The branch, master has been updated
via 8a427783e5e smbd: fix pathref unlinking in create_file_unixpath()
from 7645aca4d05 lib:cmdline: Use getprogname() to avoid possible issues
with setproctitle()
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 8a427783e5e780d3ffbe4f9710ac4a17c483ca33
Author: Jeremy Allison <j...@samba.org>
Date: Tue Jun 8 18:53:18 2021 +0200
smbd: fix pathref unlinking in create_file_unixpath()
This is really subtle. If someone passes in an smb_fname where smb_fname
actually is taken from fsp->fsp_name, then the lifetime of these objects is
meant to be the same.
This is commonly the case from an SMB1 path-based call
(eg call_trans2qfilepathinfo()) where we use the pathref fsp
(smb_fname->fsp) as the handle. In this case we must not unlink
smb_fname->fsp
from it's owner.
The asserts below:
SMB_ASSERT(fsp->fsp_name->fsp != NULL);
SMB_ASSERT(fsp->fsp_name->fsp == fsp);
ensure the required invarients are met.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14732
Pair-Programmed-With: Ralph Boehme <s...@samba.org>
Signed-off-by: Jeremy Allison <j...@samba.org>
Signed-off-by: Ralph Boehme <s...@samba.org>
Autobuild-User(master): Ralph Böhme <s...@samba.org>
Autobuild-Date(master): Tue Jun 8 20:44:41 UTC 2021 on sn-devel-184
-----------------------------------------------------------------------
Summary of changes:
source3/smbd/open.c | 37 +++++++++++++++++++++++++++++++++----
1 file changed, 33 insertions(+), 4 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index 9f7a64cdeba..b438b287a08 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -5835,13 +5835,39 @@ static NTSTATUS create_file_unixpath(connection_struct
*conn,
* request to create a file that doesn't exist.
*/
if (smb_fname->fsp != NULL) {
- fsp = smb_fname->fsp;
+ bool need_fsp_unlink = true;
/*
- * Unlink the fsp from the smb_fname so the fsp is not
- * autoclosed by the smb_fname pathref fsp talloc destructor.
+ * This is really subtle. If someone passes in an smb_fname
+ * where smb_fname actually is taken from fsp->fsp_name, then
+ * the lifetime of these objects is meant to be the same.
+ *
+ * This is commonly the case from an SMB1 path-based call,
+ * (call_trans2qfilepathinfo) where we use the pathref fsp
+ * (smb_fname->fsp) as the handle. In this case we must not
+ * unlink smb_fname->fsp from it's owner.
+ *
+ * The asserts below:
+ *
+ * SMB_ASSERT(fsp->fsp_name->fsp != NULL);
+ * SMB_ASSERT(fsp->fsp_name->fsp == fsp);
+ *
+ * ensure the required invarients are met.
*/
- smb_fname_fsp_unlink(smb_fname);
+ if (smb_fname->fsp->fsp_name == smb_fname) {
+ need_fsp_unlink = false;
+ }
+
+ fsp = smb_fname->fsp;
+
+ if (need_fsp_unlink) {
+ /*
+ * Unlink the fsp from the smb_fname so the fsp is not
+ * autoclosed by the smb_fname pathref fsp talloc
+ * destructor.
+ */
+ smb_fname_fsp_unlink(smb_fname);
+ }
status = fsp_bind_smb(fsp, req);
if (!NT_STATUS_IS_OK(status)) {
@@ -5871,6 +5897,9 @@ static NTSTATUS create_file_unixpath(connection_struct
*conn,
}
}
+ SMB_ASSERT(fsp->fsp_name->fsp != NULL);
+ SMB_ASSERT(fsp->fsp_name->fsp == fsp);
+
if (base_fsp) {
/*
* We're opening the stream element of a
--
Samba Shared Repository
