The Samba-Bugzilla – Attachment 17626 Details for Bug 15221: Core dump in 4.17.2 non_widelink_open (assert failed: slash == NULL)
Patch: 15221.txt (text/plain), 1.87 KB, created by Volker Lendecke on 2022-11-04 13:06:44 UTC
>From 5695af65160b285548c50e71b67c9dccf193dc9f Mon Sep 17 00:00:00 2001 >From: Volker Lendecke <vl@samba.org> >Date: Fri, 4 Nov 2022 13:53:21 +0100 >Subject: [PATCH] smbd: Fix Bug 15221 > >In 4.17 process_symlink_open() will replace smb_fname_rel->base_name with the >link target relative to the share root. So if the link target ends up in a >subdirectory of a share, we put a target including a slash into the memcache. > >Later access will trust the stat cache, passing the target directly to >openat_pathref_fsp() which will panic if it gets a real dirfsp and a relname >with a slash. > >Name mangling is not required: Accessing a symlink pointing at a subdirectory >at least 2 levels deep in the share with a wrong upper/lower case combination >reproduces it. > >This patch is really a workaround. The "real" fix would be to backport the >patches removing process_symlink_open() from master, but this is a bigger >change. > >Bug: https://bugzilla.samba.org/show_bug.cgi?id=15221 >Signed-off-by: Volker Lendecke <vl@samba.org> >--- > source3/smbd/filename.c | 16 ++++++++++------ > 1 file changed, 10 insertions(+), 6 deletions(-) > >diff --git a/source3/smbd/filename.c b/source3/smbd/filename.c >index e7873eb124f..2e03c6a5ab7 100644 >--- a/source3/smbd/filename.c >+++ b/source3/smbd/filename.c >@@ -943,12 +943,16 @@ lookup: > } > > if (NT_STATUS_IS_OK(status) && (cache_key.data != NULL)) { >- DATA_BLOB value = { >- .data = (uint8_t *)smb_fname_rel->base_name, >- .length = strlen(smb_fname_rel->base_name) + 1, >- }; >- >- memcache_add(NULL, GETREALFILENAME_CACHE, cache_key, value); >+ const char *slash = strchr_m(smb_fname_rel->base_name, '/'); >+ >+ if (slash == NULL) { >+ DATA_BLOB value = { >+ .data = (uint8_t *)smb_fname_rel->base_name, >+ .length = strlen(smb_fname_rel->base_name) + 1, >+ }; >+ memcache_add( >+ NULL, GETREALFILENAME_CACHE, cache_key, value); >+ } > } > > TALLOC_FREE(cache_key.data); >-- >2.30.2 >
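Review bot: The new `if (slash == NULL)` guard around `memcache_add()` in the `lookup:` hunk of source3/smbd/filename.c carries no comment explaining why a `base_name` containing '/' must not be cached, so the reasoning exists only in the commit message. A short comment at that check, noting that process_symlink_open() can replace `smb_fname_rel->base_name` with a share-relative link target and that openat_pathref_fsp() panics when given a real dirfsp and a relname with a slash, would keep a later cleanup from dropping the test. The guard also covers only the insert side: the commit message says later access trusts the stat cache, so it is worth considering a matching check where the GETREALFILENAME_CACHE value is consumed, so that the assert cannot be reached from cache contents even if another writer is added. As a style point, `slash` is used only for the NULL comparison and could be folded into the condition.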
Flags: slow: review+