[BUG REPORT] smbclient in samba 2.0.10 mangles filenames.

Alan Turner alan at suburbia.com.au
Fri Jan 4 06:45:06 GMT 2002


Hi Folks

I believe I have come across a bug in the latest version of samba in the 2.0.x
series. Report follows. If this address is a mailing list, I'd appreciate it
if I could be CCd on replies.

I hope I've got this report right :-)

Thanks for your time, and for a very useful utility!

Cheers,
Alan


1. Description
--------------

The smbclient(1) utility as shipped with samba includes a feature for
creating tar backups of remote systems via SMB.

When a file path on the remote system is exactly 99 characters long, the last
character in the path is truncated in the tar header. This can result in
several files in the tarfile with the same path.

2. Impact
---------

Based on a very quick analysis of the code, it would appear that the only data
lost is the last character of the file path. If multiple files with 99
character path lengths were unique only in the last character, then special
attention would be required to extract them from the tarfile (as other files
with the same name would overwrite them in a normal extraction).

3. Versions affected
--------------------

I have verified that the bug exists in v2.0.7 (as shipped with 
debian 2.2), and in v2.0.10. The bug appears not to exist in v2.2.2.


4. Specific Details
-------------------

The bug appears in samba-2.0.10/source/client/clitar.c, in writetarheader():


   172  static void writetarheader(int f,  char *aname, int size, time_t mtime,
   173                             char *amode, unsigned char ftype)
   174  {
   175    union hblock hb;
   176    int i, chk, l;
   177    char *jp;
   178  
   179    DEBUG(5, ("WriteTarHdr, Type = %c, Size= %i, Name = %s\n", ftype, size, aname));
   180  
   181    memset(hb.dummy, 0, sizeof(hb.dummy));
   182    
   183    l=strlen(aname);
   184    if (l >= NAMSIZ) {
   185            /* write a GNU tar style long header */
   186            char *b;
   187            b = (char *)malloc(l+TBLOCK+100);
   188            if (!b) {
   189                    DEBUG(0,("out of memory\n"));
   190                    exit(1);
   191            }
   192            writetarheader(f, "/./@LongLink", l+1, 0, "     0 \0", 'L');
   193            memset(b, 0, l+TBLOCK+100);
   194            fixtarname(b, aname, l);
   195            i = strlen(b)+1;
   196            DEBUG(5, ("File name in tar file: %s, size=%d, \n", b, (int)strlen(b)));
   197            dotarbuf(f, b, TBLOCK*(((i-1)/TBLOCK)+1));
   198            free(b);
   199    }
   200  
   201    /* use l + 1 to do the null too */
   202    fixtarname(hb.dbuf.name, aname, (l >= NAMSIZ) ? NAMSIZ : l + 1);


On line 184, a check is made to see whether a GNU tar long style header is
required to hold a file path which exceeds 99 characters. Since the file
path does not exceed 99 chars (is exactly 99 chars), a regular style tar
header is used. On line 202, the path is mangled such that it is localised
(begins with .), and conforms to unix naming conventions. 

Unfortunately, this process adds an extra character to the filename (now 
100 chars). The last character in the filename gets truncated.


5. How to reproduce
-------------------

1. Create an SMB share.

2. In the root directory of the share, create the following three files:
	
	CO2_system/XPC_driver/XPC_1_3/Interrupts/test_mjt_3_int_no_scope_xpc_rtw/test_mjt_3_int_no_scope.
	CO2_system/XPC_driver/XPC_1_3/Interrupts/test_mjt_3_int_no_scope_xpc_rtw/test_mjt_3_int_no_scope.c
	CO2_system/XPC_driver/XPC_1_3/Interrupts/test_mjt_3_int_no_scope_xpc_rtw/test_mjt_3_int_no_scope.h

3. Connect to the share using smbclient, and tar up the CO2_system directory:

	Domain=[LOCALNET] OS=[Unix] Server=[Samba 2.0.8]
	smb: \> tar c ttar.tar CO2_system
	
4. List the contents of the tarfile and note the existence of duplicate
   filenames:

   
   alan at freddy:~/samba-2.0.10/source/bin$ tar -tvf ttar.tar
   drwxr-xr-x 0/0               0 2002-01-04 15:16:50 ./CO2_system/
   drwxr-xr-x 0/0               0 2002-01-04 15:17:09 ./CO2_system/XPC_driver/
   drwxr-xr-x 0/0               0 2002-01-04 15:17:24 ./CO2_system/XPC_driver/XPC_1_3/
   drwxr-xr-x 0/0               0 2002-01-04 15:24:34 ./CO2_system/XPC_driver/XPC_1_3/Interrupts/
   drwxr-xr-x 0/0               0 2002-01-04 20:29:09 ./CO2_system/XPC_driver/XPC_1_3/Interrupts/test_mjt_3_int_no_scope_xpc_rtw/
   -rw-r--r-- 0/0            2445 2001-11-23 16:47:21 ./CO2_system/XPC_driver/XPC_1_3/Interrupts/test_mjt_3_int_no_scope_xpc_rtw/test_mjt_3_int_no_scope.
   -rw-r--r-- 0/0            2445 2002-01-04 20:29:06 ./CO2_system/XPC_driver/XPC_1_3/Interrupts/test_mjt_3_int_no_scope_xpc_rtw/test_mjt_3_int_no_scope.
   -rw-r--r-- 0/0            2445 2002-01-04 20:29:08 ./CO2_system/XPC_driver/XPC_1_3/Interrupts/test_mjt_3_int_no_scope_xpc_rtw/test_mjt_3_int_no_scope.
   -rw-r--r-- 0/0            2445 2002-01-04 20:29:09 ./CO2_system/XPC_driver/XPC_1_3/Interrupts/test_mjt_3_int_no_scope_xpc_rtw/test_mjt_3_int_no_scope.
   alan at freddy:~/samba-2.0.10/source/bin$ 
   

6. Fix
------

Since I am unfamiliar with this code, I have decided to report the bug rather
than fix it myself. If the code is not being actively maintained, I
could probably write a patch. Please contact me by email if this is required.

7. Further Information
----------------------

If any further information is required, please email Alan Turner 
<alan -at- suburbia.com.au>





-- 
Alan Turner | Voice/Fax: (02) 9481 8223
Live never to be ashamed of anything you do or say.
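
The boundary condition described in section 4, as an added example that is not part of the original report and is not Samba's code: a simplified model of the name mangling, with the length check from the excerpt beside one that accounts for the added leading character. The function names, the NUL-terminated 100-byte field, and the leading backslash on the sample paths (added so the length matches the 99 characters the report states) are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define NAMSIZ 100 /* bytes in the tar header name field */

/* Reproduction paths from the report; the leading '\' is an assumption. */
static const char PATH_C[] = "\\CO2_system\\XPC_driver\\XPC_1_3\\Interrupts\\"
    "test_mjt_3_int_no_scope_xpc_rtw\\test_mjt_3_int_no_scope.c";
static const char PATH_H[] = "\\CO2_system\\XPC_driver\\XPC_1_3\\Interrupts\\"
    "test_mjt_3_int_no_scope_xpc_rtw\\test_mjt_3_int_no_scope.h";

/* Simplified model of the mangling: prefix '.', convert '\' to '/'.
 * Assumes the field is NUL-terminated, so it keeps NAMSIZ-1 characters. */
static void mangle_name(char field[NAMSIZ], const char *aname)
{
    snprintf(field, NAMSIZ, ".%s", aname);
    for (char *p = field; *p; p++)
        if (*p == '\\')
            *p = '/';
}

/* Check as in the excerpt (line 184): tests the length before mangling. */
static int longlink_as_reported(const char *aname)
{
    return strlen(aname) >= NAMSIZ;
}

/* Boundary-safe check: tests the length that will actually be stored. */
static int longlink_checked(const char *aname)
{
    return strlen(aname) + 1 >= NAMSIZ; /* +1 for the added '.' */
}

/* 1 if both paths end up with the same name in a regular header. */
static int names_collide(const char *a, const char *b)
{
    char fa[NAMSIZ], fb[NAMSIZ];
    mangle_name(fa, a);
    mangle_name(fb, b);
    return strcmp(fa, fb) == 0;
}

int main(void)
{
    char field[NAMSIZ];
    mangle_name(field, PATH_C);
    printf("input length %zu, stored length %zu\n", strlen(PATH_C), strlen(field));
    printf("long header: reported check=%d, corrected check=%d\n",
           longlink_as_reported(PATH_C), longlink_checked(PATH_C));
    printf(".c and .h collide: %d\n", names_collide(PATH_C, PATH_H));
    return 0;
}
```

With the corrected check, a 99-character input is routed to the long-name header path instead of a regular header, so the last character is not dropped.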



