From c167be702b4ac593f048e6ddb87011486734c9c9 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Tue, 17 Jul 2018 15:56:05 +0200
Subject: [PATCH 1/2] s4: torture: run test_durable_v2_open_reopen2_lease() in
 a subdirectory

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13535

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 725319743f1f2de934cbde477ca84430f5b2b4b4)
---
 selftest/knownfail.d/samba3.smb2.durable-v2-open |  1 +
 source4/torture/smb2/durable_v2_open.c           | 11 +++++++++--
 2 files changed, 10 insertions(+), 2 deletions(-)
 create mode 100644 selftest/knownfail.d/samba3.smb2.durable-v2-open

diff --git a/selftest/knownfail.d/samba3.smb2.durable-v2-open b/selftest/knownfail.d/samba3.smb2.durable-v2-open
new file mode 100644
index 00000000000..facf1d0b543
--- /dev/null
+++ b/selftest/knownfail.d/samba3.smb2.durable-v2-open
@@ -0,0 +1 @@
+^samba3.smb2.durable-v2-open.reopen2-lease-v2\(nt4_dc\)$
diff --git a/source4/torture/smb2/durable_v2_open.c b/source4/torture/smb2/durable_v2_open.c
index 3a0e0707d2c..0a928ec8c26 100644
--- a/source4/torture/smb2/durable_v2_open.c
+++ b/source4/torture/smb2/durable_v2_open.c
@@ -1518,9 +1518,15 @@ bool test_durable_v2_open_reopen2_lease_v2(struct torture_context *tctx,
 
 	options = tree->session->transport->options;
 
+	smb2_deltree(tree, __func__);
+	status = torture_smb2_testdir(tree, __func__, &_h);
+	torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+					"torture_smb2_testdir failed\n");
+	smb2_util_close(tree, _h);
+
 	/* Choose a random name in case the state is left a little funky. */
-	snprintf(fname, 256, "durable_v2_open_reopen2_%s.dat",
-		 generate_random_str(tctx, 8));
+	snprintf(fname, 256, "%s\\durable_v2_open_reopen2_%s.dat",
+		 __func__, generate_random_str(tctx, 8));
 
 	smb2_util_unlink(tree, fname);
 
@@ -1726,6 +1732,7 @@ bool test_durable_v2_open_reopen2_lease_v2(struct torture_context *tctx,
 	}
 
 	smb2_util_unlink(tree, fname);
+	smb2_deltree(tree, __func__);
 
 	talloc_free(tree);
 
-- 
2.13.6


From 7b64f2729e6ba16b0a55a4510969ef7c44319883 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Tue, 17 Jul 2018 15:40:04 +0200
Subject: [PATCH 2/2] s3: smbd: fix path check in
 smbd_smb2_create_durable_lease_check()

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13535

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit e60e9368cb3cb512e2506620d814187a692108e0)
---
 selftest/knownfail.d/samba3.smb2.durable-v2-open |  1 -
 source3/smbd/smb2_create.c                       | 16 +++++++++++++++-
 2 files changed, 15 insertions(+), 2 deletions(-)
 delete mode 100644 selftest/knownfail.d/samba3.smb2.durable-v2-open

diff --git a/selftest/knownfail.d/samba3.smb2.durable-v2-open b/selftest/knownfail.d/samba3.smb2.durable-v2-open
deleted file mode 100644
index facf1d0b543..00000000000
--- a/selftest/knownfail.d/samba3.smb2.durable-v2-open
+++ /dev/null
@@ -1 +0,0 @@
-^samba3.smb2.durable-v2-open.reopen2-lease-v2\(nt4_dc\)$
diff --git a/source3/smbd/smb2_create.c b/source3/smbd/smb2_create.c
index 8fbea238698..7f80f6f8138 100644
--- a/source3/smbd/smb2_create.c
+++ b/source3/smbd/smb2_create.c
@@ -381,6 +381,7 @@ static NTSTATUS smbd_smb2_create_durable_lease_check(struct smb_request *smb1req
 	const char *requested_filename, const struct files_struct *fsp,
 	const struct smb2_lease *lease_ptr)
 {
+	char *filename = NULL;
 	struct smb_filename *smb_fname = NULL;
 	uint32_t ucf_flags;
 	NTSTATUS status;
@@ -407,10 +408,23 @@ static NTSTATUS smbd_smb2_create_durable_lease_check(struct smb_request *smb1req
 		return NT_STATUS_OBJECT_NAME_NOT_FOUND;
 	}
 
+	filename = talloc_strdup(talloc_tos(), requested_filename);
+	if (filename == NULL) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	/* This also converts '\' to '/' */
+	status = check_path_syntax(filename);
+	if (!NT_STATUS_IS_OK(status)) {
+		TALLOC_FREE(filename);
+		return status;
+	}
+
 	ucf_flags = filename_create_ucf_flags(smb1req, FILE_OPEN);
 	status = filename_convert(talloc_tos(), fsp->conn,
-				  requested_filename, ucf_flags,
+				  filename, ucf_flags,
 				  NULL, &smb_fname);
+	TALLOC_FREE(filename);
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(10, ("filename_convert returned %s\n",
 			   nt_errstr(status)));
-- 
2.13.6