The branch, master has been updated
       via  d18c76666f8 smbd: Protect smbd_smb2_getinfo_send() against invalid 
quota files
       via  7f16ecc5ce3 torture3: Check error code for quotactl on a non-quota 
file handle
      from  5c918d40bdc libsmb: Use tevent_req_received() in 
cli_qfileinfo_recv()

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit d18c76666f8c39bd3a91019247a4752faccb81fe
Author: Volker Lendecke <[email protected]>
Date:   Fri May 22 14:41:27 2020 +0200

    smbd: Protect smbd_smb2_getinfo_send() against invalid quota files
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=14367
    
    Signed-off-by: Volker Lendecke <[email protected]>
    Reviewed-by: Stefan Metzmacher <[email protected]>
    
    Autobuild-User(master): Stefan Metzmacher <[email protected]>
    Autobuild-Date(master): Fri May 29 09:55:10 UTC 2020 on sn-devel-184

commit 7f16ecc5ce3fd9a6fd084096d150a7b48fabb985
Author: Volker Lendecke <[email protected]>
Date:   Fri May 22 15:24:06 2020 +0200

    torture3: Check error code for quotactl on a non-quota file handle
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=14367
    
    Signed-off-by: Volker Lendecke <[email protected]>
    Reviewed-by: Stefan Metzmacher <[email protected]>

-----------------------------------------------------------------------

Summary of changes:
 selftest/knownfail.d/quota1 |  2 ++
 source3/selftest/tests.py   |  1 +
 source3/smbd/smb2_getinfo.c |  9 ++++++
 source3/torture/proto.h     |  1 +
 source3/torture/test_smb2.c | 67 +++++++++++++++++++++++++++++++++++++++++++++
 source3/torture/torture.c   |  4 +++
 6 files changed, 84 insertions(+)
 create mode 100644 selftest/knownfail.d/quota1


Changeset truncated at 500 lines:

diff --git a/selftest/knownfail.d/quota1 b/selftest/knownfail.d/quota1
new file mode 100644
index 00000000000..a36f3252f8f
--- /dev/null
+++ b/selftest/knownfail.d/quota1
@@ -0,0 +1,2 @@
+# ntvfs returns NT_STATUS_NOT_SUPPORTED
+^samba3.smbtorture_s3.plain.SMB2-QUOTA1.smbtorture\(ad_dc_ntvfs\)
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 6d8a730bb07..fb07610c3f0 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -96,6 +96,7 @@ fileserver_tests = [
          "SMB2-SESSION-REAUTH", "SMB2-SESSION-RECONNECT", "SMB2-FTRUNCATE",
          "SMB2-ANONYMOUS", "SMB2-DIR-FSYNC",
         "SMB2-PATH-SLASH",
+        "SMB2-QUOTA1",
          "CLEANUP1",
          "CLEANUP2",
          "CLEANUP4",
diff --git a/source3/smbd/smb2_getinfo.c b/source3/smbd/smb2_getinfo.c
index 01aedbf8e2e..f4fb7ce0b23 100644
--- a/source3/smbd/smb2_getinfo.c
+++ b/source3/smbd/smb2_getinfo.c
@@ -547,12 +547,21 @@ static struct tevent_req 
*smbd_smb2_getinfo_send(TALLOC_CTX *mem_ctx,
                struct ndr_pull *ndr_pull = NULL;
                DATA_BLOB sid_buf = data_blob_null;
                TALLOC_CTX *tmp_ctx = talloc_init("geninfo_quota");
+               bool ok;
 
                if (!tmp_ctx) {
                        tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
                        return tevent_req_post(req, ev);
                }
 
+               ok = check_fsp_ntquota_handle(conn, smbreq, fsp);
+               if (!ok) {
+                       DBG_INFO("no valid QUOTA HANDLE\n");
+                       TALLOC_FREE(tmp_ctx);
+                       tevent_req_nterror(req, NT_STATUS_INVALID_HANDLE);
+                       return tevent_req_post(req, ev);
+               }
+
                ndr_pull = ndr_pull_init_blob(&in_input_buffer, tmp_ctx);
                if (!ndr_pull) {
                        TALLOC_FREE(tmp_ctx);
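Review bot: The new check_fsp_ntquota_handle() call at the top of the quota branch has no comment saying what it guards. The code right after it starts parsing the client-supplied in_input_buffer and presumably goes on to treat fsp as a quota fake-file handle. A short comment above the check would keep a later refactor from moving it below the parsing or dropping it, for example `/* Quota queries are only valid on the quota fake file; reject any other handle before touching client input. */`. Because tmp_ctx is initialised in its declaration, the TALLOC_FREE() on the new error path is required as written. The enclosing function starts and ends outside this hunk, so how fsp is used further down is not visible here.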
diff --git a/source3/torture/proto.h b/source3/torture/proto.h
index f9c79fd7906..18e686089ed 100644
--- a/source3/torture/proto.h
+++ b/source3/torture/proto.h
@@ -104,6 +104,7 @@ bool run_smb2_ftruncate(int dummy);
 bool run_smb2_dir_fsync(int dummy);
 bool run_smb2_path_slash(int dummy);
 bool run_smb2_sacl(int dummy);
+bool run_smb2_quota1(int dummy);
 bool run_chain3(int dummy);
 bool run_local_conv_auth_info(int dummy);
 bool run_local_sprintf_append(int dummy);
diff --git a/source3/torture/test_smb2.c b/source3/torture/test_smb2.c
index 52f1c397623..0fb40a61dd0 100644
--- a/source3/torture/test_smb2.c
+++ b/source3/torture/test_smb2.c
@@ -2876,3 +2876,70 @@ bool run_smb2_sacl(int dummy)
        (void)cli_unlink(cli, fname, 0);
        return false;
 }
+
+bool run_smb2_quota1(int dummy)
+{
+       struct cli_state *cli = NULL;
+       NTSTATUS status;
+       uint16_t fnum = (uint16_t)-1;
+       SMB_NTQUOTA_STRUCT qt = {0};
+
+       printf("Starting SMB2-SACL\n");
+
+       if (!torture_init_connection(&cli)) {
+               return false;
+       }
+
+       status = smbXcli_negprot(cli->conn,
+                               cli->timeout,
+                               PROTOCOL_SMB2_02,
+                               PROTOCOL_SMB3_11);
+       if (!NT_STATUS_IS_OK(status)) {
+               printf("smbXcli_negprot returned %s\n", nt_errstr(status));
+               return false;
+       }
+
+       status = cli_session_setup_creds(cli, torture_creds);
+       if (!NT_STATUS_IS_OK(status)) {
+               printf("cli_session_setup returned %s\n", nt_errstr(status));
+               return false;
+       }
+
+       status = cli_tree_connect(cli, share, "?????", NULL);
+       if (!NT_STATUS_IS_OK(status)) {
+               printf("cli_tree_connect returned %s\n", nt_errstr(status));
+               return false;
+       }
+
+       status = cli_smb2_create_fnum(
+               cli,
+               "\\",
+               SMB2_OPLOCK_LEVEL_NONE,
+               SMB2_IMPERSONATION_IMPERSONATION,
+               SEC_GENERIC_READ, /* desired access */
+               0, /* file_attributes, */
+               FILE_SHARE_READ|
+               FILE_SHARE_WRITE|
+               FILE_SHARE_DELETE, /* share_access, */
+               FILE_OPEN, /* create_disposition, */
+               FILE_DIRECTORY_FILE, /* create_options, */
+               NULL, /* in_cblobs. */
+               &fnum, /* fnum */
+               NULL, /* smb_create_returns  */
+               NULL, /* mem_ctx */
+               NULL); /* out_cblobs */
+       if (!NT_STATUS_IS_OK(status)) {
+               printf("cli_smb2_create_fnum failed: %s\n", nt_errstr(status));
+               return false;
+       }
+
+       status = cli_smb2_get_user_quota(cli, fnum, &qt);
+       if (!NT_STATUS_EQUAL(status, NT_STATUS_INVALID_HANDLE)) {
+               printf("cli_smb2_get_user_quota returned %s, expected "
+                      "NT_STATUS_INVALID_HANDLE\n",
+                      nt_errstr(status));
+               return false;
+       }
+
+       return true;
+}
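Review bot: The banner at the top of run_smb2_quota1() prints `Starting SMB2-SACL`, which looks copied from the preceding test and will mislabel this regression test in torture logs; it should be `printf("Starting SMB2-QUOTA1\n");`. The function also returns on every path, including success, without closing fnum or tearing down the connection from torture_init_connection(). If the other tests in this file clean up, closing the handle and the connection before `return true;` would match them. A one-line comment above the cli_smb2_get_user_quota() call would document the intent, stating that an ordinary directory handle is used on purpose and that NT_STATUS_INVALID_HANDLE is the expected answer for a non-quota handle.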
diff --git a/source3/torture/torture.c b/source3/torture/torture.c
index e183ea2c5ca..997e074c481 100644
--- a/source3/torture/torture.c
+++ b/source3/torture/torture.c
@@ -14720,6 +14720,10 @@ static struct {
                .name  = "SMB2-SACL",
                .fn    = run_smb2_sacl,
        },
+       {
+               .name  = "SMB2-QUOTA1",
+               .fn    = run_smb2_quota1,
+       },
        {
                .name  = "CLEANUP1",
                .fn    = run_cleanup1,


-- 
Samba Shared Repository
