The branch, v4-23-test has been updated
via 15875ce6f0c smbd: Fix CID 1665417, UNUSED_VALUE in
openat_pathref_fsp_dot()
via ecbfd23640b smbd: Fix Bug 15897
via 0d94edcb98b smbd: Add openat_pathref_fsp_dot()
from 9d5de961df0 VERSION: Bump version up to Samba 4.23.4...
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-23-test
- Log -----------------------------------------------------------------
commit 15875ce6f0ce377e1d111a8a0c6d3eace246e315
Author: Anoop C S <[email protected]>
Date: Thu Sep 11 11:41:25 2025 +0530
smbd: Fix CID 1665417, UNUSED_VALUE in openat_pathref_fsp_dot()
Rearrange how the open flags are defined so as to make Coverity happy
about it.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15897
Signed-off-by: Anoop C S <[email protected]>
Reviewed-by: Volker Lendecke <[email protected]>
Autobuild-User(master): Anoop C S <[email protected]>
Autobuild-Date(master): Mon Sep 15 15:44:38 UTC 2025 on atb-devel-224
(cherry picked from commit 1ec54347acac241f900b52c16c2dcba04164e898)
Autobuild-User(v4-23-test): Jule Anger <[email protected]>
Autobuild-Date(v4-23-test): Fri Nov 14 08:58:01 UTC 2025 on atb-devel-224
commit ecbfd23640bbb56306362b6fac0b511961220cce
Author: Volker Lendecke <[email protected]>
Date: Sun Sep 7 21:57:27 2025 +0200
smbd: Fix Bug 15897
Don't leak smb_dirname->fsp->fh->fd == -1 coming from
openat_pathref_fsp_lcomp().
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15897
Signed-off-by: Volker Lendecke <[email protected]>
Reviewed-by: Anoop C S <[email protected]>
Autobuild-User(master): Volker Lendecke <[email protected]>
Autobuild-Date(master): Wed Sep 10 09:37:33 UTC 2025 on atb-devel-224
(cherry picked from commit 7143caeecc856d3326fdc3eb466ef1f37bc564b5)
commit 0d94edcb98b4c04e8a56be3ca1fd60f0f89fa505
Author: Volker Lendecke <[email protected]>
Date: Sun Sep 7 21:56:30 2025 +0200
smbd: Add openat_pathref_fsp_dot()
Very simple reopen of a directory as pathref. Too much magic in
openat_pathref_fsp_lcomp() leads to Bug 15897:
openat_pathref_fsp_lcomp() can return NT_STATUS_OK but still leave the
file descriptor at -1 for msdfs and smb1 posix reasons. When using it
in filename_convert_dirfsp_nosymlink() this bites us, the -1 can leak
into vfswrap_openat(). Avoid any magic by directly calling
SMB_VFS_OPENAT() with maximum NOFOLLOW/etc safety for this use case
and fail when this does not work.
This adds another flavor of openat_pathref_fsp, and at some point we
need to consolidate them again.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15897
Signed-off-by: Volker Lendecke <[email protected]>
Reviewed-by: Anoop C S <[email protected]>
(cherry picked from commit 83ece80ecc2baa52a3caa0ee3b0f954b005b2268)
-----------------------------------------------------------------------
Summary of changes:
source3/smbd/filename.c | 16 ++-----
source3/smbd/files.c | 108 ++++++++++++++++++++++++++++++++++++++++++++++++
source3/smbd/proto.h | 4 ++
3 files changed, 115 insertions(+), 13 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/smbd/filename.c b/source3/smbd/filename.c
index 6a9d5f99d2a..ec2f65553b6 100644
--- a/source3/smbd/filename.c
+++ b/source3/smbd/filename.c
@@ -767,19 +767,9 @@ filename_convert_dirfsp_nosymlink(TALLOC_CTX *mem_ctx,
}
if (dirname[0] == '\0') {
- smb_dirname = synthetic_smb_fname(
- mem_ctx,
- ".",
- NULL,
- NULL,
- 0,
- posix ? SMB_FILENAME_POSIX_PATH : 0);
- if (smb_dirname == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
- status = openat_pathref_fsp_lcomp(basedir,
- smb_dirname,
- UCF_POSIX_PATHNAMES);
+ status = openat_pathref_fsp_dot(
+ mem_ctx, basedir,
+ posix ? SMB_FILENAME_POSIX_PATH : 0, &smb_dirname);
} else {
status = normalize_filename_case(conn, dirname, ucf_flags);
if (!NT_STATUS_IS_OK(status)) {
diff --git a/source3/smbd/files.c b/source3/smbd/files.c
index 4cc203d8a1a..334810e45f9 100644
--- a/source3/smbd/files.c
+++ b/source3/smbd/files.c
@@ -1664,6 +1664,114 @@ NTSTATUS openat_pathref_fsp_lcomp(struct files_struct
*dirfsp,
return NT_STATUS_OK;
}
+NTSTATUS openat_pathref_fsp_dot(TALLOC_CTX *mem_ctx,
+ struct files_struct *dirfsp,
+ uint32_t flags,
+ struct smb_filename **_dot)
+{
+ struct connection_struct *conn = dirfsp->conn;
+ struct files_struct *fsp = NULL;
+ struct smb_filename *full_fname = NULL;
+ struct vfs_open_how how = { .flags = O_NOFOLLOW, };
+ struct smb_filename *dot = NULL;
+ NTSTATUS status;
+ int fd;
+
+#ifdef O_DIRECTORY
+ how.flags |= O_DIRECTORY;
+#endif
+
+#ifdef O_PATH
+ how.flags |= O_PATH;
+#else
+ how.flags |= (O_RDONLY | O_NONBLOCK);
+#endif
+
+ dot = synthetic_smb_fname(mem_ctx, ".", NULL, NULL, 0, flags);
+ if (dot == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ status = fsp_new(conn, conn, &fsp);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_DEBUG("fsp_new() failed: %s\n", nt_errstr(status));
+ return status;
+ }
+
+ GetTimeOfDay(&fsp->open_time);
+ fsp_set_gen_id(fsp);
+ ZERO_STRUCT(conn->sconn->fsp_fi_cache);
+
+ fsp->fsp_flags.is_pathref = true;
+
+ full_fname = full_path_from_dirfsp_atname(conn, dirfsp, dot);
+ if (full_fname == NULL) {
+ DBG_DEBUG("full_path_from_dirfsp_atname(%s/%s) failed\n",
+ dirfsp->fsp_name->base_name,
+ dot->base_name);
+ file_free(NULL, fsp);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ status = fsp_attach_smb_fname(fsp, &full_fname);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_DEBUG("fsp_attach_smb_fname(fsp, %s) failed: %s\n",
+ smb_fname_str_dbg(full_fname),
+ nt_errstr(status));
+ file_free(NULL, fsp);
+ return status;
+ }
+
+ fd = SMB_VFS_OPENAT(conn, dirfsp, dot, fsp, &how);
+ if (fd == -1) {
+ status = map_nt_error_from_unix(errno);
+ DBG_DEBUG("smb_vfs_openat(%s/%s) failed: %s\n",
+ dirfsp->fsp_name->base_name,
+ dot->base_name,
+ strerror(errno));
+ file_free(NULL, fsp);
+ return status;
+ }
+
+ fsp_set_fd(fsp, fd);
+
+ status = vfs_stat_fsp(fsp);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_DEBUG("vfs_stat_fsp(\"/\") failed: %s\n",
+ nt_errstr(status));
+ fd_close(fsp);
+ file_free(NULL, fsp);
+ return status;
+ }
+
+ fsp->fsp_flags.is_directory = S_ISDIR(fsp->fsp_name->st.st_ex_mode);
+ fsp->fsp_flags.posix_open =
+ ((dot->flags & SMB_FILENAME_POSIX_PATH) != 0);
+ fsp->file_id = vfs_file_id_from_sbuf(conn, &fsp->fsp_name->st);
+
+ dot->st = fsp->fsp_name->st;
+
+ status = fsp_smb_fname_link(fsp,
+ &dot->fsp_link,
+ &dot->fsp);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_DEBUG("fsp_smb_fname_link() failed: %s\n",
+ nt_errstr(status));
+ fd_close(fsp);
+ file_free(NULL, fsp);
+ return status;
+ }
+
+ DBG_DEBUG("fsp [%s]: OK, fd=%d\n", fsp_str_dbg(fsp), fd);
+
+ talloc_set_destructor(dot, smb_fname_fsp_destructor);
+
+ *_dot = dot;
+
+ return NT_STATUS_OK;
+}
+
void smb_fname_fsp_unlink(struct smb_filename *smb_fname)
{
talloc_set_destructor(smb_fname, NULL);
diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h
index 08506dec743..3b67efcbe23 100644
--- a/source3/smbd/proto.h
+++ b/source3/smbd/proto.h
@@ -401,6 +401,10 @@ NTSTATUS openat_pathref_fsp_nosymlink(
NTSTATUS openat_pathref_fsp_lcomp(struct files_struct *dirfsp,
struct smb_filename *smb_fname_rel,
uint32_t ucf_flags);
+NTSTATUS openat_pathref_fsp_dot(TALLOC_CTX *mem_ctx,
+ struct files_struct *dirfsp,
+ uint32_t flags,
+ struct smb_filename **_dot);
NTSTATUS readlink_talloc(
TALLOC_CTX *mem_ctx,
struct files_struct *dirfsp,
--
Samba Shared Repository
