Client stuck in an "infinite" loop due to illegal character in name

Shlomi Yaakobovich Shlomi at
Mon Jul 16 07:33:25 GMT 2007


We're running samba 3.0.20, and we've seen some strange behavior. In our
configuration, mangling is disabled. The client is in the process of
reading a directory (i.e. opening an explorer window). If the last file
returned to the client contains an illegal character (and not just a
plain illegal one: its ASCII value is below 31), then the resume_name is
transformed into the "." name, and rewinddir is called. This causes the
file names from the beginning of the directory to be sent over and over
again to the client, in what seems like an infinite loop. The client (I
used Windows XP) does not seem to recover from this or fail; it just
shows an empty window with the flashlight sign (browsing...).

The relevant samba code that does this is in reply.c, and from the
latest samba code it seems the check_path_syntax_internal function also
contains the same issue:
		if (!(*s & 0x80)) {
			if (!posix_path) {
				if (*s <= 0x1f) {

This seems too trivial to have been overlooked. Could it be that we've
done something wrong? If not, what would be the correct solution for
this?

Below is a sample program that creates a dataset that triggers this bug.


#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>

int main(int argc, char* argv[])
{
        /* Not used in the fragment as posted; the file whose name carries
           the illegal character is presumably created after this loop. */
        char* name = "Shlomi_file";

        int i = 0;
        int fd = -1;
        /* Create many files with long names so that the directory listing
           spans several responses to the client. */
        for (i=0; i<1000; i++) {
                char tmp[100] = {0};
                snprintf (tmp, 50, "test_file_%d_____________________________", i);
                fd = open (tmp, O_WRONLY|O_APPEND|O_CREAT, 0644);
                if (fd != -1)
                        close (fd);
        }
        return 0;
}
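As an added illustration (not code from the original post or from Samba), the simulation below models the resume-name handling the report describes: each response carries a batch of names, the client resumes from the last name it received, and the server validates that name with the quoted control-character check. With rewind_on_bad_resume set, walk_dir reproduces the rewind-and-repeat loop; with it clear, the server refuses the illegal resume name instead, which is one illustrative mitigation and not Samba's actual fix. The directory contents and all function names are constructed for this example.

```c
#include <stdio.h>
/* Mirrors the quoted check_path_syntax_internal test: a single-byte character
 * (high bit clear) valued 0x1f or below is illegal in a non-POSIX path. */
static int name_is_legal(const char *s)
{
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (!(c & 0x80) && c <= 0x1f)
            return 0;
    }
    return 1;
}

/* Constructed directory listing; entry 3 carries a control character. */
static const char *const DIR_ENTRIES[] = {
    "test_file_0", "test_file_1", "test_file_2", "bad\x01" "name",
    "test_file_4", "test_file_5",
};
#define DIR_COUNT ((int)(sizeof DIR_ENTRIES / sizeof DIR_ENTRIES[0]))

/* Simulated walk: each response carries `batch` entries and the client resumes
 * from the last name it received.  Returns the number of responses on success,
 * -1 if max_rounds is exceeded (the reported loop), -2 if the server refuses
 * the illegal resume name instead of rewinding. */
static int walk_dir(int batch, int rewind_on_bad_resume, int max_rounds)
{
    int pos = 0, rounds = 0;
    for (;;) {
        int end = pos + batch < DIR_COUNT ? pos + batch : DIR_COUNT;
        if (++rounds > max_rounds)
            return -1;
        if (end == DIR_COUNT)
            return rounds;                /* end of search: client stops asking */
        const char *resume = DIR_ENTRIES[end - 1];
        if (!name_is_legal(resume)) {     /* server validates the resume name */
            if (!rewind_on_bad_resume)
                return -2;                /* mitigation: fail the find_next */
            pos = 0;                      /* reported behaviour: ".", rewinddir() */
            continue;
        }
        pos = end;
    }
}
int main(void)
{
    printf("flawed: %d  mitigated: %d  clean batch: %d\n",
           walk_dir(2, 1, 20), walk_dir(2, 0, 20), walk_dir(3, 1, 20));
    return 0;
}
```

With a batch size of 2 the control-character entry is the last name of a response, so the flawed policy never terminates, while a batch size of 3 never uses it as a resume name and the walk completes.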


More information about the samba-technical mailing list