[PATCH] Bunch of options for vfs_fileid

Ralph Böhme slow at samba.org
Sat Jan 6 15:33:03 UTC 2018 

Hi Christian,

On Sat, Jan 06, 2018 at 08:53:01AM +0100, Christian Ambach wrote:
> > +	char hostname[HOST_NAME_MAX+1];
> [...]
> > +
> > +	rc = gethostname(hostname, HOST_NAME_MAX+1);
> > +	if (rc != 0) {
> > +		DBG_ERR("gethostname failed\n");
> > +		return UINT64_MAX;
> > +	}
> man gethostname on Linux notes a discrepancy between Linux and POSIX:
> in POSIX gethostname is allowed to return up to 255 characters, while
> HOST_NAME_MAX is just 64 characters on Linux. Not sure how this looks
> like on other platforms. Maybe it makes more sense to use an array of
> size 256 to be on the safe side?

Why? As long as the array size matches the size passed to gethostname()
everything's fine.

> The error path that returns the same number for all devices might be
> problematic too, as it will then generate the same fileid for files
> with the same inode number on different filesystems.

Yeah, that's a bit problematic in theory. In practice, afaict gethostname() will
only fail if the passed in buffer size is too small, but this can't happen when
using HOST_NAME_MAX.

> > +	TALLOC_FREE(devname);
> > +
> > +	id = fileid_uint64_hash((uint8_t *)devname, devname_len);
> 
> Isn't this a use-after-free?

You bet it is. Damn! Thanks for catching this. Patch attached.

-slow

-- 
Ralph Boehme, Samba Team       https://samba.org/
Samba Developer, SerNet GmbH   https://sernet.de/en/samba/
-------------- next part --------------
From e05f315cb4fd93ec2924a0d528f90bc601445a8e Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow at samba.org>
Date: Sat, 6 Jan 2018 16:13:52 +0100
Subject: [PATCH] vfs_fileid: fix a use after free

Signed-off-by: Ralph Boehme <slow at samba.org>
---
 source3/modules/vfs_fileid.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/source3/modules/vfs_fileid.c b/source3/modules/vfs_fileid.c
index 98cc32d62d5..c890876c998 100644
--- a/source3/modules/vfs_fileid.c
+++ b/source3/modules/vfs_fileid.c
@@ -233,9 +233,11 @@ static uint64_t fileid_device_mapping_hostname(struct fileid_handle_data *data,
 		return UINT64_MAX;
 	}
 	devname_len = talloc_array_length(devname) - 1;
-	TALLOC_FREE(devname);
 
 	id = fileid_uint64_hash((uint8_t *)devname, devname_len);
+
+	TALLOC_FREE(devname);
+
 	return id;
 }
 
-- 
2.13.6

More information about the samba-technical mailing list