[SCM] Samba Shared Repository - branch master updated

Fri, 23 Aug 2024 02:28:18 -0700 

The branch, master has been updated
       via  168966a0530 s3:smbd: fix NULL dereference in case of readlink 
failure
      from  b0996ed589a s3:tests: Fix spelling error

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 168966a053045476a84044aa73f66722eb702fe0
Author: Shachar Sharon <ssha...@redhat.com>
Date:   Thu Aug 22 14:44:28 2024 +0300

    s3:smbd: fix NULL dereference in case of readlink failure
    
    When VFS readlinkat hook returns with error the following sequence
    yields NULL-pointer dereference (SIGSEGV):
    
      symlink_target_below_conn (source3/smbd/open.c)
        char *target = NULL;
        ...
        readlink_talloc (source3/smbd/files.c)
          SMB_VFS_READLINKAT
            smb_vfs_call_readlinkat (source3/smbd/vfs.c)
              handle->fns->readlinkat_fn --> returns error
    
      status = safe_symlink_target_path(.., target /* NULL */ ..)
        safe_symlink_target_path (source3/smbd/filename.c)
          if (target[0] == '/') { /* NULL pointer dereference */
    
    A failure in VFS module's readlinkat hook may happen due to run-time
    error (e.g., network failure which cases libcephfs to disconnect from
    MDS).
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=15700
    Signed-off-by: Shachar Sharon <ssha...@redhat.com>
    Reviewed-by: John Mulligan <jmulli...@redhat.com>
    Reviewed-by: Volker Lendecke <v...@samba.org>
    
    Autobuild-User(master): Volker Lendecke <v...@samba.org>
    Autobuild-Date(master): Fri Aug 23 09:27:06 UTC 2024 on atb-devel-224

-----------------------------------------------------------------------

Summary of changes:
 source3/smbd/open.c | 4 ++++
 1 file changed, 4 insertions(+)


Changeset truncated at 500 lines:

diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index a1c1c259e5c..0e36db0a85e 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -582,6 +582,10 @@ static NTSTATUS symlink_target_below_conn(
                        talloc_tos(), dirfsp, symlink_name, &target);
        }
 
+       if (!NT_STATUS_IS_OK(status)) {
+               return status;
+       }
+
        status = safe_symlink_target_path(talloc_tos(),
                                          connection_path,
                                          dirfsp->fsp_name->base_name,


-- 
Samba Shared Repository

Reply via email to