[SCM] Samba Shared Repository - branch master updated

Stefan Metzmacher Thu, 01 Aug 2019 08:40:35 -0700

The branch, master has been updated
       via  c226dc6e8a1 smbd: Fix use-after-free from exit_server_common()
       via  10e140d25cd s3:torture: Fix the FreeBSD build
       via  21f6cece543 libcli/smb: send SMB2_NETNAME_NEGOTIATE_CONTEXT_ID
       via  e10b90f33bb libcli/smb: add new COMPRESSION and NETNAME negotiate 
context ids
      from  f258cfaa1d0 vfs:glusterfs_fuse: build only if we have setmntent()


https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit c226dc6e8a18343031829c35552e557903593daf
Author: Volker Lendecke <v...@samba.org>
Date:   Wed Jul 31 14:17:02 2019 +0200

    smbd: Fix use-after-free from exit_server_common()
    
    We need to keep the smbXsrv_connection structures around until all
    pending requests have had their chance to clean up behind them. If you
    look at srv_send_smb(), it's exactly prepared already to just drop
    anything on the floor when the transport has been declared dead:
    
        if (!NT_STATUS_IS_OK(xconn->transport.status)) {
                /*
                 * we're not supposed to do any io
                 */
                return true;
        }
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=14064
    
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    
    Autobuild-User(master): Stefan Metzmacher <me...@samba.org>
    Autobuild-Date(master): Thu Aug  1 15:39:13 UTC 2019 on sn-devel-184

commit 10e140d25cd3cad8428e3b080ef28dd237d903d5
Author: Volker Lendecke <v...@samba.org>
Date:   Wed Jul 31 10:52:40 2019 +0200

    s3:torture: Fix the FreeBSD build
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=14060
    
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 21f6cece543dd791e0f4636458bfe9819823420c
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Jul 25 14:38:26 2019 +0200

    libcli/smb: send SMB2_NETNAME_NEGOTIATE_CONTEXT_ID
    
    Note: Unlike the current documentation, the utf16 string
    is not null-terminated, that matches Windows Server 1903
    as a client.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14055
    RN: Add the target server name of SMB 3.1.1 connections
    as a hint to load balancers or servers with "multi-tenancy"
    support.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Aurelien Aptel <aap...@suse.com>

commit e10b90f33bb812600886656a1124e2d434416563
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Jul 25 14:37:31 2019 +0200

    libcli/smb: add new COMPRESSION and NETNAME negotiate context ids
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14055
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Aurelien Aptel <aap...@suse.com>

-----------------------------------------------------------------------

Summary of changes:
 libcli/smb/smb2_constants.h |  2 ++
 libcli/smb/smbXcli_base.c   | 17 +++++++++++++++++
 source3/smbd/server_exit.c  | 22 +++++++++++++++-------
 source3/torture/torture.c   |  2 ++
 4 files changed, 36 insertions(+), 7 deletions(-)


Changeset truncated at 500 lines:

diff --git a/libcli/smb/smb2_constants.h b/libcli/smb/smb2_constants.h
index 3dd462cdd69..1430f02689c 100644
--- a/libcli/smb/smb2_constants.h
+++ b/libcli/smb/smb2_constants.h
@@ -131,6 +131,8 @@
 /* Types of SMB2 Negotiate Contexts - only in dialect >= 0x310 */
 #define SMB2_PREAUTH_INTEGRITY_CAPABILITIES 0x0001
 #define SMB2_ENCRYPTION_CAPABILITIES        0x0002
+#define SMB2_COMPRESSION_CAPABILITIES       0x0003
+#define SMB2_NETNAME_NEGOTIATE_CONTEXT_ID   0x0005
 
 /* Values for the SMB2_PREAUTH_INTEGRITY_CAPABILITIES Context (>= 0x310) */
 #define SMB2_PREAUTH_INTEGRITY_SHA512       0x0001
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index 98c928795ec..0375101b034 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -4771,6 +4771,8 @@ static struct tevent_req 
*smbXcli_negprot_smb2_subreq(struct smbXcli_negprot_sta
        if (state->conn->max_protocol >= PROTOCOL_SMB3_10) {
                NTSTATUS status;
                struct smb2_negotiate_contexts c = { .num_contexts = 0, };
+               uint8_t *netname_utf16 = NULL;
+               size_t netname_utf16_len = 0;
                uint32_t offset;
                DATA_BLOB b;
                uint8_t p[38];
@@ -4803,6 +4805,21 @@ static struct tevent_req 
*smbXcli_negprot_smb2_subreq(struct smbXcli_negprot_sta
                        return NULL;
                }
 
+               ok = convert_string_talloc(state, CH_UNIX, CH_UTF16,
+                                          state->conn->remote_name,
+                                          strlen(state->conn->remote_name),
+                                          &netname_utf16, &netname_utf16_len);
+               if (!ok) {
+                       return NULL;
+               }
+
+               status = smb2_negotiate_context_add(state, &c,
+                                       SMB2_NETNAME_NEGOTIATE_CONTEXT_ID,
+                                       netname_utf16, netname_utf16_len);
+               if (!NT_STATUS_IS_OK(status)) {
+                       return NULL;
+               }
+
                status = smb2_negotiate_context_push(state, &b, c);
                if (!NT_STATUS_IS_OK(status)) {
                        return NULL;
diff --git a/source3/smbd/server_exit.c b/source3/smbd/server_exit.c
index ba5e6c7ff1e..d51b73d5131 100644
--- a/source3/smbd/server_exit.c
+++ b/source3/smbd/server_exit.c
@@ -93,7 +93,6 @@ static void exit_server_common(enum server_exit_reason how,
 {
        struct smbXsrv_client *client = global_smbXsrv_client;
        struct smbXsrv_connection *xconn = NULL;
-       struct smbXsrv_connection *xconn_next = NULL;
        struct smbd_server_connection *sconn = NULL;
        struct messaging_context *msg_ctx = global_messaging_context();
 
@@ -112,10 +111,7 @@ static void exit_server_common(enum server_exit_reason how,
        /*
         * Here we typically have just one connection
         */
-       for (; xconn != NULL; xconn = xconn_next) {
-               xconn_next = xconn->next;
-               DLIST_REMOVE(client->connections, xconn);
-
+       for (; xconn != NULL; xconn = xconn->next) {
                /*
                 * This is typically the disconnect for the only
                 * (or with multi-channel last) connection of the client
@@ -130,8 +126,6 @@ static void exit_server_common(enum server_exit_reason how,
                                break;
                        }
                }
-
-               TALLOC_FREE(xconn);
                DO_PROFILE_INC(disconnect);
        }
 
@@ -174,6 +168,20 @@ static void exit_server_common(enum server_exit_reason how,
 
        change_to_root_user();
 
+       if (client != NULL) {
+               struct smbXsrv_connection *xconn_next = NULL;
+
+               for (xconn = client->connections;
+                    xconn != NULL;
+                    xconn = xconn_next) {
+                       xconn_next = xconn->next;
+                       DLIST_REMOVE(client->connections, xconn);
+                       TALLOC_FREE(xconn);
+               }
+       }
+
+       change_to_root_user();
+
        /* 3 second timeout. */
        print_notify_send_messages(msg_ctx, 3);
 
diff --git a/source3/torture/torture.c b/source3/torture/torture.c
index ad6b3458f3c..2779e8e3aa8 100644
--- a/source3/torture/torture.c
+++ b/source3/torture/torture.c
@@ -13993,10 +13993,12 @@ static struct {
                .name  = "OPLOCK4",
                .fn    =  run_oplock4,
        },
+#ifdef HAVE_KERNEL_OPLOCKS_LINUX
        {
                .name  = "OPLOCK5",
                .fn    =  run_oplock5,
        },
+#endif
        {
                .name  = "DIR",
                .fn    =  run_dirtest,


-- 
Samba Shared Repository

[SCM] Samba Shared Repository - branch master updated

Reply via email to