Duplicate SMB file_ids leading to Windows client cache poisoning

Tom Talpey tom at talpey.com
Thu Dec 9 21:14:23 UTC 2021 

On 12/9/2021 3:40 PM, Andrew Walker wrote:
> 
> 
> On Thu, Dec 9, 2021 at 3:28 PM Tom Talpey via samba-technical 
> <samba-technical at lists.samba.org 
> <mailto:samba-technical at lists.samba.org>> wrote:
> 
>     On 12/9/2021 1:58 PM, Ralph Boehme wrote:
>      > Hi Tom,
>      >
>      > On 12/9/21 19:48, Tom Talpey wrote:
>      >> I really think you need a bulletproof mathematically correct
>      >> uniqueid generator here.
>      >
>      > Patches welcome. :)))
>      >
>      > I guess all we can get is an approximation.
> 
>     But, the penalty for a collision is data corruption! It's unacceptable
>     to wing it.
> 
>     Can't TDB help here? Stuff a number into the database and save it.
>     Increment it by one for each new fileid needed.
> 
>     Carve out a hundred, or a thousand, so you don't have to do a
>     transaction every new handle. Increment that by the carveout for
>     the next call. 64 bits will last you forever, so you could even
>     use it across server restart.
> 
>     Make it fancier, if monotonicity is too easily forged, or misused.
> 
>     Tom.
> 
> Tom,
> 
> I was glancing through MS-SMB and noticed that it states that file ids 
> must be unique, but may be re-used if the file is deleted. 
> https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb/44c3cf8d-0931-4923-8fdc-738537ba70ba 

Death to SMB1. I dearly hope we're talking about SMB2/SMB3 here.

The SMB2_FILEID is a 2-part structure, 64 bits for each handle (id):
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/f1d9b40d-e335-45fc-9d0b-199a31ede4c3

SMB2 and SMB3 allow recovery of these after a disconnect, in certain
cases. So it's more complex.

> Is that not the case? Or maybe discouraged?

SMB1 loses all context on disconnect, so the fileid's are toast along
with the rest of the session state.

> Out of curiosity, why can't we use device/inode?

Device and inode simply map to the underlying file object (and they
may not be perfectly stable depending on implementation too). The
SMB2_FILEID conveys the handles which map the state of the "open";
this includes much more than the underlying file and its cached
contents.

I'm pretty sure the Windows SMB2/3 server just bumps a counter for
the volatile id's. Don't recall if or when it recycles.

Tom.

More information about the samba-technical mailing list