[SCM] Samba Shared Repository - branch master updated - 0953688012dcacca5b28a19c7a2d8393428ca151

Volker Lendecke Tue, 04 Nov 2008 00:41:56 -0800

The branch, master has been updated
       via  0953688012dcacca5b28a19c7a2d8393428ca151 (commit)
      from  d98e48c7cb5a5f2765afa874f09ec3e6cf4dd7a5 (commit)


http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 0953688012dcacca5b28a19c7a2d8393428ca151
Author: Volker Lendecke <[EMAIL PROTECTED]>
Date:   Mon Nov 3 15:25:02 2008 +0100

    Trigger (and fix) a bug in Samba3 making smbd an infinite data source
    
    A deferred open directly followed by a ulogoffX makes smbd3 send an infinite
    stream of ERRinvuid replies :-(

-----------------------------------------------------------------------

Summary of changes:
 source3/smbd/process.c           |    1 +
 source4/torture/raw/raw.c        |    1 +
 source4/torture/raw/samba3misc.c |   80 ++++++++++++++++++++++++++++++++++++++
 3 files changed, 82 insertions(+), 0 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/smbd/process.c b/source3/smbd/process.c
index 215ae20..bd0acbc 100644
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -1424,6 +1424,7 @@ static connection_struct *switch_message(uint8 type, 
struct smb_request *req, in
 
                if (!change_to_user(conn,session_tag)) {
                        reply_nterror(req, NT_STATUS_DOS(ERRSRV, ERRbaduid));
+                       remove_deferred_open_smb_message(req->mid);
                        return conn;
                }
 
diff --git a/source4/torture/raw/raw.c b/source4/torture/raw/raw.c
index 0a7fc3e..138f263 100644
--- a/source4/torture/raw/raw.c
+++ b/source4/torture/raw/raw.c
@@ -71,6 +71,7 @@ NTSTATUS torture_raw_init(void)
        torture_suite_add_simple_test(suite, "SAMBA3ROOTDIRFID",
                                      torture_samba3_rootdirfid);
        torture_suite_add_simple_test(suite, "SAMBA3CHECKFSP", 
torture_samba3_checkfsp);
+       torture_suite_add_simple_test(suite, "SAMBA3OPLOCKLOGOFF", 
torture_samba3_oplock_logoff);
        torture_suite_add_simple_test(suite, "SAMBA3BADPATH", 
torture_samba3_badpath);
        torture_suite_add_simple_test(suite, "SAMBA3CASEINSENSITIVE",
                                      torture_samba3_caseinsensitive);
diff --git a/source4/torture/raw/samba3misc.c b/source4/torture/raw/samba3misc.c
index 27b4d42..8cdccb3 100644
--- a/source4/torture/raw/samba3misc.c
+++ b/source4/torture/raw/samba3misc.c
@@ -889,3 +889,83 @@ bool torture_samba3_rootdirfid(struct torture_context 
*tctx)
        return ret;
 }
 
+bool torture_samba3_oplock_logoff(struct torture_context *tctx)
+{
+       struct smbcli_state *cli;
+       NTSTATUS status;
+       uint16_t fnum1;
+       union smb_open io;
+       const char *fname = "testfile";
+       bool ret = false;
+       struct smbcli_request *req;
+       struct smb_echo echo_req;
+
+       if (!torture_open_connection(&cli, tctx, 0)) {
+               ret = false;
+               goto done;
+       }
+
+       smbcli_unlink(cli->tree, fname);
+
+       ZERO_STRUCT(io);
+       io.generic.level = RAW_OPEN_NTCREATEX;
+       io.ntcreatex.in.flags = NTCREATEX_FLAGS_EXTENDED;
+       io.ntcreatex.in.root_fid = 0;
+       io.ntcreatex.in.security_flags = 0;
+       io.ntcreatex.in.access_mask =
+               SEC_STD_SYNCHRONIZE | SEC_FILE_EXECUTE;
+       io.ntcreatex.in.alloc_size = 0;
+       io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL;
+       io.ntcreatex.in.share_access = NTCREATEX_SHARE_ACCESS_NONE;
+       io.ntcreatex.in.open_disposition = NTCREATEX_DISP_OPEN_IF;
+       io.ntcreatex.in.create_options = 0;
+       io.ntcreatex.in.fname = "testfile";
+       status = smb_raw_open(cli->tree, tctx, &io);
+       if (!NT_STATUS_IS_OK(status)) {
+               d_printf("first smb_open failed: %s\n", nt_errstr(status));
+               ret = false;
+               goto done;
+       }
+       fnum1 = io.ntcreatex.out.file.fnum;
+
+       /*
+        * Create a conflicting open, causing the one-second delay
+        */
+
+       req = smb_raw_open_send(cli->tree, &io);
+       if (req == NULL) {
+               d_printf("smb_raw_open_send failed\n");
+               ret = false;
+               goto done;
+       }
+
+       /*
+        * Pull the VUID from under that request. As of Nov 3, 2008 all Samba3
+        * versions (3.0, 3.2 and master) would spin sending ERRinvuid errors
+        * as long as the client is still connected.
+        */
+
+       status = smb_raw_ulogoff(cli->session);
+
+       if (!NT_STATUS_IS_OK(status)) {
+               d_printf("ulogoff failed: %s\n", nt_errstr(status));
+               ret = false;
+               goto done;
+       }
+
+       echo_req.in.repeat_count = 1;
+       echo_req.in.size = 1;
+       echo_req.in.data = (uint8_t *)"";
+
+       status = smb_raw_echo(cli->session->transport, &echo_req);
+       if (!NT_STATUS_IS_OK(status)) {
+               d_printf("smb_raw_echo returned %s\n",
+                        nt_errstr(status));
+               ret = false;
+               goto done;
+       }
+
+       ret = true;
+ done:
+       return ret;
+}


-- 
Samba Shared Repository

[SCM] Samba Shared Repository - branch master updated - 0953688012dcacca5b28a19c7a2d8393428ca151

Reply via email to