The branch, master has been updated via 5ab7725 s3:net: new implementation of "servid wipedbs" with smbXsrv_* via d8dd0ec lib/util_tdb: factor out tdb_data_talloc_copy() via d23f19a s3:smbXsrv_open: add smbXsrv_open_global_traverse() via 60721a3 s3:smbXsrv_tcon: pass record in smbXsrv_tcon_global_traverse() via 93e22bb s3:smbXsrv_session: pass record in smbXsrv_session_global_traverse() from bdb80ae s3:smbd:smb2: fix segfault (access after free) in durable disconnect code
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 5ab77259746ef3811a64f6c7880ae2263d512c16 Author: Gregor Beck <gb...@sernet.de> Date: Thu Dec 13 13:00:28 2012 +0100 s3:net: new implementation of "servid wipedbs" with smbXsrv_* Signed-off-by: Gregor Beck <gb...@sernet.de> Reviewed-by: Michael Adam <ob...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> Autobuild-User(master): Michael Adam <ob...@samba.org> Autobuild-Date(master): Tue Feb 19 13:56:57 CET 2013 on sn-devel-104 commit d8dd0ecc484ccc0c3450c3e96725e56e8bf1a9ef Author: Gregor Beck <gb...@sernet.de> Date: Thu Jan 10 11:09:09 2013 +0100 lib/util_tdb: factor out tdb_data_talloc_copy() Signed-off-by: Gregor Beck <gb...@sernet.de> Reviewed-by: Michael Adam <ob...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit d23f19ab00314d773edb07a45e754365db378668 Author: Gregor Beck <gb...@sernet.de> Date: Wed Dec 12 16:06:50 2012 +0100 s3:smbXsrv_open: add smbXsrv_open_global_traverse() Signed-off-by: Gregor Beck <gb...@sernet.de> Reviewed-by: Michael Adam <ob...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit 60721a378240cb08e3f2ac0a1de14df5c9130010 Author: Gregor Beck <gb...@sernet.de> Date: Thu Dec 13 15:27:07 2012 +0100 s3:smbXsrv_tcon: pass record in smbXsrv_tcon_global_traverse() Signed-off-by: Gregor Beck <gb...@sernet.de> Reviewed-by: Michael Adam <ob...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit 93e22bb1c401b423b0242e6923b8e7944f793b3f Author: Gregor Beck <gb...@sernet.de> Date: Thu Dec 13 15:26:49 2012 +0100 s3:smbXsrv_session: pass record in smbXsrv_session_global_traverse() Signed-off-by: Gregor Beck <gb...@sernet.de> Reviewed-by: Michael Adam <ob...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> ----------------------------------------------------------------------- Summary of changes: lib/util/util_tdb.c | 15 + lib/util/util_tdb.h | 1 + source3/smbd/globals.h | 4 + source3/smbd/smbXsrv_open.c | 73 +++++ source3/smbd/smbXsrv_session.c | 1 + source3/smbd/smbXsrv_tcon.c | 1 + source3/utils/net_idmap_check.c | 23 +-- source3/utils/net_serverid.c | 566 ++++++++++++++++++++++++++++++++++++++- 8 files changed, 663 insertions(+), 21 deletions(-) Changeset truncated at 500 lines: diff --git a/lib/util/util_tdb.c b/lib/util/util_tdb.c index c005c82..93df958 100644 --- a/lib/util/util_tdb.c +++ b/lib/util/util_tdb.c @@ -63,6 +63,21 @@ TDB_DATA string_term_tdb_data(const char *string) return make_tdb_data((const uint8_t *)string, string ? strlen(string) + 1 : 0); } +TDB_DATA tdb_data_talloc_copy(TALLOC_CTX* mem_ctx, TDB_DATA data) { + TDB_DATA ret = { + .dptr = (uint8_t *)talloc_size(mem_ctx, data.dsize+1), + .dsize = data.dsize + }; + if (ret.dptr == NULL) { + ret.dsize = 0; + } else { + memcpy(ret.dptr, data.dptr, data.dsize); + ret.dptr[ret.dsize] = '\0'; + } + return ret; +} + + /**************************************************************************** Lock a chain by string. Return non-zero if lock failed. ****************************************************************************/ diff --git a/lib/util/util_tdb.h b/lib/util/util_tdb.h index d8a2333..630bdf6 100644 --- a/lib/util/util_tdb.h +++ b/lib/util/util_tdb.h @@ -30,6 +30,7 @@ bool tdb_data_equal(TDB_DATA t1, TDB_DATA t2); bool tdb_data_is_empty(TDB_DATA d); TDB_DATA string_tdb_data(const char *string); TDB_DATA string_term_tdb_data(const char *string); +TDB_DATA tdb_data_talloc_copy(TALLOC_CTX* mem_ctx, TDB_DATA data); /**************************************************************************** Lock a chain by string. Return non-zero if lock failed. diff --git a/source3/smbd/globals.h b/source3/smbd/globals.h index 6ead962..90e9ab4 100644 --- a/source3/smbd/globals.h +++ b/source3/smbd/globals.h @@ -457,6 +457,10 @@ NTSTATUS smb2srv_open_recreate(struct smbXsrv_connection *conn, struct GUID create_guid, NTTIME now, struct smbXsrv_open **_open); +struct smbXsrv_open_global0; +NTSTATUS smbXsrv_open_global_traverse( + int (*fn)(struct smbXsrv_open_global0 *, void *), + void *private_data); struct smbd_smb2_request { struct smbd_smb2_request *prev, *next; diff --git a/source3/smbd/smbXsrv_open.c b/source3/smbd/smbXsrv_open.c index be39cbc..2c2798b 100644 --- a/source3/smbd/smbXsrv_open.c +++ b/source3/smbd/smbXsrv_open.c @@ -1277,3 +1277,76 @@ NTSTATUS smb2srv_open_recreate(struct smbXsrv_connection *conn, *_open = op; return NT_STATUS_OK; } + + +struct smbXsrv_open_global_traverse_state { + int (*fn)(struct smbXsrv_open_global0 *, void *); + void *private_data; +}; + +static int smbXsrv_open_global_traverse_fn(struct db_record *rec, void *data) +{ + int ret = -1; + struct smbXsrv_open_global_traverse_state *state = + (struct smbXsrv_open_global_traverse_state*)data; + TDB_DATA key = dbwrap_record_get_key(rec); + TDB_DATA val = dbwrap_record_get_value(rec); + DATA_BLOB blob = data_blob_const(val.dptr, val.dsize); + struct smbXsrv_open_globalB global_blob; + enum ndr_err_code ndr_err; + TALLOC_CTX *frame = talloc_stackframe(); + + ndr_err = ndr_pull_struct_blob(&blob, frame, &global_blob, + (ndr_pull_flags_fn_t)ndr_pull_smbXsrv_open_globalB); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + DEBUG(1,("Invalid record in smbXsrv_open_global.tdb:" + "key '%s' ndr_pull_struct_blob - %s\n", + hex_encode_talloc(frame, key.dptr, key.dsize), + ndr_errstr(ndr_err))); + goto done; + } + + if (global_blob.version != SMBXSRV_VERSION_0) { + DEBUG(1,("Invalid record in smbXsrv_open_global.tdb:" + "key '%s' unsuported version - %d\n", + hex_encode_talloc(frame, key.dptr, key.dsize), + (int)global_blob.version)); + goto done; + } + + global_blob.info.info0->db_rec = rec; + ret = state->fn(global_blob.info.info0, state->private_data); +done: + TALLOC_FREE(frame); + return ret; +} + +NTSTATUS smbXsrv_open_global_traverse( + int (*fn)(struct smbXsrv_open_global0 *, void *), + void *private_data) +{ + + NTSTATUS status; + int count = 0; + struct smbXsrv_open_global_traverse_state state = { + .fn = fn, + .private_data = private_data, + }; + + become_root(); + status = smbXsrv_open_global_init(); + if (!NT_STATUS_IS_OK(status)) { + unbecome_root(); + DEBUG(0, ("Failed to initialize open_global: %s\n", + nt_errstr(status))); + return status; + } + + status = dbwrap_traverse_read(smbXsrv_open_global_db_ctx, + smbXsrv_open_global_traverse_fn, + &state, + &count); + unbecome_root(); + + return status; +} diff --git a/source3/smbd/smbXsrv_session.c b/source3/smbd/smbXsrv_session.c index f3072ee..017880c 100644 --- a/source3/smbd/smbXsrv_session.c +++ b/source3/smbd/smbXsrv_session.c @@ -1560,6 +1560,7 @@ static int smbXsrv_session_global_traverse_fn(struct db_record *rec, void *data) goto done; } + global_blob.info.info0->db_rec = rec; ret = state->fn(global_blob.info.info0, state->private_data); done: TALLOC_FREE(frame); diff --git a/source3/smbd/smbXsrv_tcon.c b/source3/smbd/smbXsrv_tcon.c index 49da84d..b6e2058 100644 --- a/source3/smbd/smbXsrv_tcon.c +++ b/source3/smbd/smbXsrv_tcon.c @@ -1200,6 +1200,7 @@ static int smbXsrv_tcon_global_traverse_fn(struct db_record *rec, void *data) goto done; } + global_blob.info.info0->db_rec = rec; ret = state->fn(global_blob.info.info0, state->private_data); done: TALLOC_FREE(frame); diff --git a/source3/utils/net_idmap_check.c b/source3/utils/net_idmap_check.c index 4174238..e75c890 100644 --- a/source3/utils/net_idmap_check.c +++ b/source3/utils/net_idmap_check.c @@ -42,7 +42,6 @@ static int traverse_check(struct db_record *rec, void* data); /* TDB_DATA *******************************************************************/ static char* print_data(TALLOC_CTX* mem_ctx, TDB_DATA d); static TDB_DATA parse_data(TALLOC_CTX* mem_ctx, const char** ptr); -static TDB_DATA talloc_copy(TALLOC_CTX* mem_ctx, TDB_DATA data); /* record *********************************************************************/ @@ -325,7 +324,7 @@ static int add_record(struct check_ctx* ctx, TDB_DATA key, TDB_DATA value) diff = unpack_diff(recvalue); talloc_free(diff.nval.dptr); } - diff.nval = talloc_copy(ctx->diff, value); + diff.nval = tdb_data_talloc_copy(ctx->diff, value); DEBUG_DIFF(2, mem, "TDB DIFF", key, diff.oval, diff.nval); @@ -355,7 +354,7 @@ fetch_record(struct check_ctx* ctx, TALLOC_CTX* mem_ctx, TDB_DATA key) if (NT_STATUS_IS_OK(status)) { TDB_DATA_diff diff = unpack_diff(tmp); - TDB_DATA ret = talloc_copy(mem_ctx, diff.nval); + TDB_DATA ret = tdb_data_talloc_copy(mem_ctx, diff.nval); talloc_free(tmp.dptr); return ret; } @@ -548,20 +547,6 @@ void adjust_hwm(struct check_ctx* ctx, const struct record* r) { } } -TDB_DATA talloc_copy(TALLOC_CTX* mem_ctx, TDB_DATA data) { - TDB_DATA ret = { - .dptr = (uint8_t *)talloc_size(mem_ctx, data.dsize+1), - .dsize = data.dsize - }; - if (ret.dptr == NULL) { - ret.dsize = 0; - } else { - memcpy(ret.dptr, data.dptr, data.dsize); - ret.dptr[ret.dsize] = '\0'; - } - return ret; -} - static bool is_cstr(TDB_DATA str) { return !tdb_data_is_empty(str) && str.dptr[str.dsize-1] == '\0'; } @@ -603,8 +588,8 @@ parse_record(TALLOC_CTX* mem_ctx, TDB_DATA key, TDB_DATA val) DEBUG(0, ("Out of memory.\n")); return NULL; } - ret->key = talloc_copy(ret, key); - ret->val = talloc_copy(ret, val); + ret->key = tdb_data_talloc_copy(ret, key); + ret->val = tdb_data_talloc_copy(ret, val); if ((ret->key.dptr == NULL && key.dptr != NULL) || (ret->val.dptr == NULL && val.dptr != NULL)) { diff --git a/source3/utils/net_serverid.c b/source3/utils/net_serverid.c index 2d25ba7..90448c1 100644 --- a/source3/utils/net_serverid.c +++ b/source3/utils/net_serverid.c @@ -20,9 +20,12 @@ #include "includes.h" #include "utils/net.h" #include "dbwrap/dbwrap.h" +#include "dbwrap/dbwrap_rbt.h" #include "serverid.h" #include "session.h" #include "lib/conn_tdb.h" +#include "smbd/globals.h" +#include "util_tdb.h" static int net_serverid_list_fn(const struct server_id *id, uint32_t msg_flags, void *priv) @@ -66,11 +69,570 @@ static int net_serverid_wipe(struct net_context *c, int argc, return serverid_traverse(net_serverid_wipe_fn, NULL) ? 0 : -1; } + +struct wipedbs_record_marker { + struct wipedbs_record_marker *prev, *next; + TDB_DATA key, val; + const char *desc; +}; + +struct wipedbs_server_data { + struct server_id server_id; + const char *server_id_str; + bool exists; + struct wipedbs_record_marker *session_records; + struct wipedbs_record_marker *tcon_records; + struct wipedbs_record_marker *open_records; +}; + +struct wipedbs_state { + struct db_context *id2server_data; + struct { + struct { + int total; + int existing; + int disconnected; + } server; + struct { + int total; + int disconnected; + int todelete; + int failure; + } session, tcon, open; + int open_timed_out; + } stat; + struct server_id *server_ids; + bool *server_exists; + int idx; + struct db_context *session_db; + struct db_context *tcon_db; + struct db_context *open_db; + struct timeval now; + bool testmode; + bool verbose; +}; + +static struct wipedbs_server_data *get_server_data(struct wipedbs_state *state, + const struct server_id *id) +{ + struct wipedbs_server_data *ret = NULL; + TDB_DATA key, val = tdb_null; + NTSTATUS status; + + key = make_tdb_data((const void*)&id->unique_id, sizeof(id->unique_id)); + status = dbwrap_fetch(state->id2server_data, talloc_tos(), key, &val); + if (NT_STATUS_IS_OK(status)) { + ret = *(struct wipedbs_server_data**) val.dptr; + TALLOC_FREE(val.dptr); + } else if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) { + ret = talloc_zero(state->id2server_data, + struct wipedbs_server_data); + if (ret == NULL) { + DEBUG(0, ("Failed to allocate server entry for %s\n", + server_id_str(talloc_tos(), id))); + goto done; + } + ret->server_id = *id; + ret->server_id_str = server_id_str(ret, id); + ret->exists = true; + val = make_tdb_data((const void*)&ret, sizeof(ret)); + status = dbwrap_store(state->id2server_data, + key, val, TDB_INSERT); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("Failed to store server entry for %s: %s\n", + server_id_str(talloc_tos(), id), + nt_errstr(status))); + } + goto done; + } else { + DEBUG(0, ("Failed to fetch server entry for %s: %s\n", + server_id_str(talloc_tos(), id), nt_errstr(status))); + goto done; + } + if (!server_id_equal(id, &ret->server_id)) { + DEBUG(0, ("uniq id collision for %s and %s\n", + server_id_str(talloc_tos(), id), + server_id_str(talloc_tos(), &ret->server_id))); + smb_panic("server_id->unique_id not unique!"); + } +done: + return ret; +} + +static int wipedbs_traverse_sessions(struct smbXsrv_session_global0 *session, + void *wipedbs_state) +{ + struct wipedbs_state *state = + talloc_get_type_abort(wipedbs_state, + struct wipedbs_state); + struct wipedbs_server_data *sd; + struct wipedbs_record_marker *rec; + TDB_DATA tmp; + int ret = -1; + + assert(session->num_channels == 1); + + state->stat.session.total++; + + sd = get_server_data(state, &session->channels[0].server_id); + if (sd == NULL) { + goto done; + } + + if (server_id_is_disconnected(&sd->server_id)) { + state->stat.session.disconnected++; + } + + rec = talloc_zero(sd, struct wipedbs_record_marker); + if (rec == NULL) { + DEBUG(0, ("Out of memory!\n")); + goto done; + } + + tmp = dbwrap_record_get_key(session->db_rec); + rec->key = tdb_data_talloc_copy(rec, tmp); + tmp = dbwrap_record_get_value(session->db_rec); + rec->val = tdb_data_talloc_copy(rec, tmp); + + rec->desc = talloc_asprintf( + rec, "session[global: %u wire: %lu]", + session->session_global_id, session->session_wire_id); + + if ((rec->key.dptr == NULL) || (rec->val.dptr == NULL) || + (rec->desc == NULL)) + { + DEBUG(0, ("Out of memory!\n")); + goto done; + } + + state->session_db = dbwrap_record_get_db(session->db_rec); + + DLIST_ADD(sd->session_records, rec); + ret = 0; +done: + return ret; +} + +static int wipedbs_traverse_tcon(struct smbXsrv_tcon_global0 *tcon, + void *wipedbs_state) +{ + struct wipedbs_state *state = + talloc_get_type_abort(wipedbs_state, + struct wipedbs_state); + struct wipedbs_server_data *sd; + struct wipedbs_record_marker *rec; + TDB_DATA tmp; + int ret = -1; + + state->stat.tcon.total++; + + sd = get_server_data(state, &tcon->server_id); + if (sd == NULL) { + goto done; + } + + if (server_id_is_disconnected(&sd->server_id)) { + state->stat.tcon.disconnected++; + } + + rec = talloc_zero(sd, struct wipedbs_record_marker); + if (rec == NULL) { + DEBUG(0, ("Out of memory!\n")); + goto done; + } + + tmp = dbwrap_record_get_key(tcon->db_rec); + rec->key = tdb_data_talloc_copy(rec, tmp); + tmp = dbwrap_record_get_value(tcon->db_rec); + rec->val = tdb_data_talloc_copy(rec, tmp); + + rec->desc = talloc_asprintf( + rec, "tcon[global: %u wire: %u session: %u share: %s]", + tcon->tcon_global_id, tcon->tcon_wire_id, + tcon->session_global_id, tcon->share_name); + + if ((rec->key.dptr == NULL) || (rec->val.dptr == NULL) || + (rec->desc == NULL)) + { + DEBUG(0, ("Out of memory!\n")); + goto done; + } + + state->tcon_db = dbwrap_record_get_db(tcon->db_rec); + + DLIST_ADD(sd->tcon_records, rec); + ret = 0; + +done: + return ret; +} + +static int wipedbs_traverse_open(struct smbXsrv_open_global0 *open, + void *wipedbs_state) +{ + struct wipedbs_state *state = + talloc_get_type_abort(wipedbs_state, + struct wipedbs_state); + struct wipedbs_server_data *sd; + struct wipedbs_record_marker *rec; + TDB_DATA tmp; + int ret = -1; + + state->stat.open.total++; + + sd = get_server_data(state, &open->server_id); + if (sd == NULL) { + goto done; + } + + if (server_id_is_disconnected(&sd->server_id)) { + struct timeval disconnect_time; + int64_t tdiff; + bool reached; + + state->stat.open.disconnected++; + + nttime_to_timeval(&disconnect_time, open->disconnect_time); + tdiff = usec_time_diff(&state->now, &disconnect_time); + reached = (tdiff >= 1000*open->durable_timeout_msec); + + if (state->verbose) { + TALLOC_CTX *mem_ctx = talloc_new(talloc_tos()); + d_printf("open[global: %u] disconnected at " + "[%s] %us ago with timeout of %us " + "-%s reached\n", + open->open_global_id, + nt_time_string(mem_ctx, open->disconnect_time), + (unsigned)(tdiff/1000000), + open->durable_timeout_msec / 1000, + reached ? "" : " not"); + talloc_free(mem_ctx); + } + + if (!reached) { + ret = 0; + goto done; + } + state->stat.open_timed_out++; + } + + rec = talloc_zero(sd, struct wipedbs_record_marker); + if (rec == NULL) { + DEBUG(0, ("Out of memory!\n")); + goto done; + } + + tmp = dbwrap_record_get_key(open->db_rec); + rec->key = tdb_data_talloc_copy(rec, tmp); + tmp = dbwrap_record_get_value(open->db_rec); + rec->val = tdb_data_talloc_copy(rec, tmp); + + rec->desc = talloc_asprintf( -- Samba Shared Repository