Leak of file descriptor in samba 4.5.11
Jeremy Allison
jra at samba.org
Wed Feb 14 18:15:44 UTC 2018
On Wed, Feb 14, 2018 at 05:07:55PM +0000, Kumar, Arjit (SSTO) via samba-technical wrote:
> Hi Team,
>
> There seems to be an FD leak happening for a Samba share, due to which accessing files fails with the below error after accessing a certain number of files.
>
> ../source3/smbd/smb2_server.c:2988(smbd_smb2_request_done_ex)
> smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_TOO_MANY_OPENED_FILES] body[8] dyn[yes:1] at ../source3/smbd/smb2_server.c:3145
>
> This occurs even if we increase smbd's max open files to 65536.
>
> This issue is not seen in samba 4.5.3, but seen with 4.5.11 and 4.5.15
>
> This issue seems to be caused by fix for CVE-2017-2619.
>
> On investigating further, the below modification in source3/smbd/smb2_query_directory.c for fixing the above CVE may be causing the FD leak.
>
> https://github.com/samba-team/samba/commit/47b6b6f8f58efbabd7e4610f51db61dca2bc157c#diff-30edf5566a0d9e2abf214c7f778830df
>
> Line 328: dptr_CloseDir(fsp);
> Do we need to close the FD using fd_close() instead of dptr_CloseDir()?
>
> I have also opened a bug <https://bugzilla.samba.org/show_bug.cgi?id=13270> for the same on Bugzilla.
>
> Simple steps to reproduce it are as below:
>
> * Map a Samba share on a Windows machine.
>   Suppose the share is mapped on the Z drive.
>
> * Create a small batch file as below.
>
>   :loop
>   dir z:
>   goto loop
>
> * Analyze it with any crash dump utility depending on platform, or wait until smbd hits the NT_STATUS_TOO_MANY_OPENED_FILES error.

Is this reproducible on any later release than 4.5.x?

Knowing that will really help determine if this is a bug that needs addressing just in 4.5.x or is a more generic problem.
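
An added example, not part of the original thread or of Samba: one way to confirm a descriptor leak on the server while the `dir z:` loop runs, rather than waiting for NT_STATUS_TOO_MANY_OPENED_FILES. It assumes a Linux host with `/proc` and permission to read the smbd process's fd directory; the share path and socket name in the sample are constructed.

```python
import os
from collections import Counter

# Constructed sample: three successive fd snapshots {fd: target} of one process.
# The share path /srv/share and the socket name are assumptions for illustration.
SAMPLE = [
    {3: "socket:[1001]", 7: "/srv/share"},
    {3: "socket:[1001]", **{fd: "/srv/share" for fd in range(7, 11)}},
    {3: "socket:[1001]", **{fd: "/srv/share" for fd in range(7, 16)}},
]

def snapshot_fds(pid):
    """Return {fd_number: link_target} read from /proc/<pid>/fd (Linux only)."""
    fd_dir = f"/proc/{pid}/fd"
    fds = {}
    for name in os.listdir(fd_dir):
        try:
            fds[int(name)] = os.readlink(os.path.join(fd_dir, name))
        except OSError:
            continue  # descriptor was closed between listdir() and readlink()
    return fds

def leaked_targets(snapshots, min_growth=3):
    """Return {target: [count per snapshot]} for targets whose number of open
    descriptors never drops across snapshots and grows by >= min_growth."""
    counts = [Counter(s.values()) for s in snapshots]
    suspects = {}
    for target in counts[-1]:
        series = [c.get(target, 0) for c in counts]
        never_drops = all(b >= a for a, b in zip(series, series[1:]))
        if never_drops and series[-1] - series[0] >= min_growth:
            suspects[target] = series
    return suspects

if __name__ == "__main__":
    import sys
    import time
    pid = int(sys.argv[1])  # PID of the smbd process serving the client
    samples = []
    for _ in range(5):
        samples.append(snapshot_fds(pid))
        time.sleep(2)
    for target, series in leaked_targets(samples).items():
        print(f"{target}: open descriptors per sample {series}")
```

A target whose count only ever rises while the client repeats the same listing is the descriptor to trace back to its open and close paths.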