From 8499ecab7ff52d456ecbe77b49d26eeb14cee626 Mon Sep 17 00:00:00 2001
From: Volker Lendecke
Date: Wed, 20 Sep 2023 10:53:52 -0700
Subject: [PATCH 1/2] tests: Add reproducer for BZ15481
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15481
Signed-off-by: Volker Lendecke
Reviewed-by: Jeremy Allison
(cherry picked from commit 56df75d44795582dcecb8676a0d80d6f4a46c7e9)
---
 python/samba/tests/libsmb-basic.py | 27 +++++++++++++++++++++++++++
 selftest/knownfail.d/bug-15481 | 1 +
 2 files changed, 28 insertions(+)
 create mode 100644 selftest/knownfail.d/bug-15481
diff --git a/python/samba/tests/libsmb-basic.py b/python/samba/tests/libsmb-basic.py
index cbe7cce5bae..163c5b09ea9 100644
--- a/python/samba/tests/libsmb-basic.py
+++ b/python/samba/tests/libsmb-basic.py
@@ -215,6 +215,33 @@ class LibsmbTestCase(samba.tests.libsmb.LibsmbTests):
 c1.unlink("x")
 c1 = None
+ def test_gencache_pollution_bz15481(self):
+ c = libsmb.Conn(self.server_ip, "tmp", self.lp, self.creds)
+ fh = c.create("file",
+ DesiredAccess=security.SEC_STD_DELETE,
+ CreateDisposition=libsmb.FILE_CREATE)
+
+ # prime the gencache File->file
+ fh_upper = c.create("File",
+ DesiredAccess=security.SEC_FILE_READ_ATTRIBUTE,
+ CreateDisposition=libsmb.FILE_OPEN)
+ c.close(fh_upper)
+
+ c.delete_on_close(fh, 1)
+ c.close(fh)
+
+ fh = c.create("File",
+ DesiredAccess=security.SEC_STD_DELETE,
+ CreateDisposition=libsmb.FILE_CREATE)
+
+ directory = c.list("\\", "File")
+
+ c.delete_on_close(fh, 1)
+ c.close(fh)
+
+ # Without the bugfix for 15481 we get 'file' not 'File'
+ self.assertEqual(directory[0]['name'], 'File')
+
 if __name__ == "__main__":
 import unittest
 unittest.main()
diff --git a/selftest/knownfail.d/bug-15481 b/selftest/knownfail.d/bug-15481
new file mode 100644
index 00000000000..e4ca91c8d67
--- /dev/null
+++ b/selftest/knownfail.d/bug-15481
@@ -0,0 +1 @@
+^samba.tests.libsmb-basic.samba.tests.libsmb-basic.LibsmbTestCase.test_gencache_pollution_bz15481
-- 
2.39.3
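Review bot: `directory[0]['name']` is read without first checking that `c.list("\\", "File")` returned an entry, so a regression that makes the listing come back empty would surface as an IndexError instead of a readable assertion failure; `self.assertEqual(len(directory), 1)` ahead of the final assert would pin that. The second `c.delete_on_close(fh, 1)` / `c.close(fh)` pair runs only if `c.list()` returns, so an exception there would presumably leave "File" in the tmp share and make the next run's `FILE_CREATE` of "file" collide for an unrelated reason; a `try`/`finally` around the listing would keep the share clean. A one-line docstring such as `"""A cached File->file mapping must not change the case of a newly created name."""` would also tell a reader what the create/open/delete sequence is for.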
From 31ba45b4f8dcf5d6b1da73782725b8ae9b917387 Mon Sep 17 00:00:00 2001
From: Volker Lendecke
Date: Tue, 19 Sep 2023 17:44:56 -0700
Subject: [PATCH 2/2] smbd: Fix BZ15481
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15481
Signed-off-by: Volker Lendecke
Reviewed-by: Jeremy Allison
Autobuild-User(master): Jeremy Allison
Autobuild-Date(master): Wed Sep 20 22:42:48 UTC 2023 on atb-devel-224
(cherry picked from commit 3481bbfede5127e3664bcf464a0ae3dec9247ab7)
---
 selftest/knownfail.d/bug-15481 | 1 -
 source3/smbd/filename.c | 12 +++++++++++-
 2 files changed, 11 insertions(+), 2 deletions(-)
 delete mode 100644 selftest/knownfail.d/bug-15481
diff --git a/selftest/knownfail.d/bug-15481 b/selftest/knownfail.d/bug-15481
deleted file mode 100644
index e4ca91c8d67..00000000000
--- a/selftest/knownfail.d/bug-15481
+++ /dev/null
@@ -1 +0,0 @@
-^samba.tests.libsmb-basic.samba.tests.libsmb-basic.LibsmbTestCase.test_gencache_pollution_bz15481
diff --git a/source3/smbd/filename.c b/source3/smbd/filename.c
index 9bd3ee77547..b00f85171ca 100644
--- a/source3/smbd/filename.c
+++ b/source3/smbd/filename.c
@@ -784,6 +784,7 @@ static NTSTATUS openat_pathref_fsp_case_insensitive(
 if (lp_stat_cache()) {
 char *base_name = smb_fname_rel->base_name;
+ char *original_relname = NULL;
 DATA_BLOB value = { .data = NULL };
 ok = get_real_filename_cache_key(
@@ -805,7 +806,13 @@ static NTSTATUS openat_pathref_fsp_case_insensitive(
 }
 DO_PROFILE_INC(statcache_hits);
- TALLOC_FREE(smb_fname_rel->base_name);
+ /*
+ * For the "new filename" case we need to preserve the
+ * capitalization the client sent us, see
+ * https://bugzilla.samba.org/show_bug.cgi?id=15481
+ */
+ original_relname = smb_fname_rel->base_name;
+
 smb_fname_rel->base_name = talloc_memdup(
 smb_fname_rel, value.data, value.length);
 if (smb_fname_rel->base_name == NULL) {
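Review bot: In the `@@ -805,7 +806,13 @@` hunk, a failed `talloc_memdup()` leaves `smb_fname_rel->base_name` NULL while `original_relname` still holds the name the client sent, and nothing in the visible lines puts it back. The body of the `if (smb_fname_rel->base_name == NULL)` branch is outside the hunk, but if it only returns an out-of-memory status, adding `smb_fname_rel->base_name = original_relname;` there first would hand the caller back the struct it passed in rather than one with a NULL name. The added comment explains why the name is kept; it would read better if it also said where it is consumed, e.g. `restored below if the cached name cannot be opened`.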
@@ -823,10 +830,13 @@ static NTSTATUS openat_pathref_fsp_case_insensitive(
 status = openat_pathref_fsp(dirfsp, smb_fname_rel);
 if (NT_STATUS_IS_OK(status)) {
 TALLOC_FREE(cache_key.data);
+ TALLOC_FREE(original_relname);
 return NT_STATUS_OK;
 }
 memcache_delete(NULL, GETREALFILENAME_CACHE, cache_key);
+ TALLOC_FREE(smb_fname_rel->base_name);
+ smb_fname_rel->base_name = original_relname;
 }
 lookup:
-- 
2.39.3
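Review bot: The two lines added after `memcache_delete()` carry no comment, so a reader of this block alone cannot tell why `base_name` is freed and reassigned before falling through to `lookup:`. I would put `/* stale cache entry: put back the name the client sent before the real lookup */` above them. It is also worth confirming that no `goto lookup` or early return between the save of `original_relname` and this point skips both `TALLOC_FREE(original_relname)` and the restore, since that would carry the cached capitalization into the lookup path; the lines between the hunks are not visible here. The enclosing function starts and ends outside the hunk.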