Client stuck in an "infinite" loop due to illegal character in name
Jeremy Allison
jra at samba.org
Wed Jul 18 01:13:25 GMT 2007
On Mon, Jul 16, 2007 at 10:33:25AM +0300, Shlomi Yaakobovich wrote:
> Hi,
>
> We're running samba 3.0.20, and we've seen some strange behavior. In our
> configuration, mangling is disabled. The client is in the process of
> reading a directory (i.e. opening an explorer window). If the last file
> returned to the client contains an illegal character (and not just a
> plain illegal, it is below 31 ASCII value), then the resume_name is
> transformed into the "." name, and rewinddir is called. This causes the
> file names from the beginning of the directory to be sent over and over
> again to the client, in what seems like an infinite loop. The client (I
> used Windows XP) does not seem to recover from this or fail, it is just
> showing an empty window with the flashlight sign (browsing...)
>
> The relevant code of samba that does this is at reply.c - and from the
> latest samba code it seems the check_path_syntax_internal function also
> contains the same issue:
>
>         if (!(*s & 0x80)) {
>                 if (!posix_path) {
>                         if (*s <= 0x1f) {
>                                 return NT_STATUS_OBJECT_NAME_INVALID;
>                         }
>
> This seems too trivial to be overlooked. Could it be that we've
> done something wrong? If not, what would be the correct solution for
> this?
Try this patch against 3.0.25b.
Thanks,
Jeremy.
-------------- next part --------------
Index: smbd/trans2.c
===================================================================
--- smbd/trans2.c (revision 23936)
+++ smbd/trans2.c (working copy)
@@ -1999,10 +1999,14 @@
complain (it thinks we're asking for the directory above the shared
path or an invalid name). Catch this as the resume name is only compared, never used in
a file access. JRA. */
- if (NT_STATUS_EQUAL(ntstatus,NT_STATUS_OBJECT_PATH_SYNTAX_BAD)) {
+ size_t ret = srvstr_pull(inbuf, resume_name, params+12,
+ sizeof(resume_name), total_params - 12,
+ STR_TERMINATE);
+
+ if (ret == 2 && ISDOT(resume_name)) {
+ pstrcpy(resume_name, ".");
+ } else if (ret == 3 && ISDOTDOT(resume_name)) {
pstrcpy(resume_name, "..");
- } else if (NT_STATUS_EQUAL(ntstatus,NT_STATUS_OBJECT_NAME_INVALID)) {
- pstrcpy(resume_name, ".");
} else {
return ERROR_NT(ntstatus);
}
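Review bot: the final else still returns ERROR_NT(ntstatus) for every name other than "." and "..", so a resume name containing a byte at or below 0x1f (the case in the report) now fails the request instead of being rewritten to "." and rewinding. Since the comment above says the resume name is only compared, never used in a file access, that comment should say whether failing the search is the intended outcome for such names. The `ret == 2` and `ret == 3` tests also depend on what srvstr_pull counts in its return value; a one-line comment saying what those two constants represent would make the check easier to verify.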