[SCM] Samba Shared Repository - branch master updated

Jeremy Allison jra at samba.org
Tue Mar 1 21:00:02 UTC 2022


The branch, master has been updated
       via  8c97743511e smbd: Fix a use-after-free
       via  579c475fa62 smbd: Fix a typo
       via  40b7c862b47 vfs: Set errno in an error return
       via  2b6e557ec46 vfs: Fix a typo
       via  bdf68d64300 vfs: Fix a typo
       via  cb0201973c5 lib: Simplify parent_dirname() by using talloc_strndup()
       via  d255044e2ab lib: Use cp_smb_filename_nostream() in adouble_path()
      from  9eb27f296ae third_party/heimdal_build: Determine whether time_t is signed

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 8c97743511e4d53f795f2469a28aabfb96da0dfa
Author: Volker Lendecke <vl at samba.org>
Date:   Wed Feb 23 15:56:41 2022 +0100

    smbd: Fix a use-after-free
    
    stat_cache_lookup() allocates its result on top of talloc_tos().
    filename_convert_smb1_search_path() creates a talloc_stackframe(),
    which makes the names which were supposed to be allocated on the "ctx"
    parameter of filename_convert_smb1_search_path() go away too
    early. Reparent the results from stat_cache_lookup() properly.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=14989
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Tue Mar  1 20:59:55 UTC 2022 on sn-devel-184

commit 579c475fa6293017fd4137fa99a0ae091dfdfcad
Author: Volker Lendecke <vl at samba.org>
Date:   Wed Feb 23 15:47:45 2022 +0100

    smbd: Fix a typo
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 40b7c862b47b87e5d3fc36212e2658382bdae02b
Author: Volker Lendecke <vl at samba.org>
Date:   Tue Feb 22 17:12:44 2022 +0100

    vfs: Set errno in an error return
    
    Don't leak an unrelated errno
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 2b6e557ec46164e5bd7003199eef0193c66cf4a9
Author: Volker Lendecke <vl at samba.org>
Date:   Tue Feb 22 17:12:34 2022 +0100

    vfs: Fix a typo
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit bdf68d64300a63450fb0873f7885221c748b7cbb
Author: Volker Lendecke <vl at samba.org>
Date:   Tue Feb 22 15:49:37 2022 +0100

    vfs: Fix a typo
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit cb0201973c54cee2988331572f0f111e6d458ad4
Author: Volker Lendecke <vl at samba.org>
Date:   Tue Feb 22 15:46:14 2022 +0100

    lib: Simplify parent_dirname() by using talloc_strndup()
    
    Don't duplicate the talloc_strndup() functionality.
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit d255044e2ab971ea39f0eed25e5c53a0c56d3a3a
Author: Volker Lendecke <vl at samba.org>
Date:   Tue Feb 22 15:42:41 2022 +0100

    lib: Use cp_smb_filename_nostream() in adouble_path()
    
    No need to TALLOC_FREE(smb_fname->stream_name) later
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 source3/lib/adouble.c               | 9 +++------
 source3/lib/util.c                  | 4 ++--
 source3/modules/nfs4acl_xattr_nfs.c | 2 +-
 source3/modules/vfs_fruit.c         | 3 ++-
 source3/smbd/filename.c             | 7 +++++++
 source3/smbd/statcache.c            | 2 +-
 6 files changed, 16 insertions(+), 11 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/lib/adouble.c b/source3/lib/adouble.c
index dda7a5ec05f..ef48d1aa73a 100644
--- a/source3/lib/adouble.c
+++ b/source3/lib/adouble.c
@@ -2757,17 +2757,14 @@ int adouble_path(TALLOC_CTX *ctx,
 {
 	char *parent;
 	const char *base;
-	struct smb_filename *smb_fname = cp_smb_filename(ctx,
-						smb_fname_in);
+	struct smb_filename *smb_fname = NULL;
 
+	smb_fname = cp_smb_filename_nostream(ctx, smb_fname_in);
 	if (smb_fname == NULL) {
 		return -1;
 	}
 
-	/* We need streamname to be NULL */
-	TALLOC_FREE(smb_fname->stream_name);
-
-	/* And we're replacing base_name. */
+	/* We're replacing base_name. */
 	TALLOC_FREE(smb_fname->base_name);
 
 	SET_STAT_INVALID(smb_fname->st);
diff --git a/source3/lib/util.c b/source3/lib/util.c
index 58a42ef2f53..d39ad61db20 100644
--- a/source3/lib/util.c
+++ b/source3/lib/util.c
@@ -1429,10 +1429,10 @@ bool parent_dirname(TALLOC_CTX *mem_ctx, const char *dir, char **parent,
 
 	len = p-dir;
 
-	if (!(*parent = (char *)talloc_memdup(mem_ctx, dir, len+1))) {
+	*parent = talloc_strndup(mem_ctx, dir, len);
+	if (*parent == NULL) {
 		return False;
 	}
-	(*parent)[len] = '\0';
 
 	if (name) {
 		*name = p+1;
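Review bot: `*name = p+1` in the context just below the change hands back a pointer into the caller's `dir`, not into the new `mem_ctx` allocation, and nothing in the hunk says so. Now that the parent is built with `talloc_strndup()`, only `*parent` is owned by `mem_ctx`. This assumes `p` still points into `dir`, as `len = p-dir` suggests. A caller that frees or overwrites `dir` while keeping `*name` would read stale memory, so a comment above the assignment such as `/* *name aliases dir; it is not allocated on mem_ctx */` would make the lifetime explicit. parent_dirname() starts and ends outside the hunk, so its header comment may already cover this.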
diff --git a/source3/modules/nfs4acl_xattr_nfs.c b/source3/modules/nfs4acl_xattr_nfs.c
index 63726c3b29d..59e02bf1577 100644
--- a/source3/modules/nfs4acl_xattr_nfs.c
+++ b/source3/modules/nfs4acl_xattr_nfs.c
@@ -351,7 +351,7 @@ static bool create_special_id(TALLOC_CTX *mem_ctx,
 	char *s = talloc_strdup(mem_ctx, id);
 
 	if (s == NULL) {
-		DBG_ERR("talloc_memdup failed\n");
+		DBG_ERR("talloc_strdup failed\n");
 		return false;
 	}
 	nace->who.utf8string_val = s;
diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c
index e84c4c98d37..e54e0903c40 100644
--- a/source3/modules/vfs_fruit.c
+++ b/source3/modules/vfs_fruit.c
@@ -1563,7 +1563,7 @@ static int fruit_open_rsrc_adouble(vfs_handle_struct *handle,
 	if ((!(flags & O_CREAT)) &&
 	    S_ISDIR(fsp->base_fsp->fsp_name->st.st_ex_mode))
 	{
-		/* sorry, but directories don't habe a resource fork */
+		/* sorry, but directories don't have a resource fork */
 		errno = EISDIR;
 		rc = -1;
 		goto exit;
@@ -1721,6 +1721,7 @@ static int fruit_open_rsrc(vfs_handle_struct *handle,
 
 	default:
 		DBG_ERR("Unexpected rsrc config [%d]\n", config->rsrc);
+		errno = EINVAL;
 		return -1;
 	}
 
diff --git a/source3/smbd/filename.c b/source3/smbd/filename.c
index 33aed86718f..123fe951639 100644
--- a/source3/smbd/filename.c
+++ b/source3/smbd/filename.c
@@ -1141,6 +1141,13 @@ NTSTATUS unix_convert(TALLOC_CTX *mem_ctx,
 					  &state->name,
 					  state->smb_fname->twrp,
 					  &state->smb_fname->st);
+		/*
+		 * stat_cache_lookup() allocates on talloc_tos() even
+		 * when !found, reparent correctly
+		 */
+		talloc_steal(state->smb_fname, state->smb_fname->base_name);
+		talloc_steal(state->mem_ctx, state->dirpath);
+
 		if (found) {
 			goto done;
 		}
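Review bot: The ownership rule that makes these two `talloc_steal()` calls necessary is recorded only in this comment, at one call site inside unix_convert(). The part of the stat_cache_lookup() doc comment visible in the source3/smbd/statcache.c hunk does not mention that the strings it writes back live on talloc_tos(). Any other caller that runs under its own talloc_stackframe() would presumably see the same early free, though whether such callers exist is not visible here. I would state the contract once at the callee, for example `@note The name and dirpath strings written back are allocated on talloc_tos(), even when the lookup fails; callers must talloc_steal() them to their intended parent.` unix_convert() starts and ends outside the hunk.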
diff --git a/source3/smbd/statcache.c b/source3/smbd/statcache.c
index f8d58214c45..4138a9287ad 100644
--- a/source3/smbd/statcache.c
+++ b/source3/smbd/statcache.c
@@ -190,7 +190,7 @@ void stat_cache_add( const char *full_orig_name,
  * 		  of the name up.
  * @param psd     A stat buffer, NOT from the cache, but just a side-effect.
  *
- * @return True if we translated (and did a scuccessful stat on) the entire
+ * @return True if we translated (and did a successful stat on) the entire
  * 		  name.
  *
  */


-- 
Samba Shared Repository


