Bug 11878 - Large reads beyond EOF can end up using sendfile erroneously
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
Version: unspecified
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
Reported: 2016-04-27 20:19 UTC by Jeremy Allison
Modified: 2016-04-29 09:04 UTC

Attachments
git-am fix for 4.4.next, 4.3.next. (1.43 KB, patch)
2016-04-28 01:45 UTC, Jeremy Allison
vl: review+

Description Jeremy Allison 2016-04-27 20:19:04 UTC
Reported by Volker with a patch.

From a5c7f0997e53ae300511b9aec549f07b34280d3b Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl@samba.org>
Date: Wed, 27 Apr 2016 12:15:37 +0200
Subject: [PATCH] smbd: Avoid large reads beyond EOF

With unix extensions and oplocks=no mount.cifs from jessie reads beyond the
file end forever, and we are happy to return zeros....

Signed-off-by: Volker Lendecke <vl@samba.org>
---
 source3/smbd/reply.c |   10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index cbe15a3..e0e55c6 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -4100,6 +4100,16 @@ normal_read:
                uint8_t headerbuf[smb_size + 2*12 + 1 /* padding byte */];
                ssize_t ret;

+               if (!S_ISREG(fsp->fsp_name->st.st_ex_mode) ||
+                   (startpos > fsp->fsp_name->st.st_ex_size) ||
+                   (smb_maxcnt > (fsp->fsp_name->st.st_ex_size - startpos))) {
+                       /*
+                        * We already know that we would do a short
+                        * read, so don't try the sendfile() path.
+                        */
+                       goto nosendfile_read;
+               }
+
                construct_reply_common_req(req, (char *)headerbuf);
                setup_readX_header(req, (char *)headerbuf, smb_maxcnt);
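
Review bot: the new check at the top of the sendfile block trusts the cached fsp->fsp_name->st.st_ex_size, and nothing in this hunk shows that stat being refreshed before the comparison, so if the file has been extended or truncated since the last stat the branch can go the wrong way. For a file that has grown, the only cost is an unnecessary jump to nosendfile_read, but for one that has shrunk the request still reaches the sendfile path this check is meant to keep it out of. Please either state in the comment where the size is guaranteed to be current or note that the check is best-effort. Separately, the subtraction in the third clause is only safe because the (startpos > fsp->fsp_name->st.st_ex_size) test short-circuits before it; a short remark in the comment would stop a later edit from reordering or splitting the clauses. The comment could also say why a short read matters here, namely that setup_readX_header() just below is called with the full smb_maxcnt.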

Cherry-picked patch to follow once pushed to master.
Comment 1 Jeremy Allison 2016-04-28 01:45:58 UTC
Created attachment 12033
git-am fix for 4.4.next, 4.3.next.

Cherry-pick from fix that went into master.
Comment 2 Karolin Seeger 2016-04-28 10:59:45 UTC
(In reply to Jeremy Allison from comment #1)
Pushed to autobuild-v4-[4|3]-test
Comment 3 Karolin Seeger 2016-04-29 09:04:28 UTC
(In reply to Karolin Seeger from comment #2)
Pushed to both branches.
Closing out bug report.

Thanks!