From b751c35833800fe287cfc7d033d95c8525405cb2 Mon Sep 17 00:00:00 2001 
From: Jones Syue
Date: Wed, 2 Aug 2023 09:48:40 +0800
Subject: [PATCH] vfs_aio_pthread: fix segfault if samba-tool ntacl get

If configured as AD DC and aio_pthread appended into 'vfs objects'[1],
running these commands would get a segfault:
1. sudo samba-tool ntacl get .
2. sudo net vfs getntacl sysvol .

gdb said it goes through aio_pthread_openat_fn() @ vfs_aio_pthread.c[2],
and the fsp->conn->sconn->client is null (0x0).

'sconn->client' memory is allocated when a new connection is accepted:
smbd_accept_connection > smbd_process > smbXsrv_client_create

While running local commands, it looks like it would not go through
smbXsrv_client_create, so 'client' is null and a segfault might happen.
We should not dereference 'client->server_multi_channel_enabled' if
'client' is null.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15441

[1] smb.conf example, samba-4.18.5, ubuntu 22.04.2
[global]
	dns forwarder = 127.0.0.53
	netbios name = U22-JONES-88X1
	realm = U22-JONES-88X1.X88X1.JONES
	server role = active directory domain controller
	workgroup = X88X1
	idmap_ldb:use rfc2307 = yes
	vfs objects = dfs_samba4 acl_xattr aio_pthread

[sysvol]
	path = /var/lib/samba/sysvol
	read only = No

[netlogon]
	path = /var/lib/samba/sysvol/u22-jones-88x1.x88x1.jones/scripts
	read only = No

[2] gdb
(gdb) run /usr/local/samba/bin/samba-tool ntacl get .
Starting program: /usr/local/Python3/bin/python3 /usr/local/samba/bin/samba-tool ntacl get .
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00007fffd0eb809e in aio_pthread_openat_fn (handle=0x8d5cc0, dirfsp=0x8c3070, smb_fname=0x18ab4f0, fsp=0x1af3550, flags=196608, mode=0) at ../../source3/modules/vfs_aio_pthread.c:467
warning: Source file is more recent than executable.
467 if (fsp->conn->sconn->client->server_multi_channel_enabled) { (gdb) bt at ../../source3/modules/vfs_aio_pthread.c:467 at ../../source3/smbd/pysmbd.c:320 ---Type to continue, or q to quit--- (gdb) f at ../../source3/modules/vfs_aio_pthread.c:467 467 if (fsp->conn->sconn->client->server_multi_channel_enabled) { (gdb) p fsp->conn->sconn->client $1 = (struct smbXsrv_client *) 0x0 (gdb) Signed-off-by: Jones Syue Reviewed-by: Ralph Boehme Reviewed-by: Stefan Metzmacher (backported from commit 8f4c1c67b4f118a9a47b09ac7908cd3d969b19c2) [jonessyue@qnap.com: 4.18/4.17 does not have 3694f2ce sconn->pool checks] --- source3/modules/vfs_aio_pthread.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/source3/modules/vfs_aio_pthread.c b/source3/modules/vfs_aio_pthread.c index 5d051b4..3b5d64c 100644 --- a/source3/modules/vfs_aio_pthread.c +++ b/source3/modules/vfs_aio_pthread.c @@ -468,7 +468,8 @@ static int aio_pthread_openat_fn(vfs_handle_struct *handle, return -1; } - if (fsp->conn->sconn->client->server_multi_channel_enabled) { + if (fsp->conn->sconn->client != NULL && + fsp->conn->sconn->client->server_multi_channel_enabled) { /* * This module is not compatible with multi channel yet. */ -- 2.1.4
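Review bot: the added guard only checks fsp->conn->sconn->client for NULL; fsp->conn and fsp->conn->sconn are still dereferenced unconditionally in the same condition. The backport note says 4.17/4.18 lack the sconn->pool checks from 3694f2ce, so if sconn can also be absent in this local (samba-tool / net vfs) code path, please extend the guard to sconn as well, or state in the commit message why sconn is guaranteed non-NULL here. A one-line comment above the condition explaining that a NULL client means a local non-SMB caller, for which the multi-channel incompatibility check does not apply, would also make the intent of skipping the check clear to the next reader.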