The branch, v4-17-test has been updated
       via  33a5ca2f999 s3: smbd: Strip any leading '\' characters if the SMB2 DFS flag is set.
      from  bc05daafbc6 s3:client: Fix a use-after-free issue in smbclient
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-17-test

- Log -----------------------------------------------------------------
commit 33a5ca2f999509373d502bb3617df44c519e243a
Author: Jeremy Allison <j...@samba.org>
Date:   Tue Jan 3 18:28:54 2023 -0800

    s3: smbd: Strip any leading '\\' characters if the SMB2 DFS flag is set.

    MacOS clients send SMB2 DFS pathnames as \server\share\file\name.

    Ensure smbd can cope with this by stripping any leading '\\' characters
    from an SMB2 packet with the DFS flag set.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15277

    NB. The test for this is not back-ported to 4.17
    as there are too many changes in the test
    infrastructure and supporting client libraries
    between 4.17 and master.

    Back-ported from c9a6e242d15ee707a2e30f973fd37e80b3225aca.

    Signed-off-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Volker Lendecke <v...@samba.org>

    Autobuild-User(v4-17-test): Jule Anger <jan...@samba.org>
    Autobuild-Date(v4-17-test): Thu Jan 5 10:01:54 UTC 2023 on sn-devel-184

-----------------------------------------------------------------------

Summary of changes:
 source3/smbd/smb2_create.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

Changeset truncated at 500 lines:

diff --git a/source3/smbd/smb2_create.c b/source3/smbd/smb2_create.c index 75b9c7d28ff..cee67eab2d1 100644 --- a/source3/smbd/smb2_create.c +++ b/source3/smbd/smb2_create.c @@ -771,6 +771,17 @@ static struct tevent_req *smbd_smb2_create_send(TALLOC_CTX *mem_ctx, in_file_attributes &= ~FILE_FLAG_POSIX_SEMANTICS; + is_dfs = (smb1req->flags2 & FLAGS2_DFS_PATHNAMES); + if (is_dfs) { + /* + * With a DFS flag set, remove any leading '\\' + * characters from in_name before further processing. + */ + while (in_name[0] == '\\') { + in_name++; + } + } + state->fname = talloc_strdup(state, in_name); if (tevent_req_nomem(state->fname, req)) { return tevent_req_post(req, state->ev); 
@@ -961,8 +972,6 @@ static struct tevent_req *smbd_smb2_create_send(TALLOC_CTX *mem_ctx, state->lease_ptr = NULL; } - is_dfs = (smb1req->flags2 & FLAGS2_DFS_PATHNAMES); - /* convert '\\' into '/' */ status = check_path_syntax_smb2(state->fname, is_dfs); if (!NT_STATUS_IS_OK(status)) { -- Samba Shared Repository
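
Review bot: The added `is_dfs = (smb1req->flags2 & FLAGS2_DFS_PATHNAMES);` in the first hunk (@@ -771) dereferences smb1req roughly 190 lines earlier than the old location at @@ -961, and the visible context does not show where smb1req is assigned, so please confirm it is already set and non-NULL at this point. The in-code comment states only what the loop does; adding the reason from the commit message (MacOS clients send \server\share\file\name, BUG 15277) would tell a later reader why the strip exists. Note also that after the `while (in_name[0] == '\\')` loop a name made up only of backslashes becomes an empty string before `talloc_strdup(state, in_name)`, and since the commit message says the test is not back-ported to 4.17, that case and the normal one have no automated coverage on this branch.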
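
Review bot: In the second hunk (@@ -961), `check_path_syntax_smb2(state->fname, is_dfs)` now relies on the value of is_dfs computed in the first hunk, so it is worth checking that nothing between the two locations writes to is_dfs or changes smb1req->flags2. Because the leading '\\' characters are removed from in_name before it is copied into state->fname, check_path_syntax_smb2() is also now validating the stripped name rather than what the client sent; a short comment at this call saying so would make that explicit.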