[PATCH] Fix nasty vfs_fruit bug 13646

Jeremy Allison jra at samba.org
Wed Oct 31 19:39:41 UTC 2018 

On Wed, Oct 31, 2018 at 04:15:37PM +0100, Ralph Böhme via samba-technical wrote:
> > 
> > PATCH 28/34] vfs_fruit: prepare fruit_pread_meta() for reading on fake-fd
> > 
> > in this hunk:
> > 
> > +       if (nread == -1 && fio->created) {
> > +               AfpInfo *ai = NULL;
> > +               char afpinfo_buf[AFP_INFO_SIZE];
> > +
> > +               ai = afpinfo_new(talloc_tos());
> > +               if (ai == NULL) {
> > +                       return -1;
> > +               }
> > +
> > +               nread = afpinfo_pack(ai, afpinfo_buf);
> > +               TALLOC_FREE(ai);
> > +               if (nread != AFP_INFO_SIZE) {
> > +                       return -1;
> > +               }
> > +
> > +               memcpy(data, afpinfo_buf, to_return);
> > +               return nread;
> > +       }
> > 
> > 'to_return' is not defined here. I think the last
> > lines shoud read:
> > 
> > +               nread = MIN(n, nread);
> > +               memcpy(data, afpinfo_buf, nread);
> > +               return nread;
> > +       }
> > 
> > can you confirm ?
> 
> you just have to apply the other fruit patchset from the list in the correct
> order, then it works. :) Sorry...
> 
> Attached is a patchset with the patches for bugs 13642 and 13646 combined.

Sorry Ralph but I think that this:

 Subject: [PATCH 36/42] vfs_fruit: prepare fruit_pread_meta() for reading on fake-fd

is still wrong. In fruit_pread_meta() the requested
amount to be read is size_t n into void *data.

Inside fruit_pread_meta() we have:

        to_return = MIN(n, AFP_INFO_SIZE);

so to_return is now the correct amount to be
returned  - allowing for the fact the caller
might have asked for less than AFP_INFO_SIZE.

However your patch does:

+       if (nread == -1 && fio->created) {
+               AfpInfo *ai = NULL;
+               char afpinfo_buf[AFP_INFO_SIZE];
+
+               ai = afpinfo_new(talloc_tos());
+               if (ai == NULL) {
+                       return -1;
+               }
+
+               nread = afpinfo_pack(ai, afpinfo_buf);
+               TALLOC_FREE(ai);
+               if (nread != AFP_INFO_SIZE) {
+                       return -1;
+               }
+
+               memcpy(data, afpinfo_buf, to_return);
+               return nread;
+       }

Which will return nread == AFP_INFO_SIZE *even
if the caller asked for *less* (remember, to_read
is MIN(n, AFP_INFO_SIZE)) !

This should instead be:

		return to_return;

as that is the amount we just copied into data, and
may be less than nread.

If you agree with this fix, LGTM.

Jeremy.

More information about the samba-technical mailing list