From 777930ee6d2edbcae85998c1d36102a48ce34ba4 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Thu, 10 Nov 2011 10:39:34 +0100
Subject: [PATCH 1/3] s3:smbd: avoid string_set() in dir.c
And do some more error checks.
metze
---
 source3/smbd/dir.c | 11 +++++++++--
 1 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c
index 9969693..e6f431e 100644
--- a/source3/smbd/dir.c
+++ b/source3/smbd/dir.c
@@ -279,7 +279,7 @@ done:
 /* Lanman 2 specific code */
 SAFE_FREE(dptr->wcard);
- string_set(&dptr->path,"");
+ SAFE_FREE(dptr->path);
 SAFE_FREE(dptr);
 }
@@ -534,7 +534,13 @@ NTSTATUS dptr_create(connection_struct *conn, files_struct *fsp,
 dptr->dnum += 1; /* Always bias the dnum by one - no zero dnums allowed. */
- string_set(&dptr->path,path);
+ dptr->path = SMB_STRDUP(path);
+ if (!dptr->path) {
+ bitmap_clear(sconn->searches.dptr_bmap, dptr->dnum - 1);
+ SAFE_FREE(dptr);
+ TALLOC_FREE(dir_hnd);
+ return NT_STATUS_NO_MEMORY;
+ }
 dptr->conn = conn;
 dptr->dir_hnd = dir_hnd;
 dptr->spid = spid;
@@ -542,6 +548,7 @@ NTSTATUS dptr_create(connection_struct *conn, files_struct *fsp,
 dptr->wcard = SMB_STRDUP(wcard);
 if (!dptr->wcard) {
 bitmap_clear(sconn->searches.dptr_bmap, dptr->dnum - 1);
+ SAFE_FREE(dptr->path);
 SAFE_FREE(dptr);
 TALLOC_FREE(dir_hnd);
 return NT_STATUS_NO_MEMORY;
--
1.7.1
From 45ae54a6cd664e34a4dadee1edf42493f71427f3 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Wed, 9 Nov 2011 15:59:22 +0100
Subject: [PATCH 2/3] s3:smbd: fully construct the dptr before allocating a dnum in the bitmap
metze
---
 source3/smbd/dir.c | 56 ++++++++++++++++++++++++++------------------------
 1 files changed, 29 insertions(+), 27 deletions(-)
diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c
index e6f431e..3430aab 100644
--- a/source3/smbd/dir.c
+++ b/source3/smbd/dir.c
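Review bot: In the @@ -534 hunk the SMB_STRDUP(path) failure path repeats by hand the same unwind (bitmap_clear, SAFE_FREE(dptr), TALLOC_FREE(dir_hnd), return NT_STATUS_NO_MEMORY) that the @@ -542 hunk performs for wcard, and that second hunk had to gain a `SAFE_FREE(dptr->path);` precisely because each exit frees what it remembers rather than what the struct owns. A single `fail:` label that releases `dptr->wcard`, `dptr->path`, `dptr` and `dir_hnd` (SAFE_FREE/TALLOC_FREE are presumably NULL-safe, and the struct is ZERO_STRUCTP'd first) with every early exit jumping to it would keep the error paths in step; the same duplication recurs in patch 2's @@ -470, @@ -493 and @@ -523 hunks. The bitmap_clear has to stay conditional on a dnum actually having been reserved. dptr_create begins and ends outside these hunks.
```c
	/* … unchanged: dptr construction, dnum reservation, DLIST_ADD, DEBUG … */

fail:
	/* every early exit above sets `status` and jumps here; `dnum_reserved`
	 * is a constructed local, true once bitmap_find() handed out a slot */
	if (dnum_reserved) {
		bitmap_clear(sconn->searches.dptr_bmap, dptr->dnum - 1);
	}
	SAFE_FREE(dptr->wcard);
	SAFE_FREE(dptr->path);
	SAFE_FREE(dptr);
	TALLOC_FREE(dir_hnd);
	return status;
```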
@@ -470,6 +470,31 @@ NTSTATUS dptr_create(connection_struct *conn, files_struct *fsp,
 ZERO_STRUCTP(dptr);
+ dptr->path = SMB_STRDUP(path);
+ if (!dptr->path) {
+ SAFE_FREE(dptr);
+ TALLOC_FREE(dir_hnd);
+ return NT_STATUS_NO_MEMORY;
+ }
+ dptr->conn = conn;
+ dptr->dir_hnd = dir_hnd;
+ dptr->spid = spid;
+ dptr->expect_close = expect_close;
+ dptr->wcard = SMB_STRDUP(wcard);
+ if (!dptr->wcard) {
+ SAFE_FREE(dptr->path);
+ SAFE_FREE(dptr);
+ TALLOC_FREE(dir_hnd);
+ return NT_STATUS_NO_MEMORY;
+ }
+ if (lp_posix_pathnames() || (wcard[0] == '.' && wcard[1] == 0)) {
+ dptr->has_wild = True;
+ } else {
+ dptr->has_wild = wcard_has_wild;
+ }
+
+ dptr->attr = attr;
+
 if(old_handle) {
 /*
@@ -493,6 +518,8 @@ NTSTATUS dptr_create(connection_struct *conn, files_struct *fsp,
 dptr->dnum = bitmap_find(sconn->searches.dptr_bmap, 0);
 if(dptr->dnum == -1 || dptr->dnum > 254) {
 DEBUG(0,("dptr_create: returned %d: Error - all old dirptrs in use ?\n", dptr->dnum));
+ SAFE_FREE(dptr->path);
+ SAFE_FREE(dptr->wcard);
 SAFE_FREE(dptr);
 TALLOC_FREE(dir_hnd);
 return NT_STATUS_TOO_MANY_OPENED_FILES;
@@ -523,6 +550,8 @@ NTSTATUS dptr_create(connection_struct *conn, files_struct *fsp,
 if(dptr->dnum == -1 || dptr->dnum < 255) {
 DEBUG(0,("dptr_create: returned %d: Error - all new dirptrs in use ?\n", dptr->dnum));
+ SAFE_FREE(dptr->path);
+ SAFE_FREE(dptr->wcard);
 SAFE_FREE(dptr);
 TALLOC_FREE(dir_hnd);
 return NT_STATUS_TOO_MANY_OPENED_FILES;
@@ -534,33 +563,6 @@ NTSTATUS dptr_create(connection_struct *conn, files_struct *fsp,
 dptr->dnum += 1; /* Always bias the dnum by one - no zero dnums allowed. */
- dptr->path = SMB_STRDUP(path);
- if (!dptr->path) {
- bitmap_clear(sconn->searches.dptr_bmap, dptr->dnum - 1);
- SAFE_FREE(dptr);
- TALLOC_FREE(dir_hnd);
- return NT_STATUS_NO_MEMORY;
- }
- dptr->conn = conn;
- dptr->dir_hnd = dir_hnd;
- dptr->spid = spid;
- dptr->expect_close = expect_close;
- dptr->wcard = SMB_STRDUP(wcard);
- if (!dptr->wcard) {
- bitmap_clear(sconn->searches.dptr_bmap, dptr->dnum - 1);
- SAFE_FREE(dptr->path);
- SAFE_FREE(dptr);
- TALLOC_FREE(dir_hnd);
- return NT_STATUS_NO_MEMORY;
- }
- if (lp_posix_pathnames() || (wcard[0] == '.' && wcard[1] == 0)) {
- dptr->has_wild = True;
- } else {
- dptr->has_wild = wcard_has_wild;
- }
-
- dptr->attr = attr;
-
 DLIST_ADD(sconn->searches.dirptrs, dptr);
 DEBUG(3,("creating new dirptr %d for path %s, expect_close = %d\n",
--
1.7.1
From da29de6b540ba8bf416a7beb7372f84a39878ef9 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Wed, 9 Nov 2011 16:04:09 +0100
Subject: [PATCH 3/3] s3:smbd: don't limit the number of open dptrs for smb2 (bug #8592)
This fixes a crash bug that is triggered, when a client has more than 256 directory handles with searches.
metze
Autobuild-User: Stefan Metzmacher
Autobuild-Date: Thu Nov 10 14:08:14 CET 2011 on sn-devel-104
---
 source3/smbd/dir.c | 15 ++++++++++++---
 1 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c
index 3430aab..9108a80 100644
--- a/source3/smbd/dir.c
+++ b/source3/smbd/dir.c
@@ -260,6 +260,10 @@ static void dptr_close_internal(struct dptr_struct *dptr)
 goto done;
 }
+ if (sconn->using_smb2) {
+ goto done;
+ }
+
 DLIST_REMOVE(sconn->searches.dirptrs, dptr);
 /*
@@ -495,6 +499,10 @@ NTSTATUS dptr_create(connection_struct *conn, files_struct *fsp,
 dptr->attr = attr;
+ if (sconn->using_smb2) {
+ goto done;
+ }
+
 if(old_handle) {
 /*
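Review bot: The new `if (sconn->using_smb2) { goto done; }` in dptr_close_internal jumps over everything between it and `done:`, of which only the DLIST_REMOVE is visible in the hunk; if that skipped stretch also releases `dptr->dir_hnd` or adjusts a counter, SMB2 searches would now leak it, so confirm that the code at `done:` (per patch 1 it frees only wcard, path and the struct itself) covers the whole SMB2 case. The asymmetry also deserves a comment where the early-out is made, e.g. `/* SMB2 dptrs are never linked into sconn->searches.dirptrs nor given a dnum from dptr_bmap (see dptr_create), so there is nothing to unlink here. */`, and the matching early-out in the @@ -495 hunk of dptr_create should carry the same explanation. dptr_close_internal starts before this hunk and continues past it.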
@@ -565,6 +573,7 @@ NTSTATUS dptr_create(connection_struct *conn, files_struct *fsp,
 DLIST_ADD(sconn->searches.dirptrs, dptr);
+done:
 DEBUG(3,("creating new dirptr %d for path %s, expect_close = %d\n",
 dptr->dnum,path,expect_close));
@@ -1336,7 +1345,7 @@ static int smb_Dir_destructor(struct smb_Dir *dirp)
 #endif
 SMB_VFS_CLOSEDIR(dirp->conn,dirp->dir);
 }
- if (dirp->conn->sconn) {
+ if (dirp->conn->sconn && !dirp->conn->sconn->using_smb2) {
 dirp->conn->sconn->searches.dirhandles_open--;
 }
 return 0;
@@ -1367,7 +1376,7 @@ struct smb_Dir *OpenDir(TALLOC_CTX *mem_ctx, connection_struct *conn,
 goto fail;
 }
- if (sconn) {
+ if (sconn && !sconn->using_smb2) {
 sconn->searches.dirhandles_open++;
 }
 talloc_set_destructor(dirp, smb_Dir_destructor);
@@ -1411,7 +1420,7 @@ static struct smb_Dir *OpenDir_fsp(TALLOC_CTX *mem_ctx, connection_struct *conn,
 goto fail;
 }
- if (sconn) {
+ if (sconn && !sconn->using_smb2) {
 sconn->searches.dirhandles_open++;
 }
 talloc_set_destructor(dirp, smb_Dir_destructor);
--
1.7.1
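Review bot: With `done:` placed after the DLIST_ADD, an SMB2 dptr reaches the DEBUG with `dptr->dnum` still 0 from ZERO_STRUCTP, because the @@ -495 early-out skips both bitmap_find and the `dptr->dnum += 1` bias, which contradicts the neighbouring "no zero dnums allowed" comment and makes every SMB2 search log as dirptr 0. Any remaining code that looks a dptr up by dnum or treats 0 as "no handle" is presumably SMB1-only, but that is not visible here and is worth checking before merging. A one-line comment at the label would pin the invariant down: `/* done: SMB2 dptrs get no dnum (it stays 0) and are tracked in neither dptr_bmap nor sconn->searches.dirptrs */`. dptr_create continues outside this hunk.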
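Review bot: The `!sconn->using_smb2` guard on `dirhandles_open` is now spelled out three times, here in smb_Dir_destructor and again in the @@ -1367 and @@ -1411 hunks of OpenDir and OpenDir_fsp, and the counter stays balanced only if the increment at open time and the decrement at destructor time evaluate the same predicate. A small static helper taking the sconn pointer and returning `sconn != NULL && !sconn->using_smb2`, called at all three sites, would keep them from drifting apart, and a comment on the counter's declaration noting that SMB2 directory handles are deliberately not counted would explain the asymmetry to the next reader. Both OpenDir functions and the destructor extend outside their hunks.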