The branch, master has been updated via c226dc6e8a1 smbd: Fix use-after-free from exit_server_common() via 10e140d25cd s3:torture: Fix the FreeBSD build via 21f6cece543 libcli/smb: send SMB2_NETNAME_NEGOTIATE_CONTEXT_ID via e10b90f33bb libcli/smb: add new COMPRESSION and NETNAME negotiate context ids from f258cfaa1d0 vfs:glusterfs_fuse: build only if we have setmntent()
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit c226dc6e8a18343031829c35552e557903593daf Author: Volker Lendecke <v...@samba.org> Date: Wed Jul 31 14:17:02 2019 +0200 smbd: Fix use-after-free from exit_server_common() We need to keep the smbXsrv_connection structures around until all pending requests have had their chance to clean up behind them. If you look at srv_send_smb(), it's exactly prepared already to just drop anything on the floor when the transport has been declared dead: if (!NT_STATUS_IS_OK(xconn->transport.status)) { /* * we're not supposed to do any io */ return true; } Bug: https://bugzilla.samba.org/show_bug.cgi?id=14064 Signed-off-by: Volker Lendecke <v...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> Autobuild-User(master): Stefan Metzmacher <me...@samba.org> Autobuild-Date(master): Thu Aug 1 15:39:13 UTC 2019 on sn-devel-184 commit 10e140d25cd3cad8428e3b080ef28dd237d903d5 Author: Volker Lendecke <v...@samba.org> Date: Wed Jul 31 10:52:40 2019 +0200 s3:torture: Fix the FreeBSD build Bug: https://bugzilla.samba.org/show_bug.cgi?id=14060 Signed-off-by: Volker Lendecke <v...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit 21f6cece543dd791e0f4636458bfe9819823420c Author: Stefan Metzmacher <me...@samba.org> Date: Thu Jul 25 14:38:26 2019 +0200 libcli/smb: send SMB2_NETNAME_NEGOTIATE_CONTEXT_ID Note: Unlike the current documentation, the utf16 string is not null-terminated, that matches Windows Server 1903 as a client. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14055 RN: Add the target server name of SMB 3.1.1 connections as a hint to load balancers or servers with "multi-tenancy" support. 
Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Aurelien Aptel <aap...@suse.com> commit e10b90f33bb812600886656a1124e2d434416563 Author: Stefan Metzmacher <me...@samba.org> Date: Thu Jul 25 14:37:31 2019 +0200 libcli/smb: add new COMPRESSION and NETNAME negotiate context ids BUG: https://bugzilla.samba.org/show_bug.cgi?id=14055 Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Aurelien Aptel <aap...@suse.com> ----------------------------------------------------------------------- Summary of changes: libcli/smb/smb2_constants.h | 2 ++ libcli/smb/smbXcli_base.c | 17 +++++++++++++++++ source3/smbd/server_exit.c | 22 +++++++++++++++------- source3/torture/torture.c | 2 ++ 4 files changed, 36 insertions(+), 7 deletions(-) Changeset truncated at 500 lines: diff --git a/libcli/smb/smb2_constants.h b/libcli/smb/smb2_constants.h index 3dd462cdd69..1430f02689c 100644 --- a/libcli/smb/smb2_constants.h +++ b/libcli/smb/smb2_constants.h @@ -131,6 +131,8 @@ /* Types of SMB2 Negotiate Contexts - only in dialect >= 0x310 */ #define SMB2_PREAUTH_INTEGRITY_CAPABILITIES 0x0001 #define SMB2_ENCRYPTION_CAPABILITIES 0x0002 +#define SMB2_COMPRESSION_CAPABILITIES 0x0003 +#define SMB2_NETNAME_NEGOTIATE_CONTEXT_ID 0x0005 /* Values for the SMB2_PREAUTH_INTEGRITY_CAPABILITIES Context (>= 0x310) */ #define SMB2_PREAUTH_INTEGRITY_SHA512 0x0001 diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c index 98c928795ec..0375101b034 100644 --- a/libcli/smb/smbXcli_base.c +++ b/libcli/smb/smbXcli_base.c @@ -4771,6 +4771,8 @@ static struct tevent_req *smbXcli_negprot_smb2_subreq(struct smbXcli_negprot_sta if (state->conn->max_protocol >= PROTOCOL_SMB3_10) { NTSTATUS status; struct smb2_negotiate_contexts c = { .num_contexts = 0, }; + uint8_t *netname_utf16 = NULL; + size_t netname_utf16_len = 0; uint32_t offset; DATA_BLOB b; uint8_t p[38]; 
@@ -4803,6 +4805,21 @@ static struct tevent_req *smbXcli_negprot_smb2_subreq(struct smbXcli_negprot_sta return NULL; } + ok = convert_string_talloc(state, CH_UNIX, CH_UTF16, + state->conn->remote_name, + strlen(state->conn->remote_name), + &netname_utf16, &netname_utf16_len); + if (!ok) { + return NULL; + } + + status = smb2_negotiate_context_add(state, &c, + SMB2_NETNAME_NEGOTIATE_CONTEXT_ID, + netname_utf16, netname_utf16_len); + if (!NT_STATUS_IS_OK(status)) { + return NULL; + } + status = smb2_negotiate_context_push(state, &b, c); if (!NT_STATUS_IS_OK(status)) { return NULL; diff --git a/source3/smbd/server_exit.c b/source3/smbd/server_exit.c index ba5e6c7ff1e..d51b73d5131 100644 --- a/source3/smbd/server_exit.c +++ b/source3/smbd/server_exit.c @@ -93,7 +93,6 @@ static void exit_server_common(enum server_exit_reason how, { struct smbXsrv_client *client = global_smbXsrv_client; struct smbXsrv_connection *xconn = NULL; - struct smbXsrv_connection *xconn_next = NULL; struct smbd_server_connection *sconn = NULL; struct messaging_context *msg_ctx = global_messaging_context(); @@ -112,10 +111,7 @@ static void exit_server_common(enum server_exit_reason how, /* * Here we typically have just one connection */ - for (; xconn != NULL; xconn = xconn_next) { - xconn_next = xconn->next; - DLIST_REMOVE(client->connections, xconn); - + for (; xconn != NULL; xconn = xconn->next) { /* * This is typically the disconnect for the only * (or with multi-channel last) connection of the client @@ -130,8 +126,6 @@ static void exit_server_common(enum server_exit_reason how, break; } } - - TALLOC_FREE(xconn); DO_PROFILE_INC(disconnect); } 
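Review bot: The `convert_string_talloc()` call in the `@@ -4803` hunk of libcli/smb/smbXcli_base.c passes `strlen(state->conn->remote_name)` without the terminator, so the NETNAME payload is deliberately not null-terminated, but that reasoning exists only in the commit message. A comment above the call, such as `/* Not null-terminated, unlike the documentation; matches Windows Server 1903 as a client */`, would stop a later reader from "correcting" it to `strlen(...) + 1`. Separately, `netname_utf16_len` is a `size_t` while a negotiate context's DataLength field is 16 bits on the wire; if `smb2_negotiate_context_push()` does not already reject oversized data (not visible here), a guard like `if (netname_utf16_len > UINT16_MAX) { return NULL; }` before `smb2_negotiate_context_add()` would keep an overlong caller-supplied name from producing a truncated length. The enclosing function starts and ends outside the hunk.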
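Review bot: In the `@@ -112` hunk of source3/smbd/server_exit.c, the rewritten header `for (; xconn != NULL; xconn = xconn->next)` reads `xconn->next` after the body has run, so it is only safe while nothing in the body unlinks or frees `xconn`, and nothing in the loop says so. The commit message explains that the structures must survive until pending requests have cleaned up, so I would add a comment at the top of the loop, e.g. `/* Do not DLIST_REMOVE or free xconn here: pending requests may still reference it, it is freed further down */`. Part of the loop body lies between this hunk and the next and is not visible, so this guards against future edits reintroducing the use-after-free rather than pointing at a defect in the lines shown.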
@@ -174,6 +168,20 @@ static void exit_server_common(enum server_exit_reason how, change_to_root_user(); + if (client != NULL) { + struct smbXsrv_connection *xconn_next = NULL; + + for (xconn = client->connections; + xconn != NULL; + xconn = xconn_next) { + xconn_next = xconn->next; + DLIST_REMOVE(client->connections, xconn); + TALLOC_FREE(xconn); + } + } + + change_to_root_user(); + /* 3 second timeout. */ print_notify_send_messages(msg_ctx, 3); diff --git a/source3/torture/torture.c b/source3/torture/torture.c index ad6b3458f3c..2779e8e3aa8 100644 --- a/source3/torture/torture.c +++ b/source3/torture/torture.c @@ -13993,10 +13993,12 @@ static struct { .name = "OPLOCK4", .fn = run_oplock4, }, +#ifdef HAVE_KERNEL_OPLOCKS_LINUX { .name = "OPLOCK5", .fn = run_oplock5, }, +#endif { .name = "DIR", .fn = run_dirtest, -- Samba Shared Repository
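Review bot: The block added in the `@@ -174` hunk of source3/smbd/server_exit.c ends with a second `change_to_root_user();` directly after the free loop, while the unchanged line just above the block already makes the same call, and neither carries a comment. If the repeat exists because destructors triggered by `TALLOC_FREE(xconn)` can switch the effective user (an inference, the destructors are not in this hunk), say so with something like `/* talloc destructors may have changed the user context */`; if not, one call is enough. The loop itself also deserves a short comment stating that the connections are freed only at this point because earlier cleanup may still touch them, since that ordering is the whole fix. `exit_server_common()` continues outside the hunk.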