The Samba-Bugzilla – Attachment 16674 Details for
Bug 14752
smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
Patch for v4-14-test
tmp414.diff.txt (text/plain), 2.87 KB, created by
Stefan Metzmacher
on 2021-07-08 09:09:41 UTC
(
hide
)
Description:
Patch for v4-14-test
Filename:
MIME Type:
Creator:
Stefan Metzmacher
Created:
2021-07-08 09:09:41 UTC
Size:
2.87 KB
patch
obsolete
>From 0de2cbb4b4c85bba67abbe83c6b5a99b5a3ec90e Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Mon, 5 Jul 2021 17:17:30 +0200 >Subject: [PATCH] smbXsrv_{open,session,tcon}: protect > smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records > >I saw systems with locking.tdb records being part of: > ctdb catdb smbXsrv_tcon_global.tdb > >It's yet unknown how that happened, but we should not panic in srvsvc_* >calls because the info0 pointer was NULL. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14752 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Volker Lendecke <vl@samba.org> > >Autobuild-User(master): Stefan Metzmacher <metze@samba.org> >Autobuild-Date(master): Tue Jul 6 11:08:43 UTC 2021 on sn-devel-184 > >(cherry picked from commit 00bab5b3c821f272153a25ded9743460887a7907) >--- > source3/smbd/smbXsrv_open.c | 9 +++++++++ > source3/smbd/smbXsrv_session.c | 7 +++++++ > source3/smbd/smbXsrv_tcon.c | 7 +++++++ > 3 files changed, 23 insertions(+) > >diff --git a/source3/smbd/smbXsrv_open.c b/source3/smbd/smbXsrv_open.c >index 5180315449da..871820ac8764 100644 >--- a/source3/smbd/smbXsrv_open.c >+++ b/source3/smbd/smbXsrv_open.c >@@ -1468,6 +1468,15 @@ static NTSTATUS smbXsrv_open_global_parse_record(TALLOC_CTX *mem_ctx, > goto done; > } > >+ if (global_blob.info.info0 == NULL) { >+ status = NT_STATUS_INTERNAL_DB_CORRUPTION; >+ DEBUG(1,("Invalid record in smbXsrv_tcon_global.tdb:" >+ "key '%s' info0 NULL pointer - %s\n", >+ hex_encode_talloc(frame, key.dptr, key.dsize), >+ nt_errstr(status))); >+ goto done; >+ } >+ > *global = talloc_move(mem_ctx, &global_blob.info.info0); > status = NT_STATUS_OK; > done: >diff --git a/source3/smbd/smbXsrv_session.c b/source3/smbd/smbXsrv_session.c >index 05cf4a095eee..066e0ee9e22c 100644 >--- a/source3/smbd/smbXsrv_session.c >+++ b/source3/smbd/smbXsrv_session.c >@@ -2235,6 +2235,13 @@ static int smbXsrv_session_global_traverse_fn(struct db_record *rec, void *data) > goto done; > } > >+ if (global_blob.info.info0 == NULL) { >+ DEBUG(1,("Invalid record in smbXsrv_tcon_global.tdb:" >+ "key '%s' info0 NULL pointer\n", >+ hex_encode_talloc(frame, key.dptr, key.dsize))); >+ goto done; >+ } >+ > global_blob.info.info0->db_rec = rec; > ret = state->fn(global_blob.info.info0, state->private_data); > done: >diff --git a/source3/smbd/smbXsrv_tcon.c b/source3/smbd/smbXsrv_tcon.c >index d6c2bca0abca..8a0c427597cc 100644 >--- a/source3/smbd/smbXsrv_tcon.c >+++ b/source3/smbd/smbXsrv_tcon.c >@@ -1208,6 +1208,13 @@ static int smbXsrv_tcon_global_traverse_fn(struct db_record *rec, void *data) > goto done; > } > >+ if (global_blob.info.info0 == NULL) { >+ DEBUG(1,("Invalid record in smbXsrv_tcon_global.tdb:" >+ "key '%s' info0 NULL pointer\n", >+ hex_encode_talloc(frame, key.dptr, key.dsize))); >+ goto done; >+ } >+ > global_blob.info.info0->db_rec = rec; > ret = state->fn(global_blob.info.info0, state->private_data); > done: >-- >2.25.1 >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Flags:
vl
:
review+
Actions:
View
Attachments on
bug 14752
: 16674 |
16675