The branch, v4-0-test has been updated
       via  ed22de6 check_parent_exists() can change errno. Ensure we preserve it across calls.
       via  a752308 Fix bug #9822 - Samba crashing during Win8 sync.
       via  e83dc71 Remove dependency on detection of HAVE_DIRFD for use of fdopendir().
       via  93d866e Remove the "Ugly hack" that was the second use of dirfd().
       via  44d4728 In the struct smb_Dir destructor, use the fsp back pointer to release resources.
       via  ecdcb62 Maintain a back-pointer to the fsp in struct smb_Dir when opening with FDOPENDIR.
       via  2a09b5d winbind4: Fix bug 9832 -- talloc use after free
       via  973bbc4 auth/ntlmssp: Avoid use-after-free of user_info after logon failure at log level 5
      from  ae3aa28 BUG 9817: Fix 'map untrusted to domain' with NTLMv2.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-0-test


- Log -----------------------------------------------------------------
commit ed22de6479971421b8e32188bfea4521a5f1c0cc
Author: Anand Avati <av...@redhat.com>
Date:   Mon Apr 29 15:21:00 2013 -0700

    check_parent_exists() can change errno. Ensure we preserve it across calls.
    
    Reviewed-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Volker Lendecke <v...@samba.org>
    
    Autobuild-User(master): Volker Lendecke <v...@samba.org>
    Autobuild-Date(master): Tue Apr 30 11:00:11 CEST 2013 on sn-devel-104
    (cherry picked from commit 7e807934e6550308efed814a20ce6d6dabbad557)
    
    Fix bug #9833 - Function called in unix_convert() path can overwrite errno.
    
    Autobuild-User(v4-0-test): Karolin Seeger <ksee...@samba.org>
    Autobuild-Date(v4-0-test): Tue May  7 10:32:43 CEST 2013 on sn-devel-104

commit a752308b89677d571300487858ba2509fe37ee6d
Author: Jeremy Allison <j...@samba.org>
Date:   Fri Apr 26 10:47:41 2013 -0700

    Fix bug #9822 - Samba crashing during Win8 sync.
    
    When refactoring the dptr destructor in the
    fix for bug:
    
    9778 (Samba directory code uses dirfd() without vectoring through a VFS call)
    
    I removed the code to NULL out the struct smb_Dir *
    pointer inside the fsp struct by mistake.
    
    Re-add the NULLing out of that pointer when
    closing a directory pointer associated with
    an open file.
    
    Reporter confirms it fixes the crash.
    
    Signed-off-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: David Disseldorp <dd...@samba.org>
    
    Autobuild-User(master): David Disseldorp <dd...@samba.org>
    Autobuild-Date(master): Sat Apr 27 20:44:55 CEST 2013 on sn-devel-104
    (cherry picked from commit 251767cde9a146d8122d76e257ab232c05ad452a)

commit e83dc714d5f773d8c9c08aa9bedc3f31cea7a137
Author: Jeremy Allison <j...@samba.org>
Date:   Wed Apr 10 16:30:10 2013 -0700

    Remove dependency on detection of HAVE_DIRFD for use of fdopendir().
    
    Signed-off-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    
    Autobuild-User(master): Andreas Schneider <a...@cryptomilk.org>
    Autobuild-Date(master): Fri Apr 12 16:21:10 CEST 2013 on sn-devel-104
    (cherry picked from commit 7a4dd845958f1411daa8031ca242987001ab2f26)

commit 93d866e0dc5b968b442b24d7f00e304b4056a928
Author: Jeremy Allison <j...@samba.org>
Date:   Wed Apr 10 16:29:03 2013 -0700

    Remove the "Ugly hack" that was the second use of dirfd().
    
    The destructor does all the resource deallocation needed.
    
    Signed-off-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    (cherry picked from commit 0fe894fb89f4867e266bb04670a58101311e0234)

commit 44d47283133f1564b736540dc724473d2bd08416
Author: Jeremy Allison <j...@samba.org>
Date:   Wed Apr 10 16:24:15 2013 -0700

    In the struct smb_Dir destructor, use the fsp back pointer to release resources.
    
    Removes one use of dirfd().
    
    Signed-off-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    (cherry picked from commit ea14c9443178da9ae6ccbe71e573156396f6f699)

commit ecdcb622bfaf636f87d13064dcf6c6fade880260
Author: Jeremy Allison <j...@samba.org>
Date:   Wed Apr 10 16:21:39 2013 -0700

    Maintain a back-pointer to the fsp in struct smb_Dir when opening with FDOPENDIR.
    
    Signed-off-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    (cherry picked from commit e89ec641fc98ffd7f7193deb3728b0a284a093eb)

commit 2a09b5d2cd04840a733cf06c95bea6f0f7377a45
Author: Volker Lendecke <v...@samba.org>
Date:   Mon Apr 29 18:40:08 2013 +0200

    winbind4: Fix bug 9832 -- talloc use after free
    
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    (cherry picked from commit c672ef11b1ed663b6366f321d3628acf05b3d0fe)

commit 973bbc449837f4c2ce07bc0403267fed83f340a9
Author: Andrew Bartlett <abart...@samba.org>
Date:   Fri Mar 15 13:00:55 2013 +1100

    auth/ntlmssp: Avoid use-after-free of user_info after logon failure at log level 5
    
    Reviewed-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit 1dcd75df4941d7032a66d3fbb86ac76964444a3f)
    
    Fix bug #9834 - segfault when logging in with wrong password from w2k8r2.

-----------------------------------------------------------------------

Summary of changes:
 auth/ntlmssp/ntlmssp_server.c |    2 +-
 source3/lib/system.c          |    4 +--
 source3/smbd/dir.c            |   46 ++++++++++++++++++++--------------------
 source3/smbd/filename.c       |    9 +++++++-
 source4/winbind/wb_server.c   |    2 +-
 5 files changed, 34 insertions(+), 29 deletions(-)


Changeset truncated at 500 lines:

diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c
index d9bea1c..442bd5d 100644
--- a/auth/ntlmssp/ntlmssp_server.c
+++ b/auth/ntlmssp/ntlmssp_server.c
@@ -449,11 +449,11 @@ static NTSTATUS ntlmssp_server_check_password(struct 
gensec_security *gensec_sec
                                                              
&gensec_ntlmssp->server_returned_info,
                                                              user_session_key, 
lm_session_key);
        }
-       talloc_free(user_info);
 
        if (!NT_STATUS_IS_OK(nt_status)) {
                DEBUG(5, (__location__ ": Checking NTLMSSP password for %s\\%s 
failed: %s\n", user_info->client.domain_name, user_info->client.account_name, 
nt_errstr(nt_status)));
        }
+       TALLOC_FREE(user_info);
 
        NT_STATUS_NOT_OK_RETURN(nt_status);
 
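
Review bot: nothing at the new TALLOC_FREE(user_info) says why it has to sit below the failure-path DEBUG(5, ...), which reads user_info->client.domain_name and user_info->client.account_name. A one-line comment there would stop a later cleanup from hoisting the free back up. The DEBUG arguments are only evaluated at log level 5 or above, so a test of the failed-logon path at a raised log level is worth adding alongside this.
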
diff --git a/source3/lib/system.c b/source3/lib/system.c
index d69f1c6..8dbf7dc 100644
--- a/source3/lib/system.c
+++ b/source3/lib/system.c
@@ -634,13 +634,11 @@ void kernel_flock(int fd, uint32 share_mode, uint32 
access_mask)
 
 /*******************************************************************
  An fdopendir wrapper.
- Ugly hack - we need dirfd for this to work correctly in the
- calling code.. JRA.
 ********************************************************************/
 
 DIR *sys_fdopendir(int fd)
 {
-#if defined(HAVE_FDOPENDIR) && defined(HAVE_DIRFD)
+#if defined(HAVE_FDOPENDIR)
        return fdopendir(fd);
 #else
        errno = ENOSYS;
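
Review bot: with the "Ugly hack" lines gone, the header comment of sys_fdopendir() is just "An fdopendir wrapper.", which leaves out the two things callers depend on. Document that on success the returned DIR owns fd, so closedir() closes it and the caller must not close it again, and that builds without HAVE_FDOPENDIR fail with errno = ENOSYS and need a fallback.
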
diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c
index a06fc5f..52bd6a1 100644
--- a/source3/smbd/dir.c
+++ b/source3/smbd/dir.c
@@ -50,6 +50,8 @@ struct smb_Dir {
        struct name_cache_entry *name_cache;
        unsigned int name_cache_index;
        unsigned int file_number;
+       files_struct *fsp; /* Back pointer to containing fsp, only
+                             set from OpenDir_fsp(). */
 };
 
 struct dptr_struct {
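
Review bot: the new fsp member of struct smb_Dir is a raw, non-owning back pointer, and its comment records only where it is set, not who clears it or what happens if the fsp goes away first. Please extend the comment to state the lifetime rule (the fsp must outlive the struct smb_Dir, or whoever frees the fsp must clear this field), since the destructor dereferences it.
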
@@ -675,18 +677,11 @@ done:
 void dptr_CloseDir(files_struct *fsp)
 {
        if (fsp->dptr) {
-/*
- * Ugly hack. We have defined fdopendir to return ENOSYS if dirfd also isn't
- * present. I hate Solaris. JRA.
- */
-#ifdef HAVE_DIRFD
-               if (fsp->fh->fd != -1 &&
-                               fsp->dptr->dir_hnd &&
-                               dirfd(fsp->dptr->dir_hnd->dir)) {
-                       /* The call below closes the underlying fd. */
-                       fsp->fh->fd = -1;
-               }
-#endif
+               /*
+                * The destructor for the struct smb_Dir
+                * (fsp->dptr->dir_hnd) now handles
+                * all resource deallocation.
+                */
                dptr_close_internal(fsp->dptr);
                fsp->dptr = NULL;
        }
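
Review bot: the replacement comment in dptr_CloseDir() says the struct smb_Dir destructor handles all resource deallocation, but resetting fsp->fh->fd to -1 now happens only when dirp->fsp was set, that is, for handles opened through OpenDir_fsp(). Say so in the comment, so a reader does not assume fsp->fh->fd is always invalidated after this call.
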
@@ -1442,18 +1437,21 @@ bool is_visible_file(connection_struct *conn, const 
char *dir_path,
 
 static int smb_Dir_destructor(struct smb_Dir *dirp)
 {
-       if (dirp->dir) {
-#ifdef HAVE_DIRFD
-               if (dirp->conn->sconn) {
-                       files_struct *fsp = file_find_fd(dirp->conn->sconn,
-                                               dirfd(dirp->dir));
-                       if (fsp) {
-                               /* The call below closes the underlying fd. */
-                               fsp->fh->fd = -1;
+       if (dirp->dir != NULL) {
+               SMB_VFS_CLOSEDIR(dirp->conn,dirp->dir);
+               if (dirp->fsp != NULL) {
+                       /*
+                        * The SMB_VFS_CLOSEDIR above
+                        * closes the underlying fd inside
+                        * dirp->fsp.
+                        */
+                       dirp->fsp->fh->fd = -1;
+                       if (dirp->fsp->dptr != NULL) {
+                               SMB_ASSERT(dirp->fsp->dptr->dir_hnd == dirp);
+                               dirp->fsp->dptr->dir_hnd = NULL;
                        }
+                       dirp->fsp = NULL;
                }
-#endif
-               SMB_VFS_CLOSEDIR(dirp->conn,dirp->dir);
        }
        if (dirp->conn->sconn && !dirp->conn->sconn->using_smb2) {
                dirp->conn->sconn->searches.dirhandles_open--;
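
Review bot: SMB_ASSERT(dirp->fsp->dptr->dir_hnd == dirp) inside a talloc destructor turns any disagreement between the two back pointers into a server panic during teardown. If that state is reachable, logging and skipping the NULL assignment would be safer than aborting; if it is not, a comment stating the invariant would help. Also, the return value of SMB_VFS_CLOSEDIR() is ignored and dirp->fsp->fh->fd is set to -1 regardless; a DEBUG on failure would make a leaked descriptor diagnosable.
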
@@ -1537,7 +1535,9 @@ static struct smb_Dir *OpenDir_fsp(TALLOC_CTX *mem_ctx, 
connection_struct *conn,
 
        if (fsp->is_directory && fsp->fh->fd != -1) {
                dirp->dir = SMB_VFS_FDOPENDIR(fsp, mask, attr);
-               if (dirp->dir == NULL) {
+               if (dirp->dir != NULL) {
+                       dirp->fsp = fsp;
+               } else {
                        DEBUG(10,("OpenDir_fsp: SMB_VFS_FDOPENDIR on %s 
returned "
                                "NULL (%s)\n",
                                dirp->dir_path,
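
Review bot: dirp->fsp is assigned only in the success branch of the SMB_VFS_FDOPENDIR() check, so on the else path, and when the outer if is not taken, the field keeps whatever the allocation left in it. The allocation of dirp is outside this hunk; please confirm it is zero-initialised (or set dirp->fsp = NULL explicitly), because smb_Dir_destructor() dereferences dirp->fsp whenever it is non-NULL.
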
diff --git a/source3/smbd/filename.c b/source3/smbd/filename.c
index 0be566f..9b05de3 100644
--- a/source3/smbd/filename.c
+++ b/source3/smbd/filename.c
@@ -450,13 +450,17 @@ NTSTATUS unix_convert(TALLOC_CTX *ctx,
 
                if (errno == ENOENT) {
                        /* Optimization when creating a new file - only
-                          the last component doesn't exist. */
+                          the last component doesn't exist.
+                          NOTE : check_parent_exists() doesn't preserve errno.
+                       */
+                       int saved_errno = errno;
                        status = check_parent_exists(ctx,
                                                conn,
                                                posix_pathnames,
                                                smb_fname,
                                                &dirpath,
                                                &start);
+                       errno = saved_errno;
                        if (!NT_STATUS_IS_OK(status)) {
                                goto fail;
                        }
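
Review bot: errno = saved_errno runs before the !NT_STATUS_IS_OK(status) check, so a failing check_parent_exists() also has its errno overwritten with the saved ENOENT on the way to fail. That is harmless if the fail path only looks at status, but it should be deliberate; otherwise restore only on success. Saving and restoring errno inside check_parent_exists() itself would also remove the need for every caller to remember this.
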
@@ -529,13 +533,16 @@ NTSTATUS unix_convert(TALLOC_CTX *ctx,
                 * Optimization for common case where the wildcard
                 * is in the last component and the client already
                 * sent the correct case.
+                * NOTE : check_parent_exists() doesn't preserve errno.
                 */
+               int saved_errno = errno;
                status = check_parent_exists(ctx,
                                        conn,
                                        posix_pathnames,
                                        smb_fname,
                                        &dirpath,
                                        &start);
+               errno = saved_errno;
                if (!NT_STATUS_IS_OK(status)) {
                        goto fail;
                }
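
Review bot: this is a second copy of the save/restore pattern, and here no errno test is visible around the call, so the NOTE does not tell the reader which later read of errno the restore protects. Name that consumer in the comment, and check that int saved_errno is the first statement of its block if the tree is built without mixed declarations and code.
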
diff --git a/source4/winbind/wb_server.c b/source4/winbind/wb_server.c
index a904470..bd2d361 100644
--- a/source4/winbind/wb_server.c
+++ b/source4/winbind/wb_server.c
@@ -75,7 +75,7 @@ static void wbsrv_call_loop(struct tevent_req *subreq)
        if (!NT_STATUS_IS_OK(status)) {
                const char *reason;
 
-               reason = talloc_asprintf(call, "wbsrv_call_loop: "
+               reason = talloc_asprintf(wbsrv_conn, "wbsrv_call_loop: "
                                         "tstream_read_pdu_blob_recv() - %s",
                                         nt_errstr(status));
                if (!reason) {
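
Review bot: the talloc parent for reason changes from call to wbsrv_conn with no comment, and the commit message says only "talloc use after free". Add a line explaining that reason has to outlive call, and note that the string now stays allocated until wbsrv_conn is freed, which is fine only if this path leads to the connection being torn down.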


-- 
Samba Shared Repository
