Bug found: Truncation of files during multiple simultaneous logons ....

Ravi Subramaniam rsubram at scdt.intel.com
Tue Feb 10 22:43:56 GMT 1998


Hi Samba Team,

There seems to be a bug that seems to have survived from 1.9.16p11 (that is 
as far as I went). BTW, 1.9.15p8 does not have this bit of code.

Symptom:
	- This applies to situations where there are multiple logons (sessions) to the same SAMBA server by the *same* user (UNIX UID). The sessions may be from multiple logons to the same NT client or from different clients.
	- When the user logs off from one of these sessions, files open for writing/modification in the other sessions are truncated.

Cause:
	- The problem has been traced to code in the 'reply_ulogoff' routine in reply.c. Code snippet between the two *** BUG *** markers:

-----
int reply_ulogoffX(char *inbuf,char *outbuf,int length,int bufsize)
{
  uint16 vuid = SVAL(inbuf,smb_uid);
  user_struct *vuser = get_valid_user_struct(vuid);

  if(vuser == 0) {
    DEBUG(3,("ulogoff, vuser id %d does not map to user.\n", vuid));
  }

*** BUG ***
  /* in user level security we are supposed to close any files
     open by this user */
  if ((vuser != 0) && (lp_security() != SEC_SHARE)) {
    int i;
    for (i=0;i<MAX_OPEN_FILES;i++)
      if (Files[i].uid == vuser->uid && Files[i].open) {   /* <- BUG IS HERE ! */
        close_file(i,False);
      }
  }
*** BUG ***

  invalidate_vuid(vuid);

-------------------------------

	- When the user logs off from one of the logons, the NT client sends an SMBulogoffX to the SAMBA server, which then promptly, because of the offending line above, closes *all* files that this user has open on this SAMBA server.

	- Commenting out this section of code works for the most part, since the client does send an SMBclose when a program exits with open file handles (as part of the process termination cleanup).

	- I think that this can be fixed by modifying the 'if' comparison to be done on 'vuid' and not 'uid'. That would mean a modification of the 'files_struct' structure. I am working on this fix (not my highest priority though since commenting out works for now). Can someone from the SAMBA team fix this? If this is the fix then it should be fairly easy for someone familiar with the code to make the changes and evaluate the ramifications elsewhere, if any.

Finally, a question:

	- What was the motivation for putting in this code in the first place? A possible scenario that comes to mind is when the client dies abnormally but ... does the client send a ulogoff at this time? Well, I would like to hear from the SAMBA gurus !!

Please let me know if you need more information.

Thanks !

Ravi



--
=======================================================
Ravi Subramaniam
Senior Software Systems Engineer,
Computing Technology, Design Technology,
Mailstop: RN4-36,                               Ph : (408)-765-3566
Intel Corp., Santa Clara,                       Email: rsubram at scdt.intel.com
California, 95052                               Ravi_Subramaniam at ccm.sc.intel.com
=======================================================
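The failure mode the report describes (a logoff from one session closing files that belong to the same UNIX user's other sessions) and the proposed vuid-based comparison, modelled side by side. This is an added example, not Samba's code: the file table, the `model_file` structure, and the uids and vuids (1000, 2000, 100, 101, 102) are constructed for illustration and stand in for Samba's `files_struct` only in the two fields that matter here.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified model of a server-side open-file table; this is
 * not Samba's files_struct. Each entry records both the UNIX uid of the
 * owner and the SMB session (vuid) that opened the file. */
#define MAX_OPEN_FILES 8

typedef struct {
    bool open;
    int uid;              /* UNIX uid the file was opened as */
    unsigned short vuid;  /* SMB session (vuid) that opened it */
} model_file;

static model_file Files[MAX_OPEN_FILES];

static void reset_table(void)
{
    memset(Files, 0, sizeof Files);
}

/* Record an open file for (uid, vuid); returns the slot or -1 if full. */
static int open_as(int uid, unsigned short vuid)
{
    for (int i = 0; i < MAX_OPEN_FILES; i++) {
        if (!Files[i].open) {
            Files[i].open = true;
            Files[i].uid = uid;
            Files[i].vuid = vuid;
            return i;
        }
    }
    return -1;
}

/* Reported behaviour: on logoff, close every file owned by the uid,
 * including files held by the same user's other sessions. */
static int ulogoff_by_uid(int uid)
{
    int closed = 0;
    for (int i = 0; i < MAX_OPEN_FILES; i++) {
        if (Files[i].open && Files[i].uid == uid) {
            Files[i].open = false;
            closed++;
        }
    }
    return closed;
}

/* Proposed fix: compare on the session that opened the file, so only
 * that session's files are closed. */
static int ulogoff_by_vuid(unsigned short vuid)
{
    int closed = 0;
    for (int i = 0; i < MAX_OPEN_FILES; i++) {
        if (Files[i].open && Files[i].vuid == vuid) {
            Files[i].open = false;
            closed++;
        }
    }
    return closed;
}

static int count_open(void)
{
    int n = 0;
    for (int i = 0; i < MAX_OPEN_FILES; i++)
        n += Files[i].open;
    return n;
}

/* Scenario from the report (constructed values): one UNIX user (uid 1000)
 * has two sessions (vuid 100 and 101), each holding a file open, and an
 * unrelated user (uid 2000, vuid 102) has one file open. Session 100 logs
 * off. Returns the number of files still open afterwards. */
int logoff_scenario(bool use_vuid_fix)
{
    reset_table();
    open_as(1000, 100);
    open_as(1000, 101);
    open_as(2000, 102);
    if (use_vuid_fix)
        ulogoff_by_vuid(100);
    else
        ulogoff_by_uid(1000);
    return count_open();
}

int main(void)
{
    printf("uid comparison : %d file(s) still open (session 101 lost its file)\n",
           logoff_scenario(false));
    printf("vuid comparison: %d file(s) still open\n", logoff_scenario(true));
    return 0;
}
```

With the uid comparison, the logoff of session 100 also closes the file that session 101 still has open, leaving only the unrelated user's file; with the vuid comparison, session 101's file survives. The model keeps only the uid and vuid fields because those are the two the report's proposed fix hinges on.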





