[SCM] Samba Shared Repository - branch v4-12-test updated
Karolin Seeger
kseeger at samba.org
Thu Nov 19 14:10:03 UTC 2020
The branch, v4-12-test has been updated
via b3665f70109 vfs_shadow_copy2: Preserve all open flags assuming ROFS
via 58eaf85bd92 s3: spoolss: Make parameters in call to user_ok_token() match all other uses.
via dcce5e5bf67 s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with NULL via TALLOC_FREE().
via 4873f377e75 interface: fix if_index is not parsed correctly
via a6782e76046 s3: modules: gluster. Fix the error I made in preventing talloc leaks from a function.
via 8136ade13f8 libcli: smb2: Never print length if smb2_signing_key_valid() fails for crypto blob.
from 9215dc9dc69 s3-vfs_glusterfs: always disable write-behind translator
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-12-test
- Log -----------------------------------------------------------------
commit b3665f70109b634564974de966d255807c0547f0
Author: Anoop C S <anoopcs at samba.org>
Date: Thu Nov 12 20:27:24 2020 +0530
vfs_shadow_copy2: Preserve all open flags assuming ROFS
Instead of replacing open flags with just O_RDONLY, filter out all those
flags unrelated to a Read Only File System
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14573
Signed-off-by: Anoop C S <anoopcs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Thu Nov 12 17:23:19 UTC 2020 on sn-devel-184
(cherry picked from commit e9e06a11daf036abf7a7022ebc8eaefde178aa52)
Autobuild-User(v4-12-test): Karolin Seeger <kseeger at samba.org>
Autobuild-Date(v4-12-test): Thu Nov 19 14:09:43 UTC 2020 on sn-devel-184
commit 58eaf85bd924f4f9264d677486c0122a5a2c9f9f
Author: Jeremy Allison <jra at samba.org>
Date: Thu Nov 5 15:48:08 2020 -0800
s3: spoolss: Make parameters in call to user_ok_token() match all other uses.
We already have p->session_info->unix_info->unix_name, we don't
need to go through a legacy call to uidtoname(p->session_info->unix_token->uid).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14568
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Mon Nov 9 04:10:45 UTC 2020 on sn-devel-184
(cherry picked from commit e5e1759057a767f517bf480a2172a36623df2799)
commit dcce5e5bf679e8d9afeb9bb9455da2c98b3ae7b2
Author: Jeremy Allison <jra at samba.org>
Date: Sat Sep 26 22:14:33 2020 -0700
s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with NULL via TALLOC_FREE().
They may have been carefully set by the aio_del_req_from_fsp()
destructor so we must not overwrite here.
Found via some *amazing* debugging work from Ashok Ramakrishnan <aramakrishnan at nasuni.com>.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14515
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Wed Sep 30 11:18:43 UTC 2020 on sn-devel-184
(cherry picked from commit fca8cb63762faff54cda243c1ed8217b36333131)
commit 4873f377e75d5104b4ca2afbc36783b850463eb0
Author: Jones Syue <jonessyue at qnap.com>
Date: Mon Sep 28 09:10:03 2020 +0800
interface: fix if_index is not parsed correctly
Replace probed_ifaces[i] with ifs.
In SDC 2020 SMB3 Virtual IO Lab,
run Windows Protocol Test Suite to test FileServer multichannel test cases.
Samba server has 2 virtual interfaces for VPN connection:
> name=tun2001, ip/mask=192.168.144.9/22
> name=tun2002, ip/mask=192.168.144.10/22
The test suite client can ping these 2 ip addresses and browse shares.
Then the client tries to use IOCTL FSCTL_QUERY_NETWORK_INTERFACE_INFO to get the
virtual ip addresses of the samba server, but the samba server responded
without the virtual ip addresses. My VPN setup is point-to-point and the
virtual interfaces 'tun2001' & 'tun2002' are without flag IFF_BROADCAST.
So edit smb.conf and add
"interfaces = ${virtual_ip}/${mask_length};if_index=${id}", like this:
> interfaces = eth4 eth8 eth11 eth10 qvs0 "192.168.144.9/22;if_index=50" "192.168.144.10/22;if_index=51"
then the samba server IOCTL response could return the virtual ip addresses,
but found an issue:
the interface index of virtual ip addresses is always 4294967295
(0xFFFFFFFF, -1).
Quote Metze: https://gitlab.com/samba-team/devel/samba/-/commit/6cadb55d975a6348a417caed8b3258f5be2acba4#note_419181789
This looks good, I think that also explains
the possible memory corruption/crash I mentioned in the bug report.
As 'i' is most likely the same as 'total_probed' and
probed_ifaces[i] is not valid, so we overwrite unrelated memory.
Later I see 'realloc(): invalid pointer' and this backtrace:
BACKTRACE:
#0 log_stack_trace + 0x29 [ip=0x7f2f1b6fffa9] [sp=0x7ffcd0ab53e0]
#1 smb_panic + 0x11 [ip=0x7f2f1b700301] [sp=0x7ffcd0ab5d10]
#2 sig_fault + 0x54 [ip=0x7f2f1b7004f4] [sp=0x7ffcd0ab5e20]
#3 funlockfile + 0x50 [ip=0x7f2f17ce6dd0] [sp=0x7ffcd0ab5ec0]
#4 gsignal + 0x10f [ip=0x7f2f1794970f] [sp=0x7ffcd0ab6b90]
#5 abort + 0x127 [ip=0x7f2f17933b25] [sp=0x7ffcd0ab6cb0]
#6 __libc_message + 0x297 [ip=0x7f2f1798c897] [sp=0x7ffcd0ab6de0]
#7 malloc_printerr + 0x1c [ip=0x7f2f17992fdc] [sp=0x7ffcd0ab6ef0]
#8 realloc + 0x23a [ip=0x7f2f17997f6a] [sp=0x7ffcd0ab6f00]
#9 _talloc_realloc + 0xee [ip=0x7f2f1a365d2e] [sp=0x7ffcd0ab6f50]
#10 messaging_filtered_read_send + 0x18c [ip=0x7f2f1a10f54c] [sp=0x7ffcd0ab6fb0]
#11 messaging_read_send + 0x55 [ip=0x7f2f1a10f705] [sp=0x7ffcd0ab7000]
#12 smb2srv_session_table_init + 0x83 [ip=0x7f2f1b3a6cd3] [sp=0x7ffcd0ab7040]
#13 smbXsrv_connection_init_tables + 0x2d [ip=0x7f2f1b373f4d] [sp=0x7ffcd0ab7060]
#14 smbd_smb2_request_process_negprot + 0x827 [ip=0x7f2f1b38cb47] [sp=0x7ffcd0ab7080]
#15 smbd_smb2_request_dispatch + 0x19db [ip=0x7f2f1b38921b] [sp=0x7ffcd0ab71d0]
#16 smbd_smb2_process_negprot + 0x298 [ip=0x7f2f1b38bb38] [sp=0x7ffcd0ab7260]
#17 process_smb + 0x2ca [ip=0x7f2f1b37537a] [sp=0x7ffcd0ab72b0]
#18 smbd_server_connection_read_handler + 0xd0 [ip=0x7f2f1b376420] [sp=0x7ffcd0ab7350]
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14514
Signed-off-by: Jones Syue <jonessyue at qnap.com>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit b78ff5717654064c8a4facc54a8e9833e5843c21)
commit a6782e760460d598709481b435fee209dae60de3
Author: Jeremy Allison <jra at samba.org>
Date: Tue Nov 10 10:18:18 2020 -0800
s3: modules: gluster. Fix the error I made in preventing talloc leaks from a function.
file_lines_parse() plays horrible tricks with
the passed-in talloc pointers and the hierarchy
which makes freeing hard to get right.
As we know mem_ctx is freed by the caller, after
calling file_lines_parse don't free on exit and let the caller
handle it. This violates good Samba coding practice
but we know we're not leaking here.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14486
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
Autobuild-User(master): Günther Deschner <gd at samba.org>
Autobuild-Date(master): Wed Nov 11 15:02:27 UTC 2020 on sn-devel-184
(cherry picked from commit 457b49c67803dd95abc8502c2a410fac273f6fba)
commit 8136ade13f8236ea10f5a2b59b5cb117f3298d76
Author: Jeremy Allison <jra at samba.org>
Date: Fri Nov 13 14:18:43 2020 -0800
libcli: smb2: Never print length if smb2_signing_key_valid() fails for crypto blob.
Blob could be NULL.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14210
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Mon Nov 16 09:47:38 UTC 2020 on sn-devel-184
(cherry picked from commit 26ba04a4d1987a859152751e6083d9b9aef770ff)
-----------------------------------------------------------------------
Summary of changes:
libcli/smb/smb2_signing.c | 9 +++------
source3/lib/interface.c | 2 +-
source3/modules/vfs_glusterfs.c | 20 ++++++++++++--------
source3/modules/vfs_shadow_copy2.c | 4 ++--
source3/rpc_server/spoolss/srv_spoolss_nt.c | 3 ++-
source3/smbd/close.c | 14 +++++++++++++-
6 files changed, 33 insertions(+), 19 deletions(-)
Changeset truncated at 500 lines:
diff --git a/libcli/smb/smb2_signing.c b/libcli/smb/smb2_signing.c
index 623fc23fb18..cc03607d789 100644
--- a/libcli/smb/smb2_signing.c
+++ b/libcli/smb/smb2_signing.c
@@ -92,8 +92,7 @@ NTSTATUS smb2_signing_sign_pdu(struct smb2_signing_key *signing_key,
}
if (!smb2_signing_key_valid(signing_key)) {
- DBG_WARNING("Wrong session key length %zu for SMB2 signing\n",
- signing_key->blob.length);
+ DBG_WARNING("No signing key for SMB2 signing\n");
return NT_STATUS_ACCESS_DENIED;
}
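Review bot: In smb2_signing_sign_pdu() the replacement warning drops the key length altogether, so a log reader can no longer tell a missing key from one that is present but rejected by smb2_signing_key_valid(). Only the read of signing_key->blob.length on the failure path was unsafe; consider logging which condition failed, or printing the length only on the path where the key is known to be present.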
@@ -416,8 +415,7 @@ NTSTATUS smb2_signing_encrypt_pdu(struct smb2_signing_key *encryption_key,
tf = (uint8_t *)vector[0].iov_base;
if (!smb2_signing_key_valid(encryption_key)) {
- DBG_WARNING("Wrong encryption key length %zu for SMB2 signing\n",
- encryption_key->blob.length);
+ DBG_WARNING("No encryption key for SMB2 signing\n");
return NT_STATUS_ACCESS_DENIED;
}
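Review bot: The new text in smb2_signing_encrypt_pdu() reads "No encryption key for SMB2 signing", but this is the encryption path; the "for SMB2 signing" tail is carried over from the old message and misleads anyone grepping logs for signing failures. Suggest "No encryption key for SMB2 encryption" here and the matching wording in smb2_signing_decrypt_pdu().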
@@ -613,8 +611,7 @@ NTSTATUS smb2_signing_decrypt_pdu(struct smb2_signing_key *decryption_key,
tf = (uint8_t *)vector[0].iov_base;
if (!smb2_signing_key_valid(decryption_key)) {
- DBG_WARNING("Wrong decryption key length %zu for SMB2 signing\n",
- decryption_key->blob.length);
+ DBG_WARNING("No decryption key for SMB2 signing\n");
return NT_STATUS_ACCESS_DENIED;
}
diff --git a/source3/lib/interface.c b/source3/lib/interface.c
index af81695abab..cf711fb172f 100644
--- a/source3/lib/interface.c
+++ b/source3/lib/interface.c
@@ -602,7 +602,7 @@ static void interpret_interface(char *token)
ifs.netmask = ss_mask;
ifs.bcast = ss_bcast;
if (if_index_set) {
- probed_ifaces[i].if_index = if_index;
+ ifs.if_index = if_index;
}
if (speed_set) {
ifs.linkspeed = speed;
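Review bot: The one-line fix in interpret_interface() comes without a test, although the old store to probed_ifaces[i].if_index went unnoticed until a client reported an interface index of 0xFFFFFFFF and the commit message ties it to overwriting unrelated memory. Suggest a small test that parses an "addr/mask;if_index=N" token and checks the if_index of the resulting entry, plus a check that no other option in this explicit-address path still writes through probed_ifaces[i], since the neighbouring linkspeed assignment already goes through ifs.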
diff --git a/source3/modules/vfs_glusterfs.c b/source3/modules/vfs_glusterfs.c
index 3f00e87c5e0..c338674ac3c 100644
--- a/source3/modules/vfs_glusterfs.c
+++ b/source3/modules/vfs_glusterfs.c
@@ -315,15 +315,25 @@ static int check_for_write_behind_translator(TALLOC_CTX *mem_ctx,
return -1;
}
+ /*
+ * file_lines_parse() plays horrible tricks with
+ * the passed-in talloc pointers and the hierarcy
+ * which makes freeing hard to get right.
+ *
+ * As we know mem_ctx is freed by the caller, after
+ * this point don't free on exit and let the caller
+ * handle it. This violates good Samba coding practice
+ * but we know we're not leaking here.
+ */
+
lines = file_lines_parse(buf,
newlen,
&numlines,
mem_ctx);
if (lines == NULL || numlines <= 0) {
- TALLOC_FREE(option);
- TALLOC_FREE(buf);
return -1;
}
+ /* On success, buf is now a talloc child of lines !! */
for (i=0; i < numlines; i++) {
if (strequal(lines[i], option)) {
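Review bot: The early return after file_lines_parse() now depends on every caller of check_for_write_behind_translator() passing a short-lived mem_ctx, and that requirement is stated only in a comment in the middle of the body. Suggest moving it to the function's header comment as an explicit contract (mem_ctx must be a temporary context that the caller frees), so a later caller passing a long-lived context does not accumulate option, buf and lines. The new comment also spells "hierarchy" as "hierarcy".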
@@ -338,15 +348,9 @@ static int check_for_write_behind_translator(TALLOC_CTX *mem_ctx,
"Please check the vfs_glusterfs(8) manpage for "
"further details.\n",
volume);
- TALLOC_FREE(lines);
- TALLOC_FREE(option);
- TALLOC_FREE(buf);
return -1;
}
- TALLOC_FREE(lines);
- TALLOC_FREE(option);
- TALLOC_FREE(buf);
return 0;
}
diff --git a/source3/modules/vfs_shadow_copy2.c b/source3/modules/vfs_shadow_copy2.c
index 1957015931b..dc4176e25df 100644
--- a/source3/modules/vfs_shadow_copy2.c
+++ b/source3/modules/vfs_shadow_copy2.c
@@ -1462,7 +1462,7 @@ static int shadow_copy2_open(vfs_handle_struct *handle,
* EINVAL which we carefully map to EROFS. In sum, this
* matches Windows behaviour.
*/
- flags = O_RDONLY;
+ flags &= ~(O_WRONLY | O_RDWR | O_CREAT);
}
return SMB_VFS_NEXT_OPEN(handle, smb_fname, fsp, flags, mode);
}
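Review bot: The mask in shadow_copy2_open() clears O_CREAT but leaves O_EXCL and O_TRUNC in flags. POSIX leaves the result undefined for O_EXCL without O_CREAT and for O_TRUNC without O_WRONLY or O_RDWR, so the filtered value can still be a combination the next open is free to reject or act on. Suggest adding both to the mask, or a comment saying they are kept on purpose. Clearing O_WRONLY | O_RDWR also yields O_RDONLY only where O_RDONLY is 0; (flags & ~O_ACCMODE) | O_RDONLY states the intent directly.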
@@ -1483,7 +1483,7 @@ static int shadow_copy2_open(vfs_handle_struct *handle,
* pwrite() syscall with EINVAL which we carefully map to EROFS. In sum,
* this matches Windows behaviour.
*/
- flags = O_RDONLY;
+ flags &= ~(O_WRONLY | O_RDWR | O_CREAT);
ret = SMB_VFS_NEXT_OPEN(handle, smb_fname, fsp, flags, mode);
if (ret == -1) {
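Review bot: This is the second copy of the same flag mask in shadow_copy2_open(), and the two can drift apart if one is extended later. Suggest a single helper or macro for the read-only flag filtering, used at both call sites.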
diff --git a/source3/rpc_server/spoolss/srv_spoolss_nt.c b/source3/rpc_server/spoolss/srv_spoolss_nt.c
index c80fc2aac2d..eb47cb20581 100644
--- a/source3/rpc_server/spoolss/srv_spoolss_nt.c
+++ b/source3/rpc_server/spoolss/srv_spoolss_nt.c
@@ -1871,7 +1871,8 @@ WERROR _spoolss_OpenPrinterEx(struct pipes_struct *p,
return WERR_ACCESS_DENIED;
}
- if (!user_ok_token(uidtoname(p->session_info->unix_token->uid), NULL,
+ if (!user_ok_token(p->session_info->unix_info->unix_name,
+ p->session_info->info->domain_name,
p->session_info->security_token, snum) ||
!W_ERROR_IS_OK(print_access_check(p->session_info,
p->msg_ctx,
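Review bot: In _spoolss_OpenPrinterEx() the second argument to user_ok_token() changes from NULL to p->session_info->info->domain_name, which alters an input to the access check and is more than a cleanup of the uidtoname() call, yet the commit message talks only about the user name. Suggest saying in the message or a comment what passing the domain changes for the access decision, and adding a test with a domain-qualified user.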
diff --git a/source3/smbd/close.c b/source3/smbd/close.c
index 1a6e33b4403..42be29b03be 100644
--- a/source3/smbd/close.c
+++ b/source3/smbd/close.c
@@ -666,7 +666,19 @@ static void assert_no_pending_aio(struct files_struct *fsp,
* fsp->aio_requests[x], causing a crash.
*/
while (fsp->num_aio_requests != 0) {
- TALLOC_FREE(fsp->aio_requests[0]);
+ /*
+ * NB. We *MUST* use
+ * talloc_free(fsp->aio_requests[0]),
+ * and *NOT* TALLOC_FREE() here, as
+ * TALLOC_FREE(fsp->aio_requests[0])
+ * will overwrite any new contents of
+ * fsp->aio_requests[0] that were
+ * copied into it via the destructor
+ * aio_del_req_from_fsp().
+ *
+ * BUG: https://bugzilla.samba.org/show_bug.cgi?id=14515
+ */
+ talloc_free(fsp->aio_requests[0]);
}
return;
}
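Review bot: The loop in assert_no_pending_aio() terminates only if each talloc_free() runs the destructor and lowers fsp->num_aio_requests, but the return value of talloc_free(fsp->aio_requests[0]) is ignored. talloc_free() returns -1 when the free is refused, and in that case this while loop spins forever on the same entry. Suggest checking the result and calling smb_panic() or breaking out of the loop on failure.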
--
Samba Shared Repository