sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-24 02:04:21 +03:00
Code

CVE-2023-34968: mdssvc: cache and reuse stat info in struct sl_inode_path_map

Browse Source 
Prepare for the "path" being a fake path and not the real server-side
path where we won't be able to vfs_stat_fsp() this fake path. Luckily we already
got stat info for the object in mds_add_result() so we can just pass stat info
from there.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This commit is contained in:
Ralph Boehme 2023-06-06 15:17:26 +02:00 committed by Jule Anger
parent f4aa214712
commit 3815bb8a70
2 changed files with 8 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
source3/rpc_server/mdssvc/mdssvc.c
View File

@ -446,7 +446,10 @@ static int ino_path_map_destr_cb(struct sl_inode_path_map *entry)
* entries by calling talloc_free() on the query slq handles.
**/
static bool inode_map_add(struct sl_query *slq, uint64_t ino, const char *path)
static bool inode_map_add(struct sl_query *slq,
uint64_t ino,
const char *path,
struct stat_ex *st)
{
NTSTATUS status;
struct sl_inode_path_map *entry;
@ -493,6 +496,7 @@ static bool inode_map_add(struct sl_query *slq, uint64_t ino, const char *path)
entry->ino = ino;
entry->mds_ctx = slq->mds_ctx;
entry->st = *st;
entry->path = talloc_strdup(entry, path);
if (entry->path == NULL) {
DEBUG(1, ("talloc failed\n"));
@ -617,7 +621,7 @@ bool mds_add_result(struct sl_query *slq, const char *path)
return false;
}
ok = inode_map_add(slq, ino64, path);
ok = inode_map_add(slq, ino64, path, &sb);
if (!ok) {
DEBUG(1, ("inode_map_add error\n"));
slq->state = SLQ_STATE_ERROR;
@ -1340,29 +1344,7 @@ static bool slrpc_fetch_attributes(struct mds_ctx *mds_ctx,
elem = talloc_get_type_abort(p, struct sl_inode_path_map);
path = elem->path;
status = synthetic_pathref(talloc_tos(),
mds_ctx->conn->cwd_fsp,
path,
NULL,
NULL,
0,
0,
&smb_fname);
if (!NT_STATUS_IS_OK(status)) {
/* This is not an error, the user may lack permissions */
DBG_DEBUG("synthetic_pathref [%s]: %s\n",
smb_fname_str_dbg(smb_fname),
nt_errstr(status));
return true;
}
status = vfs_stat_fsp(smb_fname->fsp);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(smb_fname);
return true;
}
sp = &smb_fname->fsp->fsp_name->st;
sp = &elem->st;
}
ok = add_filemeta(mds_ctx, reqinfo, fm_array, path, sp);

1
source3/rpc_server/mdssvc/mdssvc.h
View File

@ -105,6 +105,7 @@ struct sl_inode_path_map {
struct mds_ctx *mds_ctx;
uint64_t ino;
char *path;
struct stat_ex st;
};
/* Per process state */