
smbd: fix pathref unlinking in create_file_unixpath()

This is really subtle. If someone passes in an smb_fname where smb_fname
actually is taken from fsp->fsp_name, then the lifetime of these objects is
meant to be the same.

This is commonly the case from an SMB1 path-based call
(eg call_trans2qfilepathinfo()) where we use the pathref fsp
(smb_fname->fsp) as the handle. In this case we must not unlink smb_fname->fsp
from it's owner.

The asserts below:

  SMB_ASSERT(fsp->fsp_name->fsp != NULL);
  SMB_ASSERT(fsp->fsp_name->fsp == fsp);

ensure the required invariants are met.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14732

Pair-Programmed-With: Ralph Boehme <slow@samba.org>
Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue Jun  8 20:44:41 UTC 2021 on sn-devel-184
This commit is contained in:
Jeremy Allison 2021-06-08 18:53:18 +02:00 committed by Ralph Boehme
parent 7645aca4d0
commit 8a427783e5


@ -5835,13 +5835,39 @@ static NTSTATUS create_file_unixpath(connection_struct *conn,
* request to create a file that doesn't exist.
*/
if (smb_fname->fsp != NULL) {
fsp = smb_fname->fsp;
bool need_fsp_unlink = true;
/*
* Unlink the fsp from the smb_fname so the fsp is not
* autoclosed by the smb_fname pathref fsp talloc destructor.
* This is really subtle. If someone passes in an smb_fname
* where smb_fname actually is taken from fsp->fsp_name, then
* the lifetime of these objects is meant to be the same.
*
* This is commonly the case from an SMB1 path-based call,
* (call_trans2qfilepathinfo) where we use the pathref fsp
* (smb_fname->fsp) as the handle. In this case we must not
* unlink smb_fname->fsp from it's owner.
*
* The asserts below:
*
* SMB_ASSERT(fsp->fsp_name->fsp != NULL);
* SMB_ASSERT(fsp->fsp_name->fsp == fsp);
*
* ensure the required invarients are met.
*/
smb_fname_fsp_unlink(smb_fname);
if (smb_fname->fsp->fsp_name == smb_fname) {
need_fsp_unlink = false;
}
fsp = smb_fname->fsp;
if (need_fsp_unlink) {
/*
* Unlink the fsp from the smb_fname so the fsp is not
* autoclosed by the smb_fname pathref fsp talloc
* destructor.
*/
smb_fname_fsp_unlink(smb_fname);
}
status = fsp_bind_smb(fsp, req);
if (!NT_STATUS_IS_OK(status)) {
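Review bot: The line `if (smb_fname->fsp->fsp_name == smb_fname) {` carries the whole fix but has no comment of its own; the long block above explains the lifetime problem, yet a reader of the `if` still has to work out that pointer identity means smb_fname is the fsp's own fsp_name, so the fsp must stay linked and, as the later comment says, be closed by the smb_fname talloc destructor. I would put `/* smb_fname is fsp->fsp_name itself: the fsp owns it, keep the link intact. */` directly above that line. Two typos in the newly added comment are worth fixing while it is being introduced: `from it's owner` should read `from its owner` and `invarients` should read `invariants`. As a matter of style, the `need_fsp_unlink` flag could be dropped by testing `if (smb_fname->fsp->fsp_name != smb_fname) {` at the unlink site, since nothing between the two points changes either pointer. create_file_unixpath() starts and continues outside this hunk.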
@ -5871,6 +5897,9 @@ static NTSTATUS create_file_unixpath(connection_struct *conn,
}
}
SMB_ASSERT(fsp->fsp_name->fsp != NULL);
SMB_ASSERT(fsp->fsp_name->fsp == fsp);
if (base_fsp) {
/*
* We're opening the stream element of a