[SCM] Samba Shared Repository - branch master updated

Jeremy Allison jra at samba.org
Wed Jul 27 17:50:01 UTC 2022


The branch, master has been updated
       via  4286e359b35 s3: smbd: Convert call_nt_transact_create() to use filename_convert_dirfsp().
       via  22fae651656 s3: smbd: Inside filename_convert_dirfsp_nosymlink() ensure the returned smb_fname is always allocated off mem_ctx.
       via  31479d7781d s3: smbd: In openat_pathref_dirfsp_nosymlink() ensure we call fsp_smb_fname_link() to set smb_fname->fsp in the returned smb_fname.
      from  3ddc9344c2f CVE-2022-32742: s3: smbd: Harden the smbreq_bufrem() macro.

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 4286e359b359b9ce07fb3a1c377b1803885c37b6
Author: Jeremy Allison <jra at samba.org>
Date:   Mon Jul 25 16:30:06 2022 -0700

    s3: smbd: Convert call_nt_transact_create() to use filename_convert_dirfsp().
    
    One less use of filename_convert().
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Volker Lendecke <vl at samba.org>
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Wed Jul 27 17:49:51 UTC 2022 on sn-devel-184

commit 22fae651656eb4e151d75b0464ef549e4af235f7
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Jul 26 14:34:27 2022 -0700

    s3: smbd: Inside filename_convert_dirfsp_nosymlink() ensure the returned smb_fname is always allocated off mem_ctx.
    
    Without this, if we just return smb_fname_rel->fsp->fsp_name as the smb_fname
    then we return something allocated off fsp (which itself is allocated off
    the conn struct), not the passed in talloc_ctx.
    
    Do this for both non-stream and stream returns.
    
    This matters for two reasons.
    
    1). If we error out after calling filename_convert_dirfsp()
    but before getting to the code inside create_file_unixpath()
    that takes ownership of the passed in smb_fname->fsp we will
    leak the fsp as the destructor for smb_fname that closes the
    fsp will never fire on return to the client, as smb_fname is
    owned by smb_fname->fsp, not the talloc_tos() context.
    
    2). Some uses of filename_convert() expect to be able
    to TALLOC_FREE the returned smb_fname once they've successfully
    called SMB_VFS_CREATE_FILE() as they consider the passed in smb_fname
    no longer used. It would be nice to be able to just change
    filename_convert() -> filename_convert_dirfsp() without
    having to change the lifetime handling of smb_fname.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Volker Lendecke <vl at samba.org>

commit 31479d7781d3e566d9f6258016a13f349fe05389
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Jul 26 14:29:21 2022 -0700

    s3: smbd: In openat_pathref_dirfsp_nosymlink() ensure we call fsp_smb_fname_link() to set smb_fname->fsp in the returned smb_fname.
    
    Instead of just assigning smb_fname->fsp = fsp.
    
    This makes the logic match that of openat_pathref_fullname() and parent_pathref()
    when returning smb_fnames with associated pathref fsp's.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Volker Lendecke <vl at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 source3/smbd/filename.c     | 22 ++++++++++++++++++++--
 source3/smbd/files.c        |  7 ++++++-
 source3/smbd/smb1_nttrans.c | 20 +++++++++++++-------
 3 files changed, 39 insertions(+), 10 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/smbd/filename.c b/source3/smbd/filename.c
index 7600fc2c25d..0f9921b62fa 100644
--- a/source3/smbd/filename.c
+++ b/source3/smbd/filename.c
@@ -2916,7 +2916,16 @@ static NTSTATUS filename_convert_dirfsp_nosymlink(
 	}
 
 	if (saved_streamname == NULL) {
-		smb_fname = smb_fname_rel->fsp->fsp_name;
+		/* smb_fname must be allocated off mem_ctx. */
+		smb_fname = cp_smb_filename(mem_ctx,
+					    smb_fname_rel->fsp->fsp_name);
+		if (smb_fname == NULL) {
+			goto fail;
+		}
+		status = move_smb_fname_fsp_link(smb_fname, smb_fname_rel);
+		if (!NT_STATUS_IS_OK(status)) {
+			goto fail;
+		}
 		goto done;
 	}
 
@@ -2947,7 +2956,16 @@ static NTSTATUS filename_convert_dirfsp_nosymlink(
 	}
 
 	if (NT_STATUS_IS_OK(status)) {
-		smb_fname = smb_fname_rel->fsp->fsp_name;
+		/* smb_fname must be allocated off mem_ctx. */
+		smb_fname = cp_smb_filename(mem_ctx,
+					    smb_fname_rel->fsp->fsp_name);
+		if (smb_fname == NULL) {
+			goto fail;
+		}
+		status = move_smb_fname_fsp_link(smb_fname, smb_fname_rel);
+		if (!NT_STATUS_IS_OK(status)) {
+			goto fail;
+		}
 		goto done;
 	}
 
diff --git a/source3/smbd/files.c b/source3/smbd/files.c
index 5d8e292714f..9a81a16b3ec 100644
--- a/source3/smbd/files.c
+++ b/source3/smbd/files.c
@@ -944,7 +944,12 @@ next:
 		goto nomem;
 	}
 
-	result->fsp = fsp;
+	status = fsp_smb_fname_link(fsp,
+					&result->fsp_link,
+					&result->fsp);
+	if (!NT_STATUS_IS_OK(status)) {
+		goto fail;
+	}
 	talloc_set_destructor(result, smb_fname_fsp_destructor);
 
 	*_smb_fname = result;
diff --git a/source3/smbd/smb1_nttrans.c b/source3/smbd/smb1_nttrans.c
index 2ada93bbfa2..acb09fb7650 100644
--- a/source3/smbd/smb1_nttrans.c
+++ b/source3/smbd/smb1_nttrans.c
@@ -958,6 +958,7 @@ static void call_nt_transact_create(connection_struct *conn,
 	uint32_t fattr=0;
 	off_t file_len = 0;
 	int info = 0;
+	struct files_struct *dirfsp = NULL;
 	files_struct *fsp = NULL;
 	char *p = NULL;
 	uint32_t flags;
@@ -982,6 +983,7 @@ static void call_nt_transact_create(connection_struct *conn,
 	uint8_t oplock_granted;
 	struct case_semantics_state *case_state = NULL;
 	uint32_t ucf_flags;
+	NTTIME twrp = 0;
 	TALLOC_CTX *ctx = talloc_tos();
 
 	DEBUG(5,("call_nt_transact_create\n"));
@@ -1078,12 +1080,16 @@ static void call_nt_transact_create(connection_struct *conn,
 	}
 
 	ucf_flags = filename_create_ucf_flags(req, create_disposition);
-	status = filename_convert(ctx,
-				conn,
-				fname,
-				ucf_flags,
-				0,
-				&smb_fname);
+	if (ucf_flags & UCF_GMT_PATHNAME) {
+		extract_snapshot_token(fname, &twrp);
+	}
+	status = filename_convert_dirfsp(ctx,
+					 conn,
+					 fname,
+					 ucf_flags,
+					 twrp,
+					 &dirfsp,
+					 &smb_fname);
 
 	TALLOC_FREE(case_state);
 
@@ -1187,7 +1193,7 @@ static void call_nt_transact_create(connection_struct *conn,
 	status = SMB_VFS_CREATE_FILE(
 		conn,					/* conn */
 		req,					/* req */
-		NULL,					/* dirfsp */
+		dirfsp,					/* dirfsp */
 		smb_fname,				/* fname */
 		access_mask,				/* access_mask */
 		share_access,				/* share_access */


-- 
Samba Shared Repository



More information about the samba-cvs mailing list