID_NETWORK_RESPONSE
    on bad conversion.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14374
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit a9651d6bc2b6dea8adc859ce21c2431253868887
Author: Jeremy Allison <jra at samba.org>
Date:   Mon May 11 14:10:54 2020 -0700

    s3: selftest: Add share definition [bad_iconv] in fileserver.
    
    Creates a utf8 valid filename within that is invalid in CP850.
    Useful to test smbclient list directory character set conversions.
    
    https://bugzilla.samba.org/show_bug.cgi?id=14374
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 0f01b10679c06dbd28da72ca6c6280ddf81672ba
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri May 8 13:30:17 2020 +0200

    vfs_io_uring: retry after a short write in vfs_io_uring_pwrite_completion()
    
    We need to be prepared for short writes from the kernel depending on
    the state of the page cache.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14361
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 42e77c4cf245d8420641d216d1abefe81f7a3b79
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri May 8 13:30:17 2020 +0200

    vfs_io_uring: retry after a short read in vfs_io_uring_pread_completion()
    
    We need to be prepared for short reads from the kernel depending on
    the state of the page cache. Windows and Mac clients don't
    expect short reads for files, so we need to retry ourselves.
    
    For the future we may be able to play with some io_uring flags
    in order to avoid the retries in userspace, but for now we just fix
    the data corruption bug...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14361
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit c57a731c4ce395fd710f0b066cd6f1b72223ae07
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri May 8 11:38:56 2020 +0200

    vfs_io_uring: protect vfs_io_uring_fsync_completion() against invalid results
    
    We should never get back a value > 0.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14361
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 283f96872237517f0b3bc4e63e8d3c482ecd5fa4
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri May 8 11:38:56 2020 +0200

    vfs_io_uring: protect vfs_io_uring_pwrite_completion() against invalid results
    
    We should never get more acked than we asked for.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14361
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit f085dbf8b2bed2695e0065a5bf4523232cb532c7
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri May 8 11:38:56 2020 +0200

    vfs_io_uring: protect vfs_io_uring_pread_completion() against invalid results
    
    We should never get back more than we asked for.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14361
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 2f6abb00b0daeb4de9ad0aea1b5c56559391aef9
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri May 8 11:17:51 2020 +0200

    vfs_io_uring: split out a vfs_io_uring_pwrite_submit() function
    
    This can be reused when we add handling for short writes.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14361
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 9de4f8be1dc8b4274891016191a5ca1f724e08b3
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri May 8 11:17:51 2020 +0200

    vfs_io_uring: split out a vfs_io_uring_pread_submit() function
    
    This can be reused when we add handling for short reads.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14361
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit ab89b8e75354c5fd571985e924e1ccbec99de990
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri May 8 11:17:51 2020 +0200

    vfs_io_uring: split out a vfs_io_uring_request_submit() function
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14361
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit f96f45c9ba8d4c8fa4026c22ac4201d66335e5c4
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri May 8 21:29:53 2020 +0200

    vfs_io_uring: avoid stack recursion of vfs_io_uring_queue_run()
    
    Instead we remember if recursion was triggered and jump to
    the start of the function again from the end.
    
    This should make it safe to be called from the completion_fn().
    
    This is hideously complex stuff, so document the hell
    out of it.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14361
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 388bc2e6e44470ea4043ecb22750e241145355d2
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri May 8 13:17:05 2020 +0200

    vfs_io_uring: make use of sys_valid_io_range() in vfs_io_uring_pwrite_send()
    
    This makes the follow up commits easier as we don't have to care
    about overflows.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14361
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 5005ae3fb24018e370ae60cc23c5e9cfe8357bc9
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri May 8 13:17:05 2020 +0200

    vfs_io_uring: make use of sys_valid_io_range() in vfs_io_uring_pread_send()
    
    This makes the follow up commits easier as we don't have to care
    about overflows.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14361
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 40be2232a44a86cb5dfdda330801e615826408ba
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri May 8 10:52:52 2020 +0200

    vfs_io_uring: move error handling out of vfs_io_uring_fsync_recv()
    
    We should do that as early as possible and that's in
    vfs_io_uring_fsync_completion().
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14361
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit a51969b8c7e6e49c0d3b776d897aea4f309f8678
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri May 8 10:52:52 2020 +0200

    vfs_io_uring: move error handling out of vfs_io_uring_pwrite_recv()
    
    We should do that as early as possible and that's in
    vfs_io_uring_pwrite_completion().
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14361
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit a1487067a6c9df3136fd5d4d16dda4c0f63cb662
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri May 8 10:52:52 2020 +0200

    vfs_io_uring: move error handling out of vfs_io_uring_pread_recv()
    
    We should do that as early as possible and that's in
    vfs_io_uring_pread_completion().
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14361
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 456533c9cfc332d3a83ea03a6f969b0d64ccbeb6
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri May 8 10:42:59 2020 +0200

    vfs_io_uring: introduce vfs_io_uring_request->completion_fn()
    
    We'll need to add more logic than a simple _tevent_req_done()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14361
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit f78e98e0226fe70899b613e0aa5c804d8458bdb0
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri May 8 10:39:52 2020 +0200

    vfs_io_uring: replace vfs_io_uring_request->state with _tevent_req_data()
    
    We don't need a direct pointer to the state...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14361
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit fadc7043a71b409ad60a1a4076a7f88f379d2056
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed May 6 03:05:47 2020 -0700

    vfs_io_uring: fix the prefix for parametric options from 'vfs_io_uring' to 'io_uring'
    
    This is what the manpage describes.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14361
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 801c06f4c9400343b72cad998086288931f7c6b3
Author: Jeremy Allison <jra at samba.org>
Date:   Thu May 7 12:48:49 2020 -0700

    s3: VFS: default. Change pwrite() -> sys_pwrite_full() in SMB_VFS_PWRITE_SEND() to protect against short writes.
    
    Note that as sys_pwrite_full() deals with the EINTR case
    we can remove the do {} while loop here.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14361
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit bf2e546be38abfc77cf40e0b0fef42937696dcde
Author: Jeremy Allison <jra at samba.org>
Date:   Thu May 7 12:45:10 2020 -0700

    s3: VFS: default. Change pread() -> sys_pread_full() in SMB_VFS_PREAD_SEND() to protect against short reads.
    
    Note that as sys_pread_full() deals with the EINTR case
    we can remove the do {} while loop here.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14361
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit ca8c3619f657dc38db7cb248f1a657f5bfe20757
Author: Jeremy Allison <jra at samba.org>
Date:   Thu May 7 12:44:26 2020 -0700

    s3: VFS: default. Change sys_pwrite() -> sys_pwrite_full() in SMB_VFS_PWRITE() to protect against short writes.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14361
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 7daa79908b6a0362db30276b3b6f0db176b6ae3c
Author: Jeremy Allison <jra at samba.org>
Date:   Thu May 7 12:43:34 2020 -0700

    s3: VFS: default. Change sys_pread() -> sys_pread_full() in SMB_VFS_PREAD() to protect against short reads.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14361
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 20ee8b03bbe5bef4ea968170808e3c4c9d22318e
Author: Jeremy Allison <jra at samba.org>
Date:   Thu May 7 12:42:53 2020 -0700

    s3: VFS: aio_fork: Change sys_pwrite() -> sys_pwrite_full() to protect against short writes.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14361
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 60f590000d545292760018694deb34a7cc4ded6d
Author: Jeremy Allison <jra at samba.org>
Date:   Thu May 7 12:42:10 2020 -0700

    s3: VFS: aio_fork: Change sys_pread() -> sys_pread_full() to protect against short reads.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14361
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 6fa753a1a67d563cd22d0cad73ae15ee267512fc
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon May 11 18:18:24 2020 +0200

    smbd: add vfs_valid_{pread,pwrite}_range() checks where needed
    
    I checked all callers of SMB_VFS_PWRITE[_SEND](),
    all callers of SMB_VFS_PREAD[_SEND]() and also
    places where we append to the file and allocate
    more space.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14361
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 70fa4b884d2c22669984c25fe757c2fc528f7331
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon May 11 22:00:37 2020 +0200

    s3:smbd: add vfs_valid_{pread,pwrite}_range() helper functions
    
    These implement the SMB2 visible behavior of the [MS-FSA]
    2.1.5.2 Server Requests a Read and 2.1.5.3 Server Requests a Write
    constraints. Note that offset < 0 is not allowed over SMB.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14361
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit ba68f21286c2c2f1fef8bf8c9cd500a622077887
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon May 11 18:18:24 2020 +0200

    s3:smbd: handle 0 length writes as no-op.
    
    They should never touch the SMB_VFS layer
    and they never trigger a DISK_FULL error.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14361
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit a6eee38ba2f89280676f0a32d26745afd95b551c
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon May 11 18:18:24 2020 +0200

    smb2_server: fix smbd_smb2_request_verify_sizes() for SMB2_OP_WRITE
    
    Writes with a length of 0 are allowed.
    
    The readfile related check we had before was not really useful
    as min_dyn_len can only ever be 0 or 1 (and for SMB2_OP_WRITE it's
    always 1). So we checked
      if (unread_bytes > 0) {
         if (unread_bytes < 1) {
           return error;
         }
      }
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14361
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 3ba7a89cea85d134eacf1e624e011fe6f66146fc
Author: Jeremy Allison <jra at samba.org>
Date:   Thu May 7 12:34:32 2020 -0700

    lib: util: Add sys_pwrite_full().
    
    A pwrite wrapper that will deal with EINTR and never return a short
    write unless the file system returns an error. Copes with the
    unspecified edge condition of pwrite returning zero by changing
    the return to -1, errno = ENOSPC.
    
    Thread-safe so may be used as a replacement for pwrite
    inside pwrite_do() thread functions.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14361
    
    Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Signed-off-by: Stefan Metzmacher <metze at samba.org>

commit 36af33bf9fcdf93fce5ef1520fcb7ddbb07b355e
Author: Jeremy Allison <jra at samba.org>
Date:   Thu May 7 12:32:48 2020 -0700

    lib: util: Add sys_pread_full().
    
    A pread wrapper that will deal with EINTR and never return a short
    read unless pread returns zero meaning EOF.
    
    Thread-safe so may be used as a replacement for pread
    inside pread_do() thread functions.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14361
    
    Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Signed-off-by: Stefan Metzmacher <metze at samba.org>

commit e02cbd5c3ea6903d2b7b43c3193b8662d029ecdd
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri May 8 13:06:54 2020 +0200

    lib: util: Add sys_valid_io_range()
    
    This implements the constraints of
    [MS-FSA] 2.1.5.2 Server Requests a Read.
    
    The special handling of [MS-FSA] 2.1.5.3 Server Requests a Write
    with offset < 0, should be handled by higher layers!
    Which means the check can also be used for writes.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14361
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 54de0e4a3e46a53db5262963e64b109c567554a1
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon May 11 12:37:41 2020 +0200

    s4:torture: add tests to test the SMB2 read/write offset/length boundaries
    
    [MS-FSA] 2.1.5.2 Server Requests a Read and
    2.1.5.3 Server Requests a Write define some constraints.
    
    These tests demonstrate that ((int64_t)offset) < 0 is
    not allowed for both reads and writes for SMB.
    Also the special case for writes at offset -2 is not possible
    nor the append mode with offset < 0.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14361
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 lib/util/sys_rw.c                            | 121 +++++++++
 lib/util/sys_rw.h                            |   3 +
 selftest/knownfail.d/rw-invalid              |   1 +
 selftest/target/Samba3.pm                    |  13 +
 source3/libsmb/cli_smb2_fnum.c               |   6 +
 source3/libsmb/clilist.c                     |  10 +-
 source3/modules/vfs_aio_fork.c               |   4 +-
 source3/modules/vfs_default.c                |  27 +-
 source3/modules/vfs_io_uring.c               | 377 ++++++++++++++++++++++-----
 source3/script/tests/test_smbclient_iconv.sh |  53 ++++
 source3/selftest/tests.py                    |   9 +
 source3/smbd/aio.c                           |  24 ++
 source3/smbd/fileio.c                        |  18 ++
 source3/smbd/proto.h                         |   2 +
 source3/smbd/smb2_server.c                   |  10 +-
 source3/smbd/vfs.c                           |  66 ++++-
 source4/torture/smb2/read_write.c            | 189 ++++++++++++++
 17 files changed, 849 insertions(+), 84 deletions(-)
 create mode 100644 selftest/knownfail.d/rw-invalid
 create mode 100755 source3/script/tests/test_smbclient_iconv.sh


Changeset truncated at 500 lines:

diff --git a/lib/util/sys_rw.c b/lib/util/sys_rw.c
index 9a6cdcaa606..d74395fc409 100644
--- a/lib/util/sys_rw.c
+++ b/lib/util/sys_rw.c
@@ -24,6 +24,30 @@
 #include "system/filesys.h"
 #include "lib/util/sys_rw.h"
 
+bool sys_valid_io_range(off_t offset, size_t length)
+{
+	uint64_t last_byte_ofs;
+
+	if (offset < 0) {
+		return false;
+	}
+
+	if (offset > INT64_MAX) {
+		return false;
+	}
+
+	if (length > UINT32_MAX) {
+		return false;
+	}
+
+	last_byte_ofs = (uint64_t)offset + (uint64_t)length;
+	if (last_byte_ofs > INT64_MAX) {
+		return false;
+	}
+
+	return true;
+}
+
 /*******************************************************************
 A read wrapper that will deal with EINTR/EWOULDBLOCK
 ********************************************************************/
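Review bot: sys_valid_io_range() is added without the banner comment that the other helpers in this file carry, and its `offset > INT64_MAX` test can never be true on builds where off_t is a 64-bit signed type. Suggest a short comment stating the limits enforced (offset >= 0, length <= UINT32_MAX, offset + length <= INT64_MAX) and the [MS-FSA] section they come from, and either dropping the dead comparison or noting that it exists for wider off_t types. The name last_byte_ofs is also slightly off: offset + length is the offset one past the last byte.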
@@ -119,6 +143,54 @@ ssize_t sys_pread(int fd, void *buf, size_t count, off_t off)
 	return ret;
 }
 
+/*******************************************************************
+ A pread wrapper that will deal with EINTR and never return a short
+ read unless pread returns zero meaning EOF.
+********************************************************************/
+
+ssize_t sys_pread_full(int fd, void *buf, size_t count, off_t off)
+{
+	ssize_t total_read = 0;
+	uint8_t *curr_buf = (uint8_t *)buf;
+	size_t curr_count = count;
+	off_t curr_off = off;
+	bool ok;
+
+	ok = sys_valid_io_range(off, count);
+	if (!ok) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	while (curr_count != 0) {
+		ssize_t ret = sys_pread(fd,
+					curr_buf,
+					curr_count,
+					curr_off);
+
+		if (ret == -1) {
+			return -1;
+		}
+		if (ret == 0) {
+			/* EOF */
+			break;
+		}
+
+		if (ret > curr_count) {
+			errno = EIO;
+			return -1;
+		}
+
+		curr_buf += ret;
+		curr_count -= ret;
+		curr_off += ret;
+
+		total_read += ret;
+	}
+
+	return total_read;
+}
+
 /*******************************************************************
 A write wrapper that will deal with EINTR
 ********************************************************************/
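Review bot: in sys_pread_full(), `if (ret > curr_count)` compares a ssize_t with a size_t. It is safe only because the -1 and 0 cases return or break just above; writing `(size_t)ret > curr_count` makes that explicit and avoids sign-compare warnings. Separately, total_read is a ssize_t while sys_valid_io_range() admits counts up to UINT32_MAX, so on a build with a 32-bit ssize_t a large count could overflow the running total; rejecting count > SSIZE_MAX up front would close that.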
@@ -132,3 +204,52 @@ ssize_t sys_pwrite(int fd, const void *buf, size_t count, off_t off)
 	} while (ret == -1 && errno == EINTR);
 	return ret;
 }
+
+/*******************************************************************
+ A pwrite wrapper that will deal with EINTR and never allow a short
+ write unless the file system returns an error.
+********************************************************************/
+
+ssize_t sys_pwrite_full(int fd, const void *buf, size_t count, off_t off)
+{
+	ssize_t total_written = 0;
+	const uint8_t *curr_buf = (const uint8_t *)buf;
+	size_t curr_count = count;
+	off_t curr_off = off;
+	bool ok;
+
+	ok = sys_valid_io_range(off, count);
+	if (!ok) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	while (curr_count != 0) {
+		ssize_t ret = sys_pwrite(fd,
+					 curr_buf,
+					 curr_count,
+					 curr_off);
+
+		if (ret == -1) {
+			return -1;
+		}
+		if (ret == 0) {
+			/* Ensure we can never spin. */
+			errno = ENOSPC;
+			return -1;
+		}
+
+		if (ret > curr_count) {
+			errno = EIO;
+			return -1;
+		}
+
+		curr_buf += ret;
+		curr_count -= ret;
+		curr_off += ret;
+
+		total_written += ret;
+	}
+
+	return total_written;
+}
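Review bot: the banner says sys_pwrite_full() will "never allow a short write unless the file system returns an error", but when sys_pwrite() fails after earlier iterations succeeded the loop returns -1 and total_written is dropped, so the caller cannot tell how much reached the file. Either return the partial count in that case or reword the comment to say that a failure part-way through is reported as -1 with errno set and the file may already be partly written. The same applies to the ret == 0 path that sets ENOSPC.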
diff --git a/lib/util/sys_rw.h b/lib/util/sys_rw.h
index ab456d87b22..b224ecb30ac 100644
--- a/lib/util/sys_rw.h
+++ b/lib/util/sys_rw.h
@@ -27,12 +27,15 @@
 
 struct iovec;
 
+bool sys_valid_io_range(off_t offset, size_t length);
 ssize_t sys_read(int fd, void *buf, size_t count);
 void sys_read_v(int fd, void *buf, size_t count);
 ssize_t sys_write(int fd, const void *buf, size_t count);
 void sys_write_v(int fd, const void *buf, size_t count);
 ssize_t sys_writev(int fd, const struct iovec *iov, int iovcnt);
 ssize_t sys_pread(int fd, void *buf, size_t count, off_t off);
+ssize_t sys_pread_full(int fd, void *buf, size_t count, off_t off);
 ssize_t sys_pwrite(int fd, const void *buf, size_t count, off_t off);
+ssize_t sys_pwrite_full(int fd, const void *buf, size_t count, off_t off);
 
 #endif
diff --git a/selftest/knownfail.d/rw-invalid b/selftest/knownfail.d/rw-invalid
new file mode 100644
index 00000000000..ac5fe573239
--- /dev/null
+++ b/selftest/knownfail.d/rw-invalid
@@ -0,0 +1 @@
+samba4.smb2.rw.invalid.ad_dc_ntvfs
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 083846c87b6..e988ef7210b 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -1287,6 +1287,9 @@ sub setup_fileserver
 	my $dropbox_sharedir="$share_dir/dropbox";
 	push(@dirs,$dropbox_sharedir);
 
+	my $bad_iconv_sharedir="$share_dir/bad_iconv";
+	push(@dirs, $bad_iconv_sharedir);
+
 	my $ip4 = Samba::get_ipv4_addr("FILESERVER");
 	my $fileserver_options = "
 	kernel change notify = yes
@@ -1382,6 +1385,11 @@ sub setup_fileserver
 	writeable = yes
 	vfs objects =
 
+[bad_iconv]
+	path = $bad_iconv_sharedir
+	comment = smb username is [%U]
+	vfs objects =
+
 [homes]
 	comment = Home directories
 	browseable = No
@@ -1454,6 +1462,11 @@ sub setup_fileserver
 	##
 	create_file_chmod("$valid_users_sharedir/foo", 0644) or return undef;
 
+	##
+	## create a valid utf8 filename which is invalid as a CP850 conversion
+	##
+	create_file_chmod("$bad_iconv_sharedir/\xED\x9F\xBF", 0644) or return undef;
+
 	return $vars;
 }
 
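Review bot: the comment above the new create_file_chmod() call does not say which character the bytes \xED\x9F\xBF encode. That sequence is U+D7FF; naming the code point in the comment would let a reader of the test confirm why it has no CP850 mapping without decoding the escape by hand.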
diff --git a/source3/libsmb/cli_smb2_fnum.c b/source3/libsmb/cli_smb2_fnum.c
index d29341c1708..0622a05a655 100644
--- a/source3/libsmb/cli_smb2_fnum.c
+++ b/source3/libsmb/cli_smb2_fnum.c
@@ -1269,6 +1269,12 @@ static NTSTATUS parse_finfo_id_both_directory_info(uint8_t *dir_data,
 		/* Bad conversion. */
 		return NT_STATUS_INVALID_NETWORK_RESPONSE;
 	}
+
+	if (finfo->name == NULL) {
+		/* Bad conversion. */
+		return NT_STATUS_INVALID_NETWORK_RESPONSE;
+	}
+
 	return NT_STATUS_OK;
 }
 
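Review bot: the new finfo->name == NULL check reuses the comment /* Bad conversion. */ from the block directly above it, while the commit message says this case arises when namelen == 0. Suggest making the comment say that, so the two returns are distinguishable when reading the function.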
diff --git a/source3/libsmb/clilist.c b/source3/libsmb/clilist.c
index f868e72a239..f9444bc401c 100644
--- a/source3/libsmb/clilist.c
+++ b/source3/libsmb/clilist.c
@@ -552,7 +552,10 @@ static NTSTATUS cli_list_old_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
 			TALLOC_FREE(finfo);
 			return NT_STATUS_NO_MEMORY;
 		}
-
+		if (finfo->name == NULL) {
+			TALLOC_FREE(finfo);
+			return NT_STATUS_INVALID_NETWORK_RESPONSE;
+		}
 		status = is_bad_finfo_name(state->cli, finfo);
 		if (!NT_STATUS_IS_OK(status)) {
 			smbXcli_conn_disconnect(state->cli->conn, status);
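Review bot: the new finfo->name == NULL return in cli_list_old_recv() sits directly above the is_bad_finfo_name() failure path, which calls smbXcli_conn_disconnect(), while the new path frees finfo and returns without disconnecting. If that difference is intended, a one-line comment here would stop a later cleanup from aligning the two. This hunk also drops the blank line that separated the allocation check from the name checks; keeping it would match the surrounding style.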
@@ -791,8 +794,9 @@ static void cli_list_trans_done(struct tevent_req *subreq)
 		if (finfo->name == NULL) {
 			DEBUG(1, ("cli_list: Error: unable to parse name from "
 				  "info level %d\n", state->info_level));
-			ff_eos = true;
-			break;
+			tevent_req_nterror(req,
+				NT_STATUS_INVALID_NETWORK_RESPONSE);
+			return;
 		}
 
 		status = is_bad_finfo_name(state->cli, finfo);
diff --git a/source3/modules/vfs_aio_fork.c b/source3/modules/vfs_aio_fork.c
index a1fed5c0655..7c6f4b00fd0 100644
--- a/source3/modules/vfs_aio_fork.c
+++ b/source3/modules/vfs_aio_fork.c
@@ -342,7 +342,7 @@ static void aio_child_loop(int sockfd, struct mmap_area *map)
 
 		switch (cmd_struct.cmd) {
 		case READ_CMD:
-			ret_struct.size = sys_pread(
+			ret_struct.size = sys_pread_full(
 				fd, discard_const(map->ptr), cmd_struct.n,
 				cmd_struct.offset);
 #if 0
@@ -353,7 +353,7 @@ static void aio_child_loop(int sockfd, struct mmap_area *map)
 #endif
 			break;
 		case WRITE_CMD:
-			ret_struct.size = sys_pwrite(
+			ret_struct.size = sys_pwrite_full(
 				fd, discard_const(map->ptr), cmd_struct.n,
 				cmd_struct.offset);
 			break;
diff --git a/source3/modules/vfs_default.c b/source3/modules/vfs_default.c
index c7f2020a9ea..386a34f81d1 100644
--- a/source3/modules/vfs_default.c
+++ b/source3/modules/vfs_default.c
@@ -734,7 +734,7 @@ static ssize_t vfswrap_pread(vfs_handle_struct *handle, files_struct *fsp, void
 
 #if defined(HAVE_PREAD) || defined(HAVE_PREAD64)
 	START_PROFILE_BYTES(syscall_pread, n);
-	result = sys_pread(fsp->fh->fd, data, n, offset);
+	result = sys_pread_full(fsp->fh->fd, data, n, offset);
 	END_PROFILE_BYTES(syscall_pread);
 
 	if (result == -1 && errno == ESPIPE) {
@@ -758,7 +758,7 @@ static ssize_t vfswrap_pwrite(vfs_handle_struct *handle, files_struct *fsp, cons
 
 #if defined(HAVE_PWRITE) || defined(HAVE_PRWITE64)
 	START_PROFILE_BYTES(syscall_pwrite, n);
-	result = sys_pwrite(fsp->fh->fd, data, n, offset);
+	result = sys_pwrite_full(fsp->fh->fd, data, n, offset);
 	END_PROFILE_BYTES(syscall_pwrite);
 
 	if (result == -1 && errno == ESPIPE) {
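Review bot: The unchanged guard above the modified call in vfswrap_pwrite() reads "#if defined(HAVE_PWRITE) || defined(HAVE_PRWITE64)", and HAVE_PRWITE64 looks like a typo for HAVE_PWRITE64. On a platform that only defines the 64-bit variant this block would be compiled out, so the switch to sys_pwrite_full() would not take effect there. Worth fixing in the same series since this function is being touched.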
@@ -838,10 +838,10 @@ static void vfs_pread_do(void *private_data)
 
 	PROFILE_TIMESTAMP(&start_time);
 
-	do {
-		state->ret = pread(state->fd, state->buf, state->count,
-				   state->offset);
-	} while ((state->ret == -1) && (errno == EINTR));
+	state->ret = sys_pread_full(state->fd,
+				    state->buf,
+				    state->count,
+				    state->offset);
 
 	if (state->ret == -1) {
 		state->vfs_aio_state.error = errno;
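Review bot: In vfs_pread_do() the removed do/while retried pread() on EINTR explicitly, and the replacement relies on sys_pread_full() doing the same, which is not visible in this diff. Please confirm the helper retries on EINTR, and say so in the commit message. It would also help to state what state->ret holds when an error occurs after some bytes were already read, because the "state->ret == -1" path below only records errno.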
@@ -966,10 +966,10 @@ static void vfs_pwrite_do(void *private_data)
 
 	PROFILE_TIMESTAMP(&start_time);
 
-	do {
-		state->ret = pwrite(state->fd, state->buf, state->count,
-				   state->offset);
-	} while ((state->ret == -1) && (errno == EINTR));
+	state->ret = sys_pwrite_full(state->fd,
+				     state->buf,
+				     state->count,
+				     state->offset);
 
 	if (state->ret == -1) {
 		state->vfs_aio_state.error = errno;
@@ -2579,6 +2579,13 @@ static int strict_allocate_ftruncate(vfs_handle_struct *handle, files_struct *fs
 	int ret;
 	NTSTATUS status;
 	SMB_STRUCT_STAT *pst;
+	bool ok;
+
+	ok = vfs_valid_pwrite_range(len, 0);
+	if (!ok) {
+		errno = EINVAL;
+		return -1;
+	}
 
 	status = vfs_stat_fsp(fsp);
 	if (!NT_STATUS_IS_OK(status)) {
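Review bot: The call vfs_valid_pwrite_range(len, 0) in strict_allocate_ftruncate() passes the target length in the first position and a literal 0 in the second, and without a comment it is not obvious which argument is the offset and which is the byte count, or why a zero count is the right thing to validate for a truncate. A one-line comment above the check stating what range is being validated would prevent someone from "fixing" the argument order later.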
diff --git a/source3/modules/vfs_io_uring.c b/source3/modules/vfs_io_uring.c
index 378e48d112f..4625e16c37e 100644
--- a/source3/modules/vfs_io_uring.c
+++ b/source3/modules/vfs_io_uring.c
@@ -25,6 +25,8 @@
 #include "smbd/smbd.h"
 #include "smbd/globals.h"
 #include "lib/util/tevent_unix.h"
+#include "lib/util/sys_rw.h"
+#include "lib/util/iov_buf.h"
 #include "smbprofile.h"
 #include <liburing.h>
 
@@ -33,6 +35,10 @@ struct vfs_io_uring_request;
 struct vfs_io_uring_config {
 	struct io_uring uring;
 	struct tevent_fd *fde;
+	/* recursion guard. See comment above vfs_io_uring_queue_run() */
+	bool busy;
+	/* recursion guard. See comment above vfs_io_uring_queue_run() */
+	bool need_retry;
 	struct vfs_io_uring_request *queue;
 	struct vfs_io_uring_request *pending;
 };
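Review bot: The two new fields in struct vfs_io_uring_config carry the identical comment "recursion guard. See comment above vfs_io_uring_queue_run()", which does not tell a reader how busy and need_retry differ. Suggest one line each, for example that busy is set while _vfs_io_uring_queue_run() is executing and need_retry is set by a nested call to ask the outer call for another pass.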
@@ -42,9 +48,10 @@ struct vfs_io_uring_request {
 	struct vfs_io_uring_request **list_head;
 	struct vfs_io_uring_config *config;
 	struct tevent_req *req;
-	void *state;
 	struct io_uring_sqe sqe;
 	struct io_uring_cqe cqe;
+	void (*completion_fn)(struct vfs_io_uring_request *cur,
+			      const char *location);
 	struct timespec start_time;
 	struct timespec end_time;
 	SMBPROFILE_BYTES_ASYNC_STATE(profile_bytes);
@@ -58,8 +65,9 @@ static void vfs_io_uring_finish_req(struct vfs_io_uring_request *cur,
 	struct tevent_req *req =
 		talloc_get_type_abort(cur->req,
 		struct tevent_req);
+	void *state = _tevent_req_data(req);
 
-	talloc_set_destructor(cur->state, NULL);
+	talloc_set_destructor(state, NULL);
 	if (cur->list_head != NULL) {
 		DLIST_REMOVE((*cur->list_head), cur);
 		cur->list_head = NULL;
@@ -74,7 +82,7 @@ static void vfs_io_uring_finish_req(struct vfs_io_uring_request *cur,
 	 * or tevent_req_defer_callback() being called
 	 * already.
 	 */
-	_tevent_req_done(req, location);
+	cur->completion_fn(cur, location);
 }
 
 static void vfs_io_uring_config_destroy(struct vfs_io_uring_config *config,
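Review bot: vfs_io_uring_finish_req() now calls cur->completion_fn(cur, location) unconditionally, and nothing in the visible hunks guarantees the pointer is set for every request type. A request submitted with completion_fn left NULL would crash smbd at completion time. Suggest an SMB_ASSERT on the pointer at submit time, or a comment on the struct member stating that every submitter must set it and that the callback is responsible for finishing the tevent_req.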
@@ -172,13 +180,13 @@ static int vfs_io_uring_connect(vfs_handle_struct *handle, const char *service,
 	}
 
 	num_entries = lp_parm_ulong(SNUM(handle->conn),
-				    "vfs_io_uring",
+				    "io_uring",
 				    "num_entries",
 				    128);
 	num_entries = MAX(num_entries, 1);
 
 	sqpoll = lp_parm_bool(SNUM(handle->conn),
-			     "vfs_io_uring",
+			     "io_uring",
 			     "sqpoll",
 			     false);
 	if (sqpoll) {
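Review bot: Changing the parametric option prefix from "vfs_io_uring" to "io_uring" in both lp_parm_ulong() and lp_parm_bool() means an existing smb.conf that sets vfs_io_uring:num_entries or vfs_io_uring:sqpoll will silently fall back to the defaults (128 and false). If the old prefix was a bug relative to the documentation, say so in the commit message; otherwise consider accepting the old name as a fallback or noting the rename in the release notes.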
@@ -219,7 +227,7 @@ static int vfs_io_uring_connect(vfs_handle_struct *handle, const char *service,
 	return 0;
 }
 
-static void vfs_io_uring_queue_run(struct vfs_io_uring_config *config)
+static void _vfs_io_uring_queue_run(struct vfs_io_uring_config *config)
 {
 	struct vfs_io_uring_request *cur = NULL, *next = NULL;
 	struct io_uring_cqe *cqe = NULL;
@@ -238,6 +246,7 @@ static void vfs_io_uring_queue_run(struct vfs_io_uring_config *config)
 
 	for (cur = config->queue; cur != NULL; cur = next) {
 		struct io_uring_sqe *sqe = NULL;
+		void *state = _tevent_req_data(cur->req);
 
 		next = cur->next;
 
@@ -246,7 +255,7 @@ static void vfs_io_uring_queue_run(struct vfs_io_uring_config *config)
 			break;
 		}
 
-		talloc_set_destructor(cur->state,
+		talloc_set_destructor(state,
 			vfs_io_uring_request_state_deny_destructor);
 		DLIST_REMOVE(config->queue, cur);
 		*sqe = cur->sqe;
@@ -276,6 +285,104 @@ static void vfs_io_uring_queue_run(struct vfs_io_uring_config *config)
 	io_uring_cq_advance(&config->uring, nr);
 }
 
+/*
+ * Wrapper function to prevent recursion which could happen
+ * if we called _vfs_io_uring_queue_run() directly without
+ * recursion checks.
+ *
+ * Looking at the pread call, we can have:
+ *
+ * vfs_io_uring_pread_send()
+ *        ->vfs_io_uring_pread_submit()  <-----------------------------------
+ *                ->vfs_io_uring_request_submit()                           |
+ *                        ->vfs_io_uring_queue_run()                        |
+ *                                ->_vfs_io_uring_queue_run()               |
+ *                                                                          |
+ * But inside _vfs_io_uring_queue_run() looks like:                         |
+ *                                                                          |
+ * _vfs_io_uring_queue_run() {                                              |
+ *      if (THIS_IO_COMPLETED) {                                            |
+ *              ->vfs_io_uring_finish_req()                                 |
+ *                      ->cur->completion_fn()                              |
+ *      }                                                                   |
+ * }                                                                        |
+ *                                                                          |
+ * cur->completion_fn() for pread is set to vfs_io_uring_pread_completion() |
+ *                                                                          |
+ * vfs_io_uring_pread_completion() {                                        |
+ *      if (READ_TERMINATED) {                                              |
+ *              -> tevent_req_done() - We're done, go back up the stack.    |
+ *              return;                                                     |
+ *      }                                                                   |
+ *                                                                          |
+ *      We have a short read - adjust the io vectors                        |
+ *                                                                          |
+ *      ->vfs_io_uring_pread_submit() ---------------------------------------
+ * }
+ *
+ * So before calling _vfs_io_uring_queue_run() we backet it with setting
+ * a flag config->busy, and unset it once _vfs_io_uring_queue_run() finally
+ * exits the retry loop.
+ *
+ * If we end up back into vfs_io_uring_queue_run() we notice we've done so
+ * as config->busy is set and don't recurse into _vfs_io_uring_queue_run().
+ *
+ * We set the second flag config->need_retry that tells us to loop in the
+ * vfs_io_uring_queue_run() call above us in the stack and return.
+ *
+ * When the outer call to _vfs_io_uring_queue_run() returns we are in
+ * a loop checking if config->need_retry was set. That happens if
+ * the short read case occurs and _vfs_io_uring_queue_run() ended up
+ * recursing into vfs_io_uring_queue_run().
+ *
+ * Once vfs_io_uring_pread_completion() finishes without a short
+ * read (the READ_TERMINATED case, tevent_req_done() is called)
+ * then config->need_retry is left as false, we exit the loop,
+ * set config->busy to false so the next top level call into
+ * vfs_io_uring_queue_run() won't think it's a recursed call
+ * and return.
+ *
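Review bot: The new comment block above the wrapper has a typo, "we backet it with setting a flag", which should read "bracket". It also says config->busy is unset "once _vfs_io_uring_queue_run() finally exits the retry loop", while the later paragraphs describe the retry loop as living in the vfs_io_uring_queue_run() wrapper; please make the two descriptions agree on which function owns the loop. The sentence ending "won't think it's a recursed call and return" is ambiguous about what returns and could be split in two.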


-- 
Samba Shared Repository


