[SCM] Samba Shared Repository - branch master updated

Ralph Böhme slow at samba.org
Thu Jul 27 10:53:01 UTC 2023 

The branch, master has been updated
       via  20df26b9081 s3: smbd: Sanitize any "server" and "share" components of SMB1 DFS paths to remove UNIX separators.
       via  2aa9ffa2f0f s3: torture: Add test to show an SMB1 DFS path of "\x//\/" crashes smbd.
      from  c2e83ebe726 mdssvc: fix returning file modification date for older Mac releases

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 20df26b908182f0455f301a51aeb54b6044af580
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Jul 26 16:39:51 2023 -0700

    s3: smbd: Sanitize any "server" and "share" components of SMB1 DFS paths to remove UNIX separators.
    
    Remove knownfail.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15419
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    
    Autobuild-User(master): Ralph Böhme <slow at samba.org>
    Autobuild-Date(master): Thu Jul 27 10:52:50 UTC 2023 on atb-devel-224

commit 2aa9ffa2f0fc79599efbfe0c37aac4ef5160f712
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Jul 26 16:37:11 2023 -0700

    s3: torture: Add test to show an SMB1 DFS path of "\\x//\\/" crashes smbd.
    
    Adds knownfail.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15419
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 source3/selftest/tests.py       | 14 +++++++++++
 source3/smbd/smb2_reply.c       | 31 +++++++++++++++++++++++
 source3/torture/proto.h         |  1 +
 source3/torture/test_smb1_dfs.c | 56 +++++++++++++++++++++++++++++++++++++++++
 source3/torture/torture.c       |  4 +++
 5 files changed, 106 insertions(+)


Changeset truncated at 500 lines:

diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index d2b5409d0a9..a10969adbb4 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -357,6 +357,20 @@ plantestsuite("samba3.smbtorture_s3.smb1.SMB1-DFS-OPERATIONS",
                 '$PASSWORD',
                 smbtorture3,
                 "-mNT1"])
+#
+# SMB1-DFS-BADPATH needs to run against a special share msdfs-pathname-share
+# BUG: https://bugzilla.samba.org/show_bug.cgi?id=15419
+#
+plantestsuite("samba3.smbtorture_s3.smb1.SMB1-DFS-BADPATH",
+                "fileserver_smb1",
+                [os.path.join(samba3srcdir,
+                              "script/tests/test_smbtorture_s3.sh"),
+                'SMB1-DFS-BADPATH',
+                '//$SERVER_IP/msdfs-pathname-share',
+                '$USERNAME',
+                '$PASSWORD',
+                smbtorture3,
+                "-mNT1"])
 
 #
 # SMB2-STREAM-ACL needs to run against a special share - vfs_wo_fruit
diff --git a/source3/smbd/smb2_reply.c b/source3/smbd/smb2_reply.c
index 9113878fa8c..66b735e0b75 100644
--- a/source3/smbd/smb2_reply.c
+++ b/source3/smbd/smb2_reply.c
@@ -324,6 +324,7 @@ static size_t srvstr_get_path_internal(TALLOC_CTX *ctx,
 		char *share = NULL;
 		char *remaining_path = NULL;
 		char path_sep = 0;
+		char *p = NULL;
 
 		if (posix_pathnames && (dst[0] == '/')) {
 			path_sep = dst[0];
@@ -374,6 +375,16 @@ static size_t srvstr_get_path_internal(TALLOC_CTX *ctx,
 		if (share == NULL) {
 			goto local_path;
 		}
+		/*
+		 * Ensure the server name does not contain
+		 * any possible path components by converting
+		 * them to _'s.
+		 */
+		for (p = server + 1; p < share; p++) {
+			if (*p == '/' || *p == '\\') {
+				*p = '_';
+			}
+		}
 		/*
 		 * It's a well formed DFS path with
 		 * at least server and share components.
@@ -388,6 +399,16 @@ static size_t srvstr_get_path_internal(TALLOC_CTX *ctx,
 		 */
 		remaining_path = strchr(share+1, path_sep);
 		if (remaining_path == NULL) {
+			/*
+			 * Ensure the share name does not contain
+			 * any possible path components by converting
+			 * them to _'s.
+			 */
+			for (p = share + 1; *p; p++) {
+				if (*p == '/' || *p == '\\') {
+					*p = '_';
+				}
+			}
 			/*
 			 * If no remaining path this was
 			 * a bare /server/share path. Just return.
@@ -395,6 +416,16 @@ static size_t srvstr_get_path_internal(TALLOC_CTX *ctx,
 			*err = NT_STATUS_OK;
 			return ret;
 		}
+		/*
+		 * Ensure the share name does not contain
+		 * any possible path components by converting
+		 * them to _'s.
+		 */
+		for (p = share + 1; p < remaining_path; p++) {
+			if (*p == '/' || *p == '\\') {
+				*p = '_';
+			}
+		}
 		*remaining_path = '/';
 		dst = remaining_path + 1;
 		/* dst now points at any following components. */
diff --git a/source3/torture/proto.h b/source3/torture/proto.h
index a67a771ef45..93d0727e936 100644
--- a/source3/torture/proto.h
+++ b/source3/torture/proto.h
@@ -127,6 +127,7 @@ bool run_smb2_dfs_filename_leading_backslash(int dummy);
 bool run_smb1_dfs_paths(int dummy);
 bool run_smb1_dfs_search_paths(int dummy);
 bool run_smb1_dfs_operations(int dummy);
+bool run_smb1_dfs_check_badpath(int dummy);
 bool run_list_dir_async_test(int dummy);
 bool run_delete_on_close_non_empty(int dummy);
 bool run_delete_on_close_nonwrite_delete_yes_test(int dummy);
diff --git a/source3/torture/test_smb1_dfs.c b/source3/torture/test_smb1_dfs.c
index c14d207c82a..6d55de9912f 100644
--- a/source3/torture/test_smb1_dfs.c
+++ b/source3/torture/test_smb1_dfs.c
@@ -3810,6 +3810,26 @@ static bool test_smb1_chkpath(struct cli_state *cli)
 	return retval;
 }
 
+/*
+ * Test BUG: https://bugzilla.samba.org/show_bug.cgi?id=15419
+ */
+
+static bool test_smb1_chkpath_bad(struct cli_state *cli)
+{
+	NTSTATUS status;
+
+	status = smb1_chkpath(cli, "\\x//\\/");
+	if (!NT_STATUS_IS_OK(status)) {
+		printf("%s:%d SMB1chkpath of %s failed (%s)\n",
+			__FILE__,
+			__LINE__,
+			"\\x//\\/",
+			nt_errstr(status));
+		return false;
+	}
+	return true;
+}
+
 static NTSTATUS smb1_ctemp(struct cli_state *cli,
 			   const char *path,
 			   char **tmp_path)
@@ -4226,3 +4246,39 @@ bool run_smb1_dfs_operations(int dummy)
 	(void)smb1_dfs_delete(cli, "\\BAD\\BAD\\file");
 	return retval;
 }
+
+/*
+ * Test BUG: https://bugzilla.samba.org/show_bug.cgi?id=15419
+ */
+
+bool run_smb1_dfs_check_badpath(int dummy)
+{
+	struct cli_state *cli = NULL;
+	bool dfs_supported = false;
+
+	printf("Starting SMB1-DFS-CHECK-BADPATH\n");
+
+	if (!torture_init_connection(&cli)) {
+		return false;
+	}
+
+	if (!torture_open_connection(&cli, 0)) {
+		return false;
+	}
+
+	/* Ensure this is a DFS share. */
+	dfs_supported = smbXcli_conn_dfs_supported(cli->conn);
+	if (!dfs_supported) {
+		printf("Server %s does not support DFS\n",
+			smbXcli_conn_remote_name(cli->conn));
+		return false;
+	}
+	dfs_supported = smbXcli_tcon_is_dfs_share(cli->smb1.tcon);
+	if (!dfs_supported) {
+		printf("Share %s does not support DFS\n",
+			cli->share);
+		return false;
+	}
+
+	return test_smb1_chkpath_bad(cli);
+}
diff --git a/source3/torture/torture.c b/source3/torture/torture.c
index 013879eefeb..ab992665323 100644
--- a/source3/torture/torture.c
+++ b/source3/torture/torture.c
@@ -15385,6 +15385,10 @@ static struct {
 		.name  = "SMB1-DFS-OPERATIONS",
 		.fn    = run_smb1_dfs_operations,
 	},
+	{
+		.name  = "SMB1-DFS-BADPATH",
+		.fn    = run_smb1_dfs_check_badpath,
+	},
 	{
 		.name  = "CLEANUP1",
 		.fn    = run_cleanup1,


-- 
Samba Shared Repository

More information about the samba-cvs mailing list