Leak of file descriptor in samba 4.5.11
Kumar, Arjit (SSTO)
arjit.kumar at hpe.com
Wed Feb 14 17:07:55 UTC 2018
There seems to be an FD leak happening for a Samba share, due to which accessing files fails with the error below after accessing a certain number of files.
smbd_smb2_request_done_ex: idx status[NT_STATUS_TOO_MANY_OPENED_FILES] body dyn[yes:1] at ../source3/smbd/smb2_server.c:3145
This occurs even if we increase smbd's max open files to 65536.
This issue is not seen in samba 4.5.3, but is seen with 4.5.11 and 4.5.15.
This issue seems to be caused by the fix for CVE-2017-2619.
On investigating further, the modification below in source3/smbd/smb2_query_directory.c, made to fix the above CVE, may be causing the FD leak.
Line 328: dptr_CloseDir(fsp);
Do we need to close the FD using fd_close() instead of dptr_CloseDir()?
I have also opened a bug <https://bugzilla.samba.org/show_bug.cgi?id=13270> for the same on bugzilla.
Simple steps to reproduce it are as below:
* Map a Samba share on a Windows machine.
Suppose the share is mapped on the Z drive.
* Create a small batch file as below.
* Analyze it with any crash dump utility depending on platform, or wait until smbd hits the NT_STATUS_TOO_MANY_OPENED_FILES error.
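
A way to confirm the growth without waiting for the error, as an added example that is not part of the original post or of Samba: it samples the open-descriptor count of one smbd process from /proc on Linux and classifies the series. The script name `fdwatch.sh`, the function names, the `PROC_ROOT` variable and the growth threshold are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the post): sample one smbd process's open descriptors.
# PROC_ROOT is an assumption of this sketch so a constructed tree can stand in for /proc.
PROC_ROOT="${PROC_ROOT:-/proc}"

# Print the number of open descriptors of PID $1; fail if the process is gone.
fd_count() {
    dir="$PROC_ROOT/$1/fd"
    [ -d "$dir" ] || return 1
    ls -A "$dir" | wc -l | tr -d ' '      # one entry per open descriptor
}

# Print the soft "Max open files" limit of PID $1.
fd_limit() {
    awk '/^Max open files/ { print $4 }' "$PROC_ROOT/$1/limits"
}

# Take $2 samples of PID $1, $3 seconds apart, one count per line.
sample_pid() {
    i=0
    while [ "$i" -lt "$2" ]; do
        fd_count "$1" || return 1
        i=$((i + 1))
        if [ "$i" -lt "$2" ]; then sleep "$3"; fi
    done
}

# Classify counts read from stdin. Heuristic: "leak" when the count never
# drops between samples and grows by at least $1 overall, otherwise "ok".
classify_series() {
    awk -v min="$1" '
        NR == 1 { first = $1 + 0; prev = first; next }
        $1 + 0 < prev { dropped = 1 }
        { prev = $1 + 0 }
        END {
            if (NR > 1 && !dropped && prev - first >= min + 0) print "leak"
            else print "ok"
        }'
}

# Usage: sh fdwatch.sh PID [samples] [interval_s] [min_growth]
# PID is the smbd child serving the client (smbstatus lists it).
if [ "$#" -ge 1 ]; then
    echo "soft limit: $(fd_limit "$1")"
    sample_pid "$1" "${2:-10}" "${3:-5}" | tee /dev/stderr | classify_series "${4:-50}"
fi
```

Run it against the smbd child while the reproduction loop is active; a count that keeps climbing toward the soft limit matches the behaviour described in the post.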