The Samba-Bugzilla – Attachment 13755 Details for
Bug 13118
Setting delete on close on a directory handle in the middle of an SMB2 find crashes smbd.
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
git-am fix for master.
master-13118.patch (text/plain), 4.89 KB, created by
Jeremy Allison
on 2017-11-03 22:41:19 UTC
(
hide
)
Description:
git-am fix for master.
Filename:
MIME Type:
Creator:
Jeremy Allison
Created:
2017-11-03 22:41:19 UTC
Size:
4.89 KB
patch
obsolete
>From 86f31ccb577a5a9215eaf638bf4b0d027cb91bed Mon Sep 17 00:00:00 2001 >From: Ralph Wuerthner <ralph.wuerthner@de.ibm.com> >Date: Fri, 3 Nov 2017 22:33:28 +0000 >Subject: [PATCH 1/2] s3: smbd: Fix delete-on-close after smb2_find > >Both dptr_create() and can_delete_directory_fsp() are calling OpenDir_fsp() >to get a directory handle. This causes an issue when delete-on-close is >set after smb2_find because both directory handle instances share the same >underlying file descriptor. In addition the SMB_ASSERT() in destructor >smb_Dir_destructor() gets triggered. > >To avoid this use OpenDir() instead of OpenDir_fsp(). > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13118 > >Signed-off-by: Ralph Wuerthner <ralph.wuerthner@de.ibm.com> >Reviewed-by: Jeremy Allison <jra@samba.org> >--- > source3/smbd/dir.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > >diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c >index cb54be4de76..19e29640118 100644 >--- a/source3/smbd/dir.c >+++ b/source3/smbd/dir.c >@@ -2128,9 +2128,9 @@ NTSTATUS can_delete_directory_fsp(files_struct *fsp) > char *talloced = NULL; > SMB_STRUCT_STAT st; > struct connection_struct *conn = fsp->conn; >- struct smb_Dir *dir_hnd = OpenDir_fsp(talloc_tos(), >+ struct smb_Dir *dir_hnd = OpenDir(talloc_tos(), > conn, >- fsp, >+ fsp->fsp_name, > NULL, > 0); > >-- >2.15.0.403.gc27cc4dac6-goog > > >From f541e6870924c5cb0d160c726d4cb66cd75689ad Mon Sep 17 00:00:00 2001 >From: Ralph Wuerthner <ralph.wuerthner@de.ibm.com> >Date: Fri, 27 Oct 2017 14:59:32 +0200 >Subject: [PATCH 2/2] s4: torture: Add smb2 FIND_and_set_DOC test case. > >Regression tests doing an SMB2_find followed by >a set delete on close and then close on a directory. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13118 > >Signed-off-by: Ralph Wuerthner <ralph.wuerthner@de.ibm.com> >Reviewed-by: Jeremy Allison <jra@samba.org> >--- > source4/torture/smb2/delete-on-close.c | 66 ++++++++++++++++++++++++++++++++++ > 1 file changed, 66 insertions(+) > >diff --git a/source4/torture/smb2/delete-on-close.c b/source4/torture/smb2/delete-on-close.c >index 44ef33ec6f8..2312df285a3 100644 >--- a/source4/torture/smb2/delete-on-close.c >+++ b/source4/torture/smb2/delete-on-close.c >@@ -516,6 +516,71 @@ static bool test_doc_create_if_exist(struct torture_context *tctx, struct smb2_t > return true; > } > >+static bool test_doc_find_and_set_doc(struct torture_context *tctx, struct smb2_tree *tree) >+{ >+ struct smb2_create io; >+ struct smb2_find find; >+ NTSTATUS status; >+ union smb_search_data *d; >+ union smb_setfileinfo sfinfo; >+ unsigned int count; >+ uint32_t perms = 0; >+ >+ perms = SEC_STD_SYNCHRONIZE | SEC_STD_READ_CONTROL | SEC_STD_DELETE | >+ SEC_DIR_WRITE_ATTRIBUTE | SEC_DIR_READ_ATTRIBUTE | >+ SEC_DIR_WRITE_EA | SEC_FILE_APPEND_DATA | >+ SEC_FILE_WRITE_DATA | SEC_DIR_LIST; >+ >+ /* File should not exist for this first test, so make sure */ >+ set_dir_delete_perms(tctx, tree); >+ >+ smb2_deltree(tree, DNAME); >+ >+ create_dir(tctx, tree); >+ >+ torture_comment(tctx, "FIND and delete directory\n"); >+ torture_comment(tctx, "We expect NT_STATUS_OK\n"); >+ >+ /* open the directory first */ >+ ZERO_STRUCT(io); >+ io.in.desired_access = perms; >+ io.in.file_attributes = FILE_ATTRIBUTE_DIRECTORY; >+ io.in.create_disposition = NTCREATEX_DISP_OPEN_IF; >+ io.in.share_access = NTCREATEX_SHARE_ACCESS_READ | >+ NTCREATEX_SHARE_ACCESS_DELETE; >+ io.in.create_options = NTCREATEX_OPTIONS_DIRECTORY; >+ io.in.fname = DNAME; >+ >+ status = smb2_create(tree, tctx, &io); >+ CHECK_STATUS(status, NT_STATUS_OK); >+ >+ /* list directory */ >+ ZERO_STRUCT(find); >+ find.in.file.handle = io.out.file.handle; >+ find.in.pattern = "*"; >+ find.in.continue_flags = SMB2_CONTINUE_FLAG_SINGLE; >+ find.in.max_response_size = 0x100; >+ find.in.level = SMB2_FIND_BOTH_DIRECTORY_INFO; >+ >+ /* start enumeration on directory */ >+ status = smb2_find_level(tree, tree, &find, &count, &d); >+ CHECK_STATUS(status, NT_STATUS_OK); >+ >+ /* set delete-on-close */ >+ ZERO_STRUCT(sfinfo); >+ sfinfo.generic.level = RAW_SFILEINFO_DISPOSITION_INFORMATION; >+ sfinfo.disposition_info.in.delete_on_close = 1; >+ sfinfo.generic.in.file.handle = io.out.file.handle; >+ status = smb2_setinfo_file(tree, &sfinfo); >+ CHECK_STATUS(status, NT_STATUS_OK); >+ >+ /* close directory */ >+ status = smb2_util_close(tree, io.out.file.handle); >+ CHECK_STATUS(status, NT_STATUS_OK); >+ return true; >+} >+ >+ > /* > * Extreme testing of Delete On Close and permissions > */ >@@ -529,6 +594,7 @@ struct torture_suite *torture_smb2_doc_init(TALLOC_CTX *ctx) > torture_suite_add_1smb2_test(suite, "CREATE Existing", test_doc_create_exist); > torture_suite_add_1smb2_test(suite, "CREATE_IF", test_doc_create_if); > torture_suite_add_1smb2_test(suite, "CREATE_IF Existing", test_doc_create_if_exist); >+ torture_suite_add_1smb2_test(suite, "FIND_and_set_DOC", test_doc_find_and_set_doc); > > suite->description = talloc_strdup(suite, "SMB2-Delete-on-Close-Perms tests"); > >-- >2.15.0.403.gc27cc4dac6-goog >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Flags:
slow
:
review+
Actions:
View
Attachments on
bug 13118
:
13754
| 13755 |
13761