The branch, v4-0-test has been updated
       via  ed22de6 check_parent_exists() can change errno. Ensure we preserve it across calls.
       via  a752308 Fix bug #9822 - Samba crashing during Win8 sync.
       via  e83dc71 Remove dependency on detection of HAVE_DIRFD for use of fdopendir().
       via  93d866e Remove the "Ugly hack" that was the second use of dirfd().
       via  44d4728 In the struct smb_Dir destructor, use the fsp back pointer to release resources.
       via  ecdcb62 Maintain a back-pointer to the fsp in struct smb_Dir when opening with FDOPENDIR.
       via  2a09b5d winbind4: Fix bug 9832 -- talloc use after free
       via  973bbc4 auth/ntlmssp: Avoid use-after-free of user_info after logon failure at log level 5
      from  ae3aa28 BUG 9817: Fix 'map untrusted to domain' with NTLMv2.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-0-test

- Log -----------------------------------------------------------------
commit ed22de6479971421b8e32188bfea4521a5f1c0cc
Author: Anand Avati <av...@redhat.com>
Date:   Mon Apr 29 15:21:00 2013 -0700

    check_parent_exists() can change errno. Ensure we preserve it across calls.

    Reviewed-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Volker Lendecke <v...@samba.org>

    Autobuild-User(master): Volker Lendecke <v...@samba.org>
    Autobuild-Date(master): Tue Apr 30 11:00:11 CEST 2013 on sn-devel-104
    (cherry picked from commit 7e807934e6550308efed814a20ce6d6dabbad557)

    Fix bug #9833 - Function called in unix_convert() path can overwrite errno.

    Autobuild-User(v4-0-test): Karolin Seeger <ksee...@samba.org>
    Autobuild-Date(v4-0-test): Tue May 7 10:32:43 CEST 2013 on sn-devel-104

commit a752308b89677d571300487858ba2509fe37ee6d
Author: Jeremy Allison <j...@samba.org>
Date:   Fri Apr 26 10:47:41 2013 -0700

    Fix bug #9822 - Samba crashing during Win8 sync.

    When refactoring the dptr destructor in the fix for bug: 9778
    (Samba directory code uses dirfd() without vectoring through a VFS call)
    I removed the code to NULL out the struct smb_Dir * pointer inside
    the fsp struct by mistake.

    Re-add the NULLing out of that pointer when closing a directory
    pointer associated with an open file.

    Reporter confirms it fixes the crash.

    Signed-off-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: David Disseldorp <dd...@samba.org>

    Autobuild-User(master): David Disseldorp <dd...@samba.org>
    Autobuild-Date(master): Sat Apr 27 20:44:55 CEST 2013 on sn-devel-104
    (cherry picked from commit 251767cde9a146d8122d76e257ab232c05ad452a)

commit e83dc714d5f773d8c9c08aa9bedc3f31cea7a137
Author: Jeremy Allison <j...@samba.org>
Date:   Wed Apr 10 16:30:10 2013 -0700

    Remove dependency on detection of HAVE_DIRFD for use of fdopendir().

    Signed-off-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

    Autobuild-User(master): Andreas Schneider <a...@cryptomilk.org>
    Autobuild-Date(master): Fri Apr 12 16:21:10 CEST 2013 on sn-devel-104
    (cherry picked from commit 7a4dd845958f1411daa8031ca242987001ab2f26)

commit 93d866e0dc5b968b442b24d7f00e304b4056a928
Author: Jeremy Allison <j...@samba.org>
Date:   Wed Apr 10 16:29:03 2013 -0700

    Remove the "Ugly hack" that was the second use of dirfd().

    The destructor does all the resource deallocation needed.

    Signed-off-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    (cherry picked from commit 0fe894fb89f4867e266bb04670a58101311e0234)

commit 44d47283133f1564b736540dc724473d2bd08416
Author: Jeremy Allison <j...@samba.org>
Date:   Wed Apr 10 16:24:15 2013 -0700

    In the struct smb_Dir destructor, use the fsp back pointer to release resources.

    Removes one use of dirfd().

    Signed-off-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    (cherry picked from commit ea14c9443178da9ae6ccbe71e573156396f6f699)

commit ecdcb622bfaf636f87d13064dcf6c6fade880260
Author: Jeremy Allison <j...@samba.org>
Date:   Wed Apr 10 16:21:39 2013 -0700

    Maintain a back-pointer to the fsp in struct smb_Dir when opening with FDOPENDIR.

    Signed-off-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    (cherry picked from commit e89ec641fc98ffd7f7193deb3728b0a284a093eb)

commit 2a09b5d2cd04840a733cf06c95bea6f0f7377a45
Author: Volker Lendecke <v...@samba.org>
Date:   Mon Apr 29 18:40:08 2013 +0200

    winbind4: Fix bug 9832 -- talloc use after free

    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    (cherry picked from commit c672ef11b1ed663b6366f321d3628acf05b3d0fe)

commit 973bbc449837f4c2ce07bc0403267fed83f340a9
Author: Andrew Bartlett <abart...@samba.org>
Date:   Fri Mar 15 13:00:55 2013 +1100

    auth/ntlmssp: Avoid use-after-free of user_info after logon failure at log level 5

    Reviewed-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit 1dcd75df4941d7032a66d3fbb86ac76964444a3f)

    Fix bug #9834 - segfault when logging in with wrong password from w2k8r2.

-----------------------------------------------------------------------

Summary of changes:
 auth/ntlmssp/ntlmssp_server.c |    2 +-
 source3/lib/system.c          |    4 +--
 source3/smbd/dir.c            |   46 ++++++++++++++++++++--------------------
 source3/smbd/filename.c       |    9 +++++++-
 source4/winbind/wb_server.c   |    2 +-
 5 files changed, 34 insertions(+), 29 deletions(-)

Changeset truncated at 500 lines:

diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c index d9bea1c..442bd5d 100644 --- a/auth/ntlmssp/ntlmssp_server.c +++ b/auth/ntlmssp/ntlmssp_server.c @@ -449,11 +449,11 @@ static NTSTATUS ntlmssp_server_check_password(struct gensec_security *gensec_sec &gensec_ntlmssp->server_returned_info, user_session_key, lm_session_key); } - talloc_free(user_info); if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(5, (__location__ ": Checking NTLMSSP password for %s\\%s failed: %s\n", user_info->client.domain_name, user_info->client.account_name, nt_errstr(nt_status))); } + TALLOC_FREE(user_info); NT_STATUS_NOT_OK_RETURN(nt_status); diff --git a/source3/lib/system.c b/source3/lib/system.c index d69f1c6..8dbf7dc 100644 --- a/source3/lib/system.c +++ b/source3/lib/system.c 
@@ -634,13 +634,11 @@ void kernel_flock(int fd, uint32 share_mode, uint32 access_mask) /******************************************************************* An fdopendir wrapper. - Ugly hack - we need dirfd for this to work correctly in the - calling code.. JRA. ********************************************************************/ DIR *sys_fdopendir(int fd) { -#if defined(HAVE_FDOPENDIR) && defined(HAVE_DIRFD) +#if defined(HAVE_FDOPENDIR) return fdopendir(fd); #else errno = ENOSYS; diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c index a06fc5f..52bd6a1 100644 --- a/source3/smbd/dir.c +++ b/source3/smbd/dir.c @@ -50,6 +50,8 @@ struct smb_Dir { struct name_cache_entry *name_cache; unsigned int name_cache_index; unsigned int file_number; + files_struct *fsp; /* Back pointer to containing fsp, only + set from OpenDir_fsp(). */ }; struct dptr_struct { @@ -675,18 +677,11 @@ done: void dptr_CloseDir(files_struct *fsp) { if (fsp->dptr) { -/* - * Ugly hack. We have defined fdopendir to return ENOSYS if dirfd also isn't - * present. I hate Solaris. JRA. - */ -#ifdef HAVE_DIRFD - if (fsp->fh->fd != -1 && - fsp->dptr->dir_hnd && - dirfd(fsp->dptr->dir_hnd->dir)) { - /* The call below closes the underlying fd. */ - fsp->fh->fd = -1; - } -#endif + /* + * The destructor for the struct smb_Dir + * (fsp->dptr->dir_hnd) now handles + * all resource deallocation. + */ dptr_close_internal(fsp->dptr); fsp->dptr = NULL; } 
@@ -1442,18 +1437,21 @@ bool is_visible_file(connection_struct *conn, const char *dir_path, static int smb_Dir_destructor(struct smb_Dir *dirp) { - if (dirp->dir) { -#ifdef HAVE_DIRFD - if (dirp->conn->sconn) { - files_struct *fsp = file_find_fd(dirp->conn->sconn, - dirfd(dirp->dir)); - if (fsp) { - /* The call below closes the underlying fd. */ - fsp->fh->fd = -1; + if (dirp->dir != NULL) { + SMB_VFS_CLOSEDIR(dirp->conn,dirp->dir); + if (dirp->fsp != NULL) { + /* + * The SMB_VFS_CLOSEDIR above + * closes the underlying fd inside + * dirp->fsp. + */ + dirp->fsp->fh->fd = -1; + if (dirp->fsp->dptr != NULL) { + SMB_ASSERT(dirp->fsp->dptr->dir_hnd == dirp); + dirp->fsp->dptr->dir_hnd = NULL; } + dirp->fsp = NULL; } -#endif - SMB_VFS_CLOSEDIR(dirp->conn,dirp->dir); } if (dirp->conn->sconn && !dirp->conn->sconn->using_smb2) { dirp->conn->sconn->searches.dirhandles_open--; @@ -1537,7 +1535,9 @@ static struct smb_Dir *OpenDir_fsp(TALLOC_CTX *mem_ctx, connection_struct *conn, if (fsp->is_directory && fsp->fh->fd != -1) { dirp->dir = SMB_VFS_FDOPENDIR(fsp, mask, attr); - if (dirp->dir == NULL) { + if (dirp->dir != NULL) { + dirp->fsp = fsp; + } else { DEBUG(10,("OpenDir_fsp: SMB_VFS_FDOPENDIR on %s returned " "NULL (%s)\n", dirp->dir_path, diff --git a/source3/smbd/filename.c b/source3/smbd/filename.c index 0be566f..9b05de3 100644 --- a/source3/smbd/filename.c +++ b/source3/smbd/filename.c @@ -450,13 +450,17 @@ NTSTATUS unix_convert(TALLOC_CTX *ctx, if (errno == ENOENT) { /* Optimization when creating a new file - only - the last component doesn't exist. */ + the last component doesn't exist. + NOTE : check_parent_exists() doesn't preserve errno. + */ + int saved_errno = errno; status = check_parent_exists(ctx, conn, posix_pathnames, smb_fname, &dirpath, &start); + errno = saved_errno; if (!NT_STATUS_IS_OK(status)) { goto fail; } 
@@ -529,13 +533,16 @@ NTSTATUS unix_convert(TALLOC_CTX *ctx, * Optimization for common case where the wildcard * is in the last component and the client already * sent the correct case. + * NOTE : check_parent_exists() doesn't preserve errno. */ + int saved_errno = errno; status = check_parent_exists(ctx, conn, posix_pathnames, smb_fname, &dirpath, &start); + errno = saved_errno; if (!NT_STATUS_IS_OK(status)) { goto fail; } diff --git a/source4/winbind/wb_server.c b/source4/winbind/wb_server.c index a904470..bd2d361 100644 --- a/source4/winbind/wb_server.c +++ b/source4/winbind/wb_server.c @@ -75,7 +75,7 @@ static void wbsrv_call_loop(struct tevent_req *subreq) if (!NT_STATUS_IS_OK(status)) { const char *reason; - reason = talloc_asprintf(call, "wbsrv_call_loop: " + reason = talloc_asprintf(wbsrv_conn, "wbsrv_call_loop: " "tstream_read_pdu_blob_recv() - %s", nt_errstr(status)); if (!reason) { -- Samba Shared Repository
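
Review bot: In auth/ntlmssp/ntlmssp_server.c (hunk at -449), the ordering constraint between the failure log and the free is not documented: TALLOC_FREE(user_info) has to stay below the DEBUG(5, ...) block because that block reads user_info->client.domain_name and user_info->client.account_name. A one-line comment above the TALLOC_FREE saying so would keep a later cleanup from moving the free back up; the defect only shows on a failed logon at log level 5, so it is easy to miss in testing. The switch from talloc_free() to TALLOC_FREE() is also not mentioned in the commit message; if the intent is to leave user_info NULL before NT_STATUS_NOT_OK_RETURN(nt_status), say so.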
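
Review bot: In source3/lib/system.c, sys_fdopendir(), the header comment now reads only "An fdopendir wrapper." and tells callers nothing about the descriptor they pass in. After a successful fdopendir(fd) the descriptor belongs to the returned DIR and is closed by closedir(), which is why the dir.c hunks in this changeset reset fsp->fh->fd to -1 after SMB_VFS_CLOSEDIR. Suggest stating that ownership transfer in the comment, together with the errno = ENOSYS result on builds without HAVE_FDOPENDIR.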
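
Review bot: In source3/smbd/dir.c, struct smb_Dir (hunk at -50), the comment on the new fsp member says where the back pointer is set but not how long it stays valid or who clears it. Suggest extending it to say that smb_Dir_destructor() clears it, and that while it is set and fsp->dptr is non-NULL, fsp->dptr->dir_hnd points back at this smb_Dir, which is what the SMB_ASSERT in the destructor checks. Commit a752308 in this same push fixes a crash caused by one of these pointers being left stale, so the invariant is worth writing down next to the field.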
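
Review bot: In source3/smbd/dir.c, smb_Dir_destructor() (hunk at -1442), the back-pointer cleanup runs only inside the dirp->dir != NULL branch, so fsp->dptr->dir_hnd is cleared only when a DIR was actually open. That is safe as the hunks stand because OpenDir_fsp() assigns dirp->fsp only after SMB_VFS_FDOPENDIR returns non-NULL, but the dependency is implicit. Either move the dirp->fsp != NULL block (minus the fd reset) outside the dirp->dir test, or add a comment naming the coupling, so that a later path which sets dirp->fsp cannot leave dir_hnd dangling. The return value of SMB_VFS_CLOSEDIR is also ignored while fh->fd is set to -1 unconditionally; a DEBUG on failure would help when chasing descriptor leaks.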
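
Review bot: In source3/smbd/filename.c, unix_convert() (hunk at -450), the save and restore of errno is done at the call site, and the next hunk repeats the same three lines at a second call site. The added NOTE states that check_parent_exists() does not preserve errno, so the sturdier fix is to save and restore inside check_parent_exists() itself; that covers both callers here and any added later. If the call-site form is kept, note that inside the errno == ENOENT branch saved_errno can only be ENOENT, so the comment could say that the goal is to keep ENOENT visible to the code that follows.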
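
Review bot: In source3/smbd/filename.c, unix_convert() (hunk at -529), errno = saved_errno runs before the !NT_STATUS_IS_OK(status) test, so on the goto fail path errno no longer reflects why check_parent_exists() failed. That is harmless if the fail path reports only status, which these lines do not show. If that is the case, say so in the NOTE comment; otherwise restore errno only after the status check succeeds.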
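
Review bot: In source4/winbind/wb_server.c, wbsrv_call_loop() (hunk at -75), the reason for parenting the string on wbsrv_conn instead of call is not recorded at the call site, and the commit message says only "talloc use after free". A short comment stating why call is not a safe talloc parent on this error path would prevent a well-meant revert. Since reason now lives as long as wbsrv_conn, it is also worth confirming that the consumer frees it or that the connection is torn down right after; the visible lines show only the !reason check.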