The branch, master has been updated
       via  20df26b9081 s3: smbd: Sanitize any "server" and "share" components 
of SMB1 DFS paths to remove UNIX separators.
       via  2aa9ffa2f0f s3: torture: Add test to show an SMB1 DFS path of 
"\x//\/" crashes smbd.
      from  c2e83ebe726 mdssvc: fix returning file modification date for older 
Mac releases

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 20df26b908182f0455f301a51aeb54b6044af580
Author: Jeremy Allison <j...@samba.org>
Date:   Wed Jul 26 16:39:51 2023 -0700

    s3: smbd: Sanitize any "server" and "share" components of SMB1 DFS paths to 
remove UNIX separators.
    
    Remove knownfail.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15419
    
    Signed-off-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    
    Autobuild-User(master): Ralph Böhme <s...@samba.org>
    Autobuild-Date(master): Thu Jul 27 10:52:50 UTC 2023 on atb-devel-224

commit 2aa9ffa2f0fc79599efbfe0c37aac4ef5160f712
Author: Jeremy Allison <j...@samba.org>
Date:   Wed Jul 26 16:37:11 2023 -0700

    s3: torture: Add test to show an SMB1 DFS path of "\\x//\\/" crashes smbd.
    
    Adds knownfail.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15419
    
    Signed-off-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 source3/selftest/tests.py       | 14 +++++++++++
 source3/smbd/smb2_reply.c       | 31 +++++++++++++++++++++++
 source3/torture/proto.h         |  1 +
 source3/torture/test_smb1_dfs.c | 56 +++++++++++++++++++++++++++++++++++++++++
 source3/torture/torture.c       |  4 +++
 5 files changed, 106 insertions(+)


Changeset truncated at 500 lines:

diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index d2b5409d0a9..a10969adbb4 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -357,6 +357,20 @@ 
plantestsuite("samba3.smbtorture_s3.smb1.SMB1-DFS-OPERATIONS",
                 '$PASSWORD',
                 smbtorture3,
                 "-mNT1"])
+#
+# SMB1-DFS-BADPATH needs to run against a special share msdfs-pathname-share
+# BUG: https://bugzilla.samba.org/show_bug.cgi?id=15419
+#
+plantestsuite("samba3.smbtorture_s3.smb1.SMB1-DFS-BADPATH",
+                "fileserver_smb1",
+                [os.path.join(samba3srcdir,
+                              "script/tests/test_smbtorture_s3.sh"),
+                'SMB1-DFS-BADPATH',
+                '//$SERVER_IP/msdfs-pathname-share',
+                '$USERNAME',
+                '$PASSWORD',
+                smbtorture3,
+                "-mNT1"])
 
 #
 # SMB2-STREAM-ACL needs to run against a special share - vfs_wo_fruit
diff --git a/source3/smbd/smb2_reply.c b/source3/smbd/smb2_reply.c
index 9113878fa8c..66b735e0b75 100644
--- a/source3/smbd/smb2_reply.c
+++ b/source3/smbd/smb2_reply.c
@@ -324,6 +324,7 @@ static size_t srvstr_get_path_internal(TALLOC_CTX *ctx,
                char *share = NULL;
                char *remaining_path = NULL;
                char path_sep = 0;
+               char *p = NULL;
 
                if (posix_pathnames && (dst[0] == '/')) {
                        path_sep = dst[0];
@@ -374,6 +375,16 @@ static size_t srvstr_get_path_internal(TALLOC_CTX *ctx,
                if (share == NULL) {
                        goto local_path;
                }
+               /*
+                * Ensure the server name does not contain
+                * any possible path components by converting
+                * them to _'s.
+                */
+               for (p = server + 1; p < share; p++) {
+                       if (*p == '/' || *p == '\\') {
+                               *p = '_';
+                       }
+               }
                /*
                 * It's a well formed DFS path with
                 * at least server and share components.
@@ -388,6 +399,16 @@ static size_t srvstr_get_path_internal(TALLOC_CTX *ctx,
                 */
                remaining_path = strchr(share+1, path_sep);
                if (remaining_path == NULL) {
+                       /*
+                        * Ensure the share name does not contain
+                        * any possible path components by converting
+                        * them to _'s.
+                        */
+                       for (p = share + 1; *p; p++) {
+                               if (*p == '/' || *p == '\\') {
+                                       *p = '_';
+                               }
+                       }
                        /*
                         * If no remaining path this was
                         * a bare /server/share path. Just return.
@@ -395,6 +416,16 @@ static size_t srvstr_get_path_internal(TALLOC_CTX *ctx,
                        *err = NT_STATUS_OK;
                        return ret;
                }
+               /*
+                * Ensure the share name does not contain
+                * any possible path components by converting
+                * them to _'s.
+                */
+               for (p = share + 1; p < remaining_path; p++) {
+                       if (*p == '/' || *p == '\\') {
+                               *p = '_';
+                       }
+               }
                *remaining_path = '/';
                dst = remaining_path + 1;
                /* dst now points at any following components. */
diff --git a/source3/torture/proto.h b/source3/torture/proto.h
index a67a771ef45..93d0727e936 100644
--- a/source3/torture/proto.h
+++ b/source3/torture/proto.h
@@ -127,6 +127,7 @@ bool run_smb2_dfs_filename_leading_backslash(int dummy);
 bool run_smb1_dfs_paths(int dummy);
 bool run_smb1_dfs_search_paths(int dummy);
 bool run_smb1_dfs_operations(int dummy);
+bool run_smb1_dfs_check_badpath(int dummy);
 bool run_list_dir_async_test(int dummy);
 bool run_delete_on_close_non_empty(int dummy);
 bool run_delete_on_close_nonwrite_delete_yes_test(int dummy);
diff --git a/source3/torture/test_smb1_dfs.c b/source3/torture/test_smb1_dfs.c
index c14d207c82a..6d55de9912f 100644
--- a/source3/torture/test_smb1_dfs.c
+++ b/source3/torture/test_smb1_dfs.c
@@ -3810,6 +3810,26 @@ static bool test_smb1_chkpath(struct cli_state *cli)
        return retval;
 }
 
+/*
+ * Test BUG: https://bugzilla.samba.org/show_bug.cgi?id=15419
+ */
+
+static bool test_smb1_chkpath_bad(struct cli_state *cli)
+{
+       NTSTATUS status;
+
+       status = smb1_chkpath(cli, "\\x//\\/");
+       if (!NT_STATUS_IS_OK(status)) {
+               printf("%s:%d SMB1chkpath of %s failed (%s)\n",
+                       __FILE__,
+                       __LINE__,
+                       "\\x//\\/",
+                       nt_errstr(status));
+               return false;
+       }
+       return true;
+}
+
 static NTSTATUS smb1_ctemp(struct cli_state *cli,
                           const char *path,
                           char **tmp_path)
@@ -4226,3 +4246,39 @@ bool run_smb1_dfs_operations(int dummy)
        (void)smb1_dfs_delete(cli, "\\BAD\\BAD\\file");
        return retval;
 }
+
+/*
+ * Test BUG: https://bugzilla.samba.org/show_bug.cgi?id=15419
+ */
+
+bool run_smb1_dfs_check_badpath(int dummy)
+{
+       struct cli_state *cli = NULL;
+       bool dfs_supported = false;
+
+       printf("Starting SMB1-DFS-CHECK-BADPATH\n");
+
+       if (!torture_init_connection(&cli)) {
+               return false;
+       }
+
+       if (!torture_open_connection(&cli, 0)) {
+               return false;
+       }
+
+       /* Ensure this is a DFS share. */
+       dfs_supported = smbXcli_conn_dfs_supported(cli->conn);
+       if (!dfs_supported) {
+               printf("Server %s does not support DFS\n",
+                       smbXcli_conn_remote_name(cli->conn));
+               return false;
+       }
+       dfs_supported = smbXcli_tcon_is_dfs_share(cli->smb1.tcon);
+       if (!dfs_supported) {
+               printf("Share %s does not support DFS\n",
+                       cli->share);
+               return false;
+       }
+
+       return test_smb1_chkpath_bad(cli);
+}
diff --git a/source3/torture/torture.c b/source3/torture/torture.c
index 013879eefeb..ab992665323 100644
--- a/source3/torture/torture.c
+++ b/source3/torture/torture.c
@@ -15385,6 +15385,10 @@ static struct {
                .name  = "SMB1-DFS-OPERATIONS",
                .fn    = run_smb1_dfs_operations,
        },
+       {
+               .name  = "SMB1-DFS-BADPATH",
+               .fn    = run_smb1_dfs_check_badpath,
+       },
        {
                .name  = "CLEANUP1",
                .fn    = run_cleanup1,


-- 
Samba Shared Repository

Reply via email to