From: Youzhong Yang
Sent: Thursday, February 09, 2017 9:55 AM
To: samba-technical@lists.samba.org
Subject: smbd enters infinite loop when trying to open an invalid symlink with O_CREAT

Reproduction is simple:
- On the server, create a symbolic link pointing to a nonexistent file
- Use the following program on Windows to open the symlink:

    #include <stdio.h>
    #include <tchar.h>
    #include <windows.h>

    int _tmain(int argc, _TCHAR* argv[])
    {
        HANDLE h;

        if (argc < 2) {
            printf("usage: %s <path-to-symlink-on-share>\n", argv[0]);
            return 1;
        }
        /* CREATE_ALWAYS (FILE_OVERWRITE_IF on the wire) makes the server
           open the path with O_CREAT, which is what triggers the loop. */
        h = CreateFile(argv[1], GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                       CREATE_ALWAYS, 0, NULL);
        if (h == INVALID_HANDLE_VALUE) {
            printf("CreateFile failed: %lu\n", GetLastError());
            return 1;
        }
        /* Keep the handle open until Enter is pressed. */
        printf("hit <cr>\n");
        getchar();
        CloseHandle(h);
        return 0;
    }

I believe fd_open_atomic() needs to handle the symlink case specifically. Please advise.

Thanks,
--Youzhong
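An added illustration of the failure the report describes and one way to bound it; this is written for this thread, not taken from Samba's fd_open_atomic() or the patches attached below. The helper and demo names, the retry bound, and the choice of ELOOP as the error are my assumptions.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* EEXIST then ENOENT can be a real race (file unlinked between the two opens)
 * that clears in a round or two; a dangling symlink repeats it forever. */
#define MAX_ROUNDS 4

/* Create-or-open that refuses a dangling symlink instead of spinning.
 * POSIX: open(O_CREAT|O_EXCL) on any symlink fails with EEXIST, and the
 * retry without O_CREAT follows the link and fails with ENOENT.
 * Returns an fd, or -1 with errno set (ELOOP for a dangling symlink). */
int create_or_open_safe(const char *path, int flags, mode_t mode)
{
    struct stat st;
    for (int round = 0; round < MAX_ROUNDS; round++) {
        int fd = open(path, flags | O_CREAT | O_EXCL, mode);
        if (fd >= 0 || errno != EEXIST)
            return fd;                  /* created it, or a hard error */
        fd = open(path, flags & ~(O_CREAT | O_EXCL));
        if (fd >= 0 || errno != ENOENT)
            return fd;                  /* opened existing, or a hard error */
        if (lstat(path, &st) == 0 && S_ISLNK(st.st_mode)) {
            errno = ELOOP;              /* dangling symlink: give up */
            return -1;
        }
        /* genuine race: the file vanished between the opens, try again */
    }
    errno = EAGAIN;                     /* assumed: bound exhausted */
    return -1;
}

/* Constructed scenario: a symlink to a missing target in a temp dir, the
 * server-side setup from the report. Returns 1 when the helper refuses it
 * with ELOOP, 0 otherwise (an unbounded loop would never return at all). */
int demo_dangling_symlink(void)
{
    char dir[] = "/tmp/symlinkdemoXXXXXX", link[64];
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(link, sizeof link, "%s/link", dir);
    if (symlink("no-such-target", link) != 0) return 0;
    int fd = create_or_open_safe(link, O_RDWR, 0600);
    if (fd >= 0) close(fd);
    unlink(link); rmdir(dir);
    return fd == -1 && errno == ELOOP;
}
```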
Found and fixed the bug. Patch to follow. We'll also need a regression test case for this (also to follow). Jeremy.
Marking private until we decide if this is a security issue or not.
Created attachment 12925 [details] git-am fix for master Not complete - needs regression test case but I wanted to keep a record of the fix here.
Created attachment 12928 [details] Correct patch for master Includes regression test.
Opening back up, not a security bug I don't think.
Created attachment 12929 [details] Better comment and commit message.
Created attachment 12942 [details] Patch submitted to samba-technical
Created attachment 12946 [details] Pair programmed with Ralph.
Comment on attachment 12946 [details] Pair programmed with Ralph. Perfect!
Created attachment 12948 [details] git-am fix for 4.6.next, 4.5.next. Cherry-pick from master.
Created attachment 12949 [details] git-am fix for 4.4.next Cherry-pick from master. Doesn't include regression test (doesn't apply cleanly, not worth back-porting from master to 4.4.next only).
Reassigning to Karolin for inclusion in 4.4, 4.5 and 4.6.
(In reply to Ralph Böhme from comment #12) Pushed to autobuild-v4-{6,5,4}-test.
(In reply to Karolin Seeger from comment #13) Pushed to all branches. Closing out bug report. Thanks!
Hi, the issue got CVE-2017-9461 assigned. Although probably minor, is there a reason it was not considered a security bug per se? According to the downstream report at https://bugs.debian.org/864291 it could be used for a denial of service (high CPU usage, memory exhaustion).
(In reply to Salvatore Bonaccorso from comment #15) Just seemed too minor to log as a security fix. Just IMHO.