[Samba] smbd - wide links / possible buffer failure??

tw tw at adog.de
Tue May 20 20:12:24 GMT 2003


Hello there,

sorry - my first mail seems to be lost?

Might be I am wrong, but it seems that the behavior of the wide link option 
has been changed since 2.2.7. So we have some problems on our large site 
upgrading to 2.2.8a. Here is what I found, but it may not be the 
intention of the Samba developers!

There is a new function called readlink_check in smbd/vfs.c. In this 
function is a pattern compare to guarantee that a symbolic link is not 
outside a share. So far - so good.

But in my opinion it would be better to check the physical location 
and not the logical path of the link to the destination. In case 
you have some necessary compatibility links on the system, Samba is not 
able to follow that link. And I think (hopefully right) that it is also 
safe to check the physical way - instead of the link path.

I've got an alternative to solve this behavior. If the intention is not 
the right one - please ignore this request; if so, feel free to use this 
patch.

And also a bzero call resets the buffer to zero, which can be undefined 
after the readlink call; in special circumstances the strncmp and also 
the DEBUG/TRACE might result in a NULL pointer or segmentation failure??

regards

- Thomas Wild

This patch looks first whether the destination of the link is available and 
then it gets the real physical path, and after that it continues with 
pattern compares of the physical location. It also fixes an undefined 
buffer (flink) using (I hope) ... the patch was tested .. but no warranty!


--- vfs.c,o     Wed Feb  5 17:25:48 2003
+++ vfs.c       Mon May 19 16:10:14 2003
@@ -740,6 +740,7 @@
                 realdir[reallen] = 0;
         }

+        bzero( flink, sizeof(flink) );
         if (conn->vfs_ops.readlink(conn, name, flink, sizeof(pstring) 
-1) != -1) {
                 DEBUG(3,("reduce_name: file path name %s is a 
symlink\nChecking it's path\n", name));
                 if (*flink == '/') {
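
Review bot: the added bzero( flink, sizeof(flink) ) only guarantees a terminated string if flink is an array of at least sizeof(pstring) bytes; its declaration is not in this hunk, and the readlink call right below sizes the buffer with sizeof(pstring) -1 rather than sizeof(flink). Since readlink does not append a NUL, a tighter fix is to keep the call's return value and set flink[ret] = 0 on success, using one size expression for both. bzero is also a legacy call; memset(flink, 0, sizeof(flink)) is the portable spelling.
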
@@ -750,6 +751,24 @@
                         pstrcat(cleanlink, flink);
                 }
                 unix_clean_name(cleanlink);
+
+               if (!vfs_GetWd(conn,savedir)) {
+                       DEBUG(0,("couldn't vfs_GetWd for %s 
%s\n",name,cleanlink));
+                       return(False);
+               }
+
+               if (vfs_ChDir(conn,cleanlink) != 0) {
+                       DEBUG(0,("couldn't vfs_ChDir to %s\n",cleanlink));
+                       return(False);
+               }
+
+               if (!vfs_GetWd(conn,cleanlink)) {
+                       DEBUG(0,("couldn't vfs_GetWd for %s\n",cleanlink));
+                       vfs_ChDir(conn,savedir);
+                       return(False);
+               }
+
+               DEBUG(0,("real share path : [%s], real destination pfad 
[%s]\n",realdir,cleanlink));

                 if (strncmp(cleanlink, realdir, reallen) != 0) { 
                  			DEBUG(2,("Bad access attempt? s=%s dir=%s 		 		 
newname=%s l=%d\n", name, realdir, cleanlink,(int)reallen));
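
Review bot: after the successful vfs_ChDir(conn,cleanlink) the working directory stays at the link target; savedir is restored only in the vfs_GetWd failure branch, and nothing in this hunk changes back before the strncmp or on the success path. Add a vfs_ChDir(conn,savedir) once cleanlink has been refreshed, and check its result. Two further points: vfs_ChDir fails when the link target is a file rather than a directory, so such links would now return False; and the new DEBUG(0,...) "real share path" line logs at level 0 on every symlink lookup, with the German "pfad" left in the message, so it should move to a higher debug level. savedir is not declared in either hunk shown.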




-- 
Thomas Wild

Telephones do not have constitutional rights to be accepted!
   - It's better to send me an Email ...
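
The physical-path check the message argues for, as an added example that is not part of the original post or of Samba's code: both the share root and the link are resolved with POSIX realpath() before the prefix compare. It goes one step beyond the post by requiring a path-component boundary after the prefix; the function names and the temp-directory layout are constructed for illustration.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if `path`, with every symlink resolved, lies inside `share`. */
int inside_share(const char *share, const char *path)
{
    char rshare[PATH_MAX], rpath[PATH_MAX];
    size_t n;
    if (!realpath(share, rshare) || !realpath(path, rpath))
        return 0;                    /* dangling link or missing dir: deny */
    n = strlen(rshare);
    if (strncmp(rpath, rshare, n) != 0)
        return 0;
    /* Require a component boundary so ".../share2" never matches ".../share". */
    return n == 1 || rpath[n] == '\0' || rpath[n] == '/';
}

/* Joins dir and leaf into `out` (PATH_MAX bytes) and returns it. */
static const char *join(const char *dir, const char *leaf, char *out)
{
    snprintf(out, PATH_MAX, "%s/%s", dir, leaf);
    return out;
}

/* Constructed tree in a fresh temp dir. Result bits: 1 = link through a compat
 * alias accepted, 2 = link to sibling "share2" accepted, 4 = dangling accepted. */
int demo(void)
{
    char base[] = "/tmp/widelinkXXXXXX";
    char share[PATH_MAX], a[PATH_MAX], b[PATH_MAX];
    if (!mkdtemp(base)) return -1;
    mkdir(join(base, "share", share), 0700);
    mkdir(join(base, "share/data", a), 0700);
    mkdir(join(base, "share2", a), 0700);
    symlink(share, join(base, "compat", a));          /* alias of the share */
    symlink(join(base, "compat/data", a), join(share, "via_compat", b));
    symlink(join(base, "share2", a), join(share, "sibling", b));
    symlink(join(base, "missing", a), join(share, "dangling", b));

    return inside_share(share, join(share, "via_compat", a))
         | inside_share(share, join(share, "sibling", a)) << 1
         | inside_share(share, join(share, "dangling", a)) << 2;
}
int main(void) { printf("accepted mask: %d\n", demo()); return 0; }
```

Only the link whose logical target runs through the compatibility alias is accepted, because its resolved path is inside the share; the sibling directory and the dangling link are refused.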



