[PATCH 1/2] Fix bug #9329 - Directory listing with SeBackup can crash smbd.

Andrew Bartlett abartlet at samba.org
Mon Oct 29 15:32:29 MDT 2012


On Mon, 2012-10-29 at 14:22 -0700, Jeremy Allison wrote:
> On Tue, Oct 30, 2012 at 08:17:09AM +1100, Andrew Bartlett wrote:
> > On Mon, 2012-10-29 at 14:09 -0700, Jeremy Allison wrote:
> > > On Tue, Oct 30, 2012 at 07:51:36AM +1100, Andrew Bartlett wrote:
> > > > 
> > > > I'm sorry, I should have made it clearer, I was still hoping to improve
> > > > the patch with Jeremy.  I don't like walking back up the security stack
> > > > like that, for something that it seems we can find out via a pointer
> > > > de-reference.
> > > 
> > > No, we can't. Under the delete on close semantics the only
> > > place this can be found is on the security stack.
> > 
> > Where in the delete on close path does it call get_current_nttok()?
> 
> It doesn't right now, but not doing it this way is leaving a
> bear-trap for the unwary.
> 
> Imagine someone needs to override UNIX perms underneath this
> codepath - we don't do this right now but I can't guarantee we
> won't need to do this at some point - then we will have
> get_current_nttok() back returning a NULL pointer, and
> we'll crash again.

I was more meaning going back to your original patch, which then used
conn.  I guess your point is that while it is always valid, it may not
be always correct, if for the delete on close case, we don't happen to
pass down the nttoken that needs to be used.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
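
The failure mode discussed in this thread, as an added example that is not part of the original message and is not Samba code: a simplified security-context stack where a frame pushed to override only UNIX permissions carries no NT token. All type and function names below are hypothetical; the sketch contrasts a top-frame lookup with one that walks back up the stack.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model; all names here are hypothetical, not Samba's. */
struct nt_token { unsigned int num_sids; };
struct sec_ctx  { const struct nt_token *token; /* NULL: UNIX-only override */ };

#define MAX_DEPTH 8
static struct sec_ctx ctx_stack[MAX_DEPTH];
static int ctx_top = -1;

static int push_ctx(const struct nt_token *tok)
{
    if (ctx_top + 1 >= MAX_DEPTH) return -1;   /* refuse to overflow the stack */
    ctx_stack[++ctx_top].token = tok;
    return 0;
}

static void pop_ctx(void) { if (ctx_top >= 0) ctx_top--; }

/* "Pointer dereference" lookup: only looks at the top frame. */
static const struct nt_token *top_token(void)
{
    return ctx_top >= 0 ? ctx_stack[ctx_top].token : NULL;
}

/* Walk back up the stack to the nearest frame that carries a token. */
static const struct nt_token *active_token(void)
{
    for (int i = ctx_top; i >= 0; i--)
        if (ctx_stack[i].token != NULL) return ctx_stack[i].token;
    return NULL;                               /* callers must still check */
}

/* Returns bit 0 = top-frame lookup found a token, bit 1 = walk found one. */
static int lookup_under_override(void)
{
    static const struct nt_token user = { 3 }; /* constructed sample token */
    int found = 0;
    if (push_ctx(&user) != 0 || push_ctx(NULL) != 0) return -1;
    if (top_token() != NULL)     found |= 1;
    if (active_token() == &user) found |= 2;
    pop_ctx(); pop_ctx();
    return found;
}

int main(void)
{
    printf("lookup result: %d\n", lookup_under_override());
    return 0;
}
```

With the override frame on top, the top-frame lookup yields NULL while the walk still finds the user's token; with an empty stack both return NULL, so a caller that dereferences the result without checking would fault either way.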




More information about the samba-technical mailing list