[PATCH] Bunch of options for vfs_fileid
Jeremy Allison
jra at samba.org
Sat Jan 6 19:45:32 UTC 2018
On Sat, Jan 06, 2018 at 04:33:03PM +0100, Ralph Böhme via samba-technical wrote:
> Hi Christian,
>
> On Sat, Jan 06, 2018 at 08:53:01AM +0100, Christian Ambach wrote:
> > > + char hostname[HOST_NAME_MAX+1];
> > [...]
> > > +
> > > + rc = gethostname(hostname, HOST_NAME_MAX+1);
> > > + if (rc != 0) {
> > > + DBG_ERR("gethostname failed\n");
> > > + return UINT64_MAX;
> > > + }
> > man gethostname on Linux notes a discrepancy between Linux and POSIX:
> > in POSIX gethostname is allowed to return up to 255 characters, while
> > HOST_NAME_MAX is just 64 characters on Linux. Not sure how this looks
> > like on other platforms. Maybe it makes more sense to use an array of
> > size 256 to be on the safe side?
>
> Why? As long as the array size matches the size passed to gethostname()
> everything's fine.
>
> > The error path that returns the same number for all devices might be
> > problematic too, as it will then generate the same fileid for files
> > with the same inode number on different filesystems.
>
> Yeah, that's a bit problematic in theory. In practice, afaict gethostname() will
> only fail if the passed in buffer size is too small, but this can't happen when
> using HOST_NAME_MAX.
>
> > > + TALLOC_FREE(devname);
> > > +
> > > + id = fileid_uint64_hash((uint8_t *)devname, devname_len);
> >
> > Isn't this a use-after-free?
>
> You bet it is. Damn! Thanks for catching this. Patch attached.
Ralph I'm sorry, I missed that ! I'll add this on top.
> --
> Ralph Boehme, Samba Team https://samba.org/
> Samba Developer, SerNet GmbH https://sernet.de/en/samba/
> From e05f315cb4fd93ec2924a0d528f90bc601445a8e Mon Sep 17 00:00:00 2001
> From: Ralph Boehme <slow at samba.org>
> Date: Sat, 6 Jan 2018 16:13:52 +0100
> Subject: [PATCH] vfs_fileid: fix a use after free
>
> Signed-off-by: Ralph Boehme <slow at samba.org>
> ---
> source3/modules/vfs_fileid.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/source3/modules/vfs_fileid.c b/source3/modules/vfs_fileid.c
> index 98cc32d62d5..c890876c998 100644
> --- a/source3/modules/vfs_fileid.c
> +++ b/source3/modules/vfs_fileid.c
> @@ -233,9 +233,11 @@ static uint64_t fileid_device_mapping_hostname(struct fileid_handle_data *data,
> return UINT64_MAX;
> }
> devname_len = talloc_array_length(devname) - 1;
> - TALLOC_FREE(devname);
>
> id = fileid_uint64_hash((uint8_t *)devname, devname_len);
> +
> + TALLOC_FREE(devname);
> +
> return id;
> }
>
> --
> 2.13.6
>
More information about the samba-technical
mailing list