Leak of file descriptor in samba 4.5.11

Kumar, Arjit (SSTO) arjit.kumar at hpe.com
Wed Feb 14 17:07:55 UTC 2018


Hi Team,

There seems to be an FD leak happening for a Samba share, due to which accessing files fails with the error below after accessing a certain number of files.

../source3/smbd/smb2_server.c:2988(smbd_smb2_request_done_ex)
  smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_TOO_MANY_OPENED_FILES] body[8] dyn[yes:1] at ../source3/smbd/smb2_server.c:3145

This occurs even if we increase smbd's max open files to 65536.

This issue is not seen in samba 4.5.3, but is seen with 4.5.11 and 4.5.15.

This issue seems to be caused by the fix for CVE-2017-2619.

On investigating further, the modification below in source3/smbd/smb2_query_directory.c, made to fix the above CVE, may be causing the FD leak.

https://github.com/samba-team/samba/commit/47b6b6f8f58efbabd7e4610f51db61dca2bc157c#diff-30edf5566a0d9e2abf214c7f778830df

Line 328: dptr_CloseDir(fsp);
Do we need to close the FD using fd_close() instead of dptr_CloseDir()?

I have also opened a bug <https://bugzilla.samba.org/show_bug.cgi?id=13270> for the same on Bugzilla.

Simple steps to reproduce it are as below:

* Map a samba share on a Windows machine.
  Suppose the share is mapped on the Z drive.

* Create a small batch file as below.

    :loop
    dir z:
    goto loop

* Analyze it with any crash dump utility depending on the platform, or wait until smbd hits the NT_STATUS_TOO_MANY_OPENED_FILES error.
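
An added example, not part of the original post and not Samba code: instead of waiting for NT_STATUS_TOO_MANY_OPENED_FILES, the descriptor growth can be observed on a Linux server while the batch loop runs by sampling `/proc/<pid>/fd` of the smbd process serving the client. The script name, the share path argument and the sampling interval are assumptions.

```python
"""Watch one smbd process for descriptors piling up under a share path (Linux /proc)."""
import os
import sys
import time
from collections import Counter


def snapshot_fds(pid):
    """Return {fd_number: link_target} read from /proc/<pid>/fd."""
    fd_dir = f"/proc/{pid}/fd"
    fds = {}
    for name in os.listdir(fd_dir):
        try:
            fds[int(name)] = os.readlink(os.path.join(fd_dir, name))
        except OSError:
            continue  # descriptor was closed between listdir() and readlink()
    return fds


def count_under(fds, share_root):
    """Count descriptors that point at share_root or at a path beneath it."""
    root = share_root.rstrip("/")
    return sum(1 for t in fds.values() if t == root or t.startswith(root + "/"))


def duplicate_targets(fds, minimum=2):
    """Paths held open `minimum` or more times; a directory handle that is
    never released shows up as the same path repeated."""
    counts = Counter(t for t in fds.values() if t.startswith("/"))
    return {t: n for t, n in counts.items() if n >= minimum}


def looks_like_leak(history, min_samples=5):
    """True when the count never drops across the samples and ends higher."""
    if len(history) < min_samples:
        return False
    steady = all(b >= a for a, b in zip(history, history[1:]))
    return steady and history[-1] > history[0]


if __name__ == "__main__":
    # Usage (hypothetical file name): fdwatch.py <smbd-pid> <share-path>
    pid, share = int(sys.argv[1]), sys.argv[2]
    history = []
    while True:
        fds = snapshot_fds(pid)
        history.append(count_under(fds, share))
        print(history[-1], duplicate_targets(fds), looks_like_leak(history[-10:]))
        time.sleep(5)
```

Reading another process's `/proc/<pid>/fd` requires root or the same user as that process; the PID of the smbd child handling a given client is listed by `smbstatus`.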

