The branch, master has been updated
via 20df26b9081 s3: smbd: Sanitize any "server" and "share" components
of SMB1 DFS paths to remove UNIX separators.
via 2aa9ffa2f0f s3: torture: Add test to show an SMB1 DFS path of
"\x//\/" crashes smbd.
from c2e83ebe726 mdssvc: fix returning file modification date for older
Mac releases
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 20df26b908182f0455f301a51aeb54b6044af580
Author: Jeremy Allison <j...@samba.org>
Date: Wed Jul 26 16:39:51 2023 -0700
s3: smbd: Sanitize any "server" and "share" components of SMB1 DFS paths to
remove UNIX separators.
Remove knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15419
Signed-off-by: Jeremy Allison <j...@samba.org>
Reviewed-by: Ralph Boehme <s...@samba.org>
Autobuild-User(master): Ralph Böhme <s...@samba.org>
Autobuild-Date(master): Thu Jul 27 10:52:50 UTC 2023 on atb-devel-224
commit 2aa9ffa2f0fc79599efbfe0c37aac4ef5160f712
Author: Jeremy Allison <j...@samba.org>
Date: Wed Jul 26 16:37:11 2023 -0700
s3: torture: Add test to show an SMB1 DFS path of "\\x//\\/" crashes smbd.
Adds knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15419
Signed-off-by: Jeremy Allison <j...@samba.org>
Reviewed-by: Ralph Boehme <s...@samba.org>
-----------------------------------------------------------------------
Summary of changes:
source3/selftest/tests.py | 14 +++++++++++
source3/smbd/smb2_reply.c | 31 +++++++++++++++++++++++
source3/torture/proto.h | 1 +
source3/torture/test_smb1_dfs.c | 56 +++++++++++++++++++++++++++++++++++++++++
source3/torture/torture.c | 4 +++
5 files changed, 106 insertions(+)
Changeset truncated at 500 lines:
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index d2b5409d0a9..a10969adbb4 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -357,6 +357,20 @@
plantestsuite("samba3.smbtorture_s3.smb1.SMB1-DFS-OPERATIONS",
'$PASSWORD',
smbtorture3,
"-mNT1"])
+#
+# SMB1-DFS-BADPATH needs to run against a special share msdfs-pathname-share
+# BUG: https://bugzilla.samba.org/show_bug.cgi?id=15419
+#
+plantestsuite("samba3.smbtorture_s3.smb1.SMB1-DFS-BADPATH",
+ "fileserver_smb1",
+ [os.path.join(samba3srcdir,
+ "script/tests/test_smbtorture_s3.sh"),
+ 'SMB1-DFS-BADPATH',
+ '//$SERVER_IP/msdfs-pathname-share',
+ '$USERNAME',
+ '$PASSWORD',
+ smbtorture3,
+ "-mNT1"])
#
# SMB2-STREAM-ACL needs to run against a special share - vfs_wo_fruit
diff --git a/source3/smbd/smb2_reply.c b/source3/smbd/smb2_reply.c
index 9113878fa8c..66b735e0b75 100644
--- a/source3/smbd/smb2_reply.c
+++ b/source3/smbd/smb2_reply.c
@@ -324,6 +324,7 @@ static size_t srvstr_get_path_internal(TALLOC_CTX *ctx,
char *share = NULL;
char *remaining_path = NULL;
char path_sep = 0;
+ char *p = NULL;
if (posix_pathnames && (dst[0] == '/')) {
path_sep = dst[0];
@@ -374,6 +375,16 @@ static size_t srvstr_get_path_internal(TALLOC_CTX *ctx,
if (share == NULL) {
goto local_path;
}
+ /*
+ * Ensure the server name does not contain
+ * any possible path components by converting
+ * them to _'s.
+ */
+ for (p = server + 1; p < share; p++) {
+ if (*p == '/' || *p == '\\') {
+ *p = '_';
+ }
+ }
/*
* It's a well formed DFS path with
* at least server and share components.
@@ -388,6 +399,16 @@ static size_t srvstr_get_path_internal(TALLOC_CTX *ctx,
*/
remaining_path = strchr(share+1, path_sep);
if (remaining_path == NULL) {
+ /*
+ * Ensure the share name does not contain
+ * any possible path components by converting
+ * them to _'s.
+ */
+ for (p = share + 1; *p; p++) {
+ if (*p == '/' || *p == '\\') {
+ *p = '_';
+ }
+ }
/*
* If no remaining path this was
* a bare /server/share path. Just return.
@@ -395,6 +416,16 @@ static size_t srvstr_get_path_internal(TALLOC_CTX *ctx,
*err = NT_STATUS_OK;
return ret;
}
+ /*
+ * Ensure the share name does not contain
+ * any possible path components by converting
+ * them to _'s.
+ */
+ for (p = share + 1; p < remaining_path; p++) {
+ if (*p == '/' || *p == '\\') {
+ *p = '_';
+ }
+ }
*remaining_path = '/';
dst = remaining_path + 1;
/* dst now points at any following components. */
diff --git a/source3/torture/proto.h b/source3/torture/proto.h
index a67a771ef45..93d0727e936 100644
--- a/source3/torture/proto.h
+++ b/source3/torture/proto.h
@@ -127,6 +127,7 @@ bool run_smb2_dfs_filename_leading_backslash(int dummy);
bool run_smb1_dfs_paths(int dummy);
bool run_smb1_dfs_search_paths(int dummy);
bool run_smb1_dfs_operations(int dummy);
+bool run_smb1_dfs_check_badpath(int dummy);
bool run_list_dir_async_test(int dummy);
bool run_delete_on_close_non_empty(int dummy);
bool run_delete_on_close_nonwrite_delete_yes_test(int dummy);
diff --git a/source3/torture/test_smb1_dfs.c b/source3/torture/test_smb1_dfs.c
index c14d207c82a..6d55de9912f 100644
--- a/source3/torture/test_smb1_dfs.c
+++ b/source3/torture/test_smb1_dfs.c
@@ -3810,6 +3810,26 @@ static bool test_smb1_chkpath(struct cli_state *cli)
return retval;
}
+/*
+ * Test BUG: https://bugzilla.samba.org/show_bug.cgi?id=15419
+ */
+
+static bool test_smb1_chkpath_bad(struct cli_state *cli)
+{
+ NTSTATUS status;
+
+ status = smb1_chkpath(cli, "\\x//\\/");
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("%s:%d SMB1chkpath of %s failed (%s)\n",
+ __FILE__,
+ __LINE__,
+ "\\x//\\/",
+ nt_errstr(status));
+ return false;
+ }
+ return true;
+}
+
static NTSTATUS smb1_ctemp(struct cli_state *cli,
const char *path,
char **tmp_path)
@@ -4226,3 +4246,39 @@ bool run_smb1_dfs_operations(int dummy)
(void)smb1_dfs_delete(cli, "\\BAD\\BAD\\file");
return retval;
}
+
+/*
+ * Test BUG: https://bugzilla.samba.org/show_bug.cgi?id=15419
+ */
+
+bool run_smb1_dfs_check_badpath(int dummy)
+{
+ struct cli_state *cli = NULL;
+ bool dfs_supported = false;
+
+ printf("Starting SMB1-DFS-CHECK-BADPATH\n");
+
+ if (!torture_init_connection(&cli)) {
+ return false;
+ }
+
+ if (!torture_open_connection(&cli, 0)) {
+ return false;
+ }
+
+ /* Ensure this is a DFS share. */
+ dfs_supported = smbXcli_conn_dfs_supported(cli->conn);
+ if (!dfs_supported) {
+ printf("Server %s does not support DFS\n",
+ smbXcli_conn_remote_name(cli->conn));
+ return false;
+ }
+ dfs_supported = smbXcli_tcon_is_dfs_share(cli->smb1.tcon);
+ if (!dfs_supported) {
+ printf("Share %s does not support DFS\n",
+ cli->share);
+ return false;
+ }
+
+ return test_smb1_chkpath_bad(cli);
+}
diff --git a/source3/torture/torture.c b/source3/torture/torture.c
index 013879eefeb..ab992665323 100644
--- a/source3/torture/torture.c
+++ b/source3/torture/torture.c
@@ -15385,6 +15385,10 @@ static struct {
.name = "SMB1-DFS-OPERATIONS",
.fn = run_smb1_dfs_operations,
},
+ {
+ .name = "SMB1-DFS-BADPATH",
+ .fn = run_smb1_dfs_check_badpath,
+ },
{
.name = "CLEANUP1",
.fn = run_cleanup1,
--
Samba Shared Repository
