From 634694af4c2c42206adaf49e8231f6555a1de4eb Mon Sep 17 00:00:00 2001 From: Ralph Wuerthner Date: Wed, 1 Nov 2017 14:13:25 +0100 Subject: [PATCH 1/2] s3: smbd: Fix delete-on-close after smb2_find Both dptr_create() and can_delete_directory_fsp() are calling OpenDir_fsp() to get a directory handle. This is causing an issue when delete-on-close is set after smb2_find because both directory handle instances share the same underlying file descriptor. In addition the SMB_ASSERT() in destructor smb_Dir_destructor() gets triggered. To avoid this use OpenDir() instead of OpenDir_fsp(). Signed-off-by: Ralph Wuerthner --- source3/smbd/dir.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c index 8d83fba..8e591ed 100644 --- a/source3/smbd/dir.c +++ b/source3/smbd/dir.c @@ -2132,9 +2132,9 @@ NTSTATUS can_delete_directory_fsp(files_struct *fsp) char *talloced = NULL; SMB_STRUCT_STAT st; struct connection_struct *conn = fsp->conn; - struct smb_Dir *dir_hnd = OpenDir_fsp(talloc_tos(), + struct smb_Dir *dir_hnd = OpenDir(talloc_tos(), conn, - fsp, + fsp->fsp_name, NULL, 0); -- 2.7.4 From 8399e0abd3cf8482fd7168ed017d03b9dff4e437 Mon Sep 17 00:00:00 2001 From: Ralph Wuerthner Date: Fri, 27 Oct 2017 14:59:32 +0200 Subject: [PATCH 2/2] Add FIND and set DOC test case. Signed-off-by: Ralph Wuerthner --- source4/torture/smb2/delete-on-close.c | 67 ++++++++++++++++++++++++++++++++++ 1 file changed, 67 insertions(+) diff --git a/source4/torture/smb2/delete-on-close.c b/source4/torture/smb2/delete-on-close.c index 44ef33e..b7c41e9 100644 --- a/source4/torture/smb2/delete-on-close.c +++ b/source4/torture/smb2/delete-on-close.c @@ -516,6 +516,72 @@ static bool test_doc_create_if_exist(struct torture_context *tctx, struct smb2_t return true; } +static bool test_doc_find_and_set_doc(struct torture_context *tctx, struct smb2_tree *tree) +{ + struct smb2_create io; + struct smb2_find find; + NTSTATUS status; + union smb_search_data *d; + union smb_setfileinfo sfinfo; + unsigned int count; + uint32_t perms = 0; + int i; + + perms = SEC_STD_SYNCHRONIZE | SEC_STD_READ_CONTROL | SEC_STD_DELETE | + SEC_DIR_WRITE_ATTRIBUTE | SEC_DIR_READ_ATTRIBUTE | + SEC_DIR_WRITE_EA | SEC_FILE_APPEND_DATA | + SEC_FILE_WRITE_DATA | SEC_DIR_LIST; + + /* File should not exist for this first test, so make sure */ + set_dir_delete_perms(tctx, tree); + + smb2_deltree(tree, DNAME); + + create_dir(tctx, tree); + + torture_comment(tctx, "FIND and delete directory\n"); + torture_comment(tctx, "We expect NT_STATUS_OK\n"); + + /* open the directory first */ + ZERO_STRUCT(io); + io.in.desired_access = perms; + io.in.file_attributes = FILE_ATTRIBUTE_DIRECTORY; + io.in.create_disposition = NTCREATEX_DISP_OPEN_IF; + io.in.share_access = NTCREATEX_SHARE_ACCESS_READ | + NTCREATEX_SHARE_ACCESS_DELETE; + io.in.create_options = NTCREATEX_OPTIONS_DIRECTORY; + io.in.fname = DNAME; + + status = smb2_create(tree, tctx, &io); + CHECK_STATUS(status, NT_STATUS_OK); + + /* list directory */ + ZERO_STRUCT(find); + find.in.file.handle = io.out.file.handle; + find.in.pattern = "*"; + find.in.continue_flags = SMB2_CONTINUE_FLAG_SINGLE; + find.in.max_response_size = 0x100; + find.in.level = SMB2_FIND_BOTH_DIRECTORY_INFO; + + /* start enumeration on directory */ + status = smb2_find_level(tree, tree, &find, &count, &d); + CHECK_STATUS(status, NT_STATUS_OK); + + /* set delete-on-close */ + ZERO_STRUCT(sfinfo); + sfinfo.generic.level = RAW_SFILEINFO_DISPOSITION_INFORMATION; + sfinfo.disposition_info.in.delete_on_close = 1; + sfinfo.generic.in.file.handle = io.out.file.handle; + status = smb2_setinfo_file(tree, &sfinfo); + CHECK_STATUS(status, NT_STATUS_OK); + + /* close directory */ + status = smb2_util_close(tree, io.out.file.handle); + CHECK_STATUS(status, NT_STATUS_OK); + return true; +} + + /* * Extreme testing of Delete On Close and permissions */ @@ -529,6 +595,7 @@ struct torture_suite *torture_smb2_doc_init(TALLOC_CTX *ctx) torture_suite_add_1smb2_test(suite, "CREATE Existing", test_doc_create_exist); torture_suite_add_1smb2_test(suite, "CREATE_IF", test_doc_create_if); torture_suite_add_1smb2_test(suite, "CREATE_IF Existing", test_doc_create_if_exist); + torture_suite_add_1smb2_test(suite, "FIND and set DOC", test_doc_find_and_set_doc); suite->description = talloc_strdup(suite, "SMB2-Delete-on-Close-Perms tests"); -- 2.7.4