sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-25 06:04:04 +03:00
Code
samba-mirror/source3/smbd
History
Stefan Metzmacher e0bf930f23 s3:smb2_notify: fix use after free on long living notify requests 
This is a hack, but it should fix the bug:

   change_notify_add_request() talloc moves smb_request away,
   which is not expected by the smb2_notify.c code...

   smbd_smb2_notify_reply() uses tevent_req_defer_callback()
   (in older versions an immediate event) to defer the response.
   This is needed as change_notify_reply() will do more things
   after calling reply_fn() (smbd_smb2_notify_reply is this case)
   and often change_notify_remove_request() is called after
   change_notify_reply().

   change_notify_remove_request() implicitly free's the smb_request
   that was passed to change_notify_add_request().

   smbd_smb2_fake_smb_request() added the smb_request as smb2req->smb1req,
   which is expected to be available after smbd_smb2_notify_recv() returned.

The long term solution would be the following interface:

struct tevent_req *change_notify_request_send(TALLOC_CTX *mem_ctx,
                                              struct tevent_context *ev,
                                              struct files_struct *fsp,
                                              uint32_t max_length,
                                              uint32_t filter,
                                              bool recursive);
NTSTATUS change_notify_request_recv(struct tevent_req *req,
                                    TALLOC_CTX *mem_ctx,
                                    DATA_BLOB *buffer);

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10442

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Feb 14 11:18:15 CET 2014 on sn-devel-104
2014-02-14 11:18:15 +01:00
..
aio.c
param: rename lp function and variable from "syncalways" to "sync_always"
2014-02-07 16:19:16 -08:00
avahi_register.c
s3-param Remove special case for global_myname(), rename to lp_netbios_name()
2011-06-09 12:40:09 +02:00
blocking.c
smbd: Fix blank line endings
2013-09-11 08:27:10 +02:00
close.c
param: rename lp function and variable from "magicscript" to "magic_script"
2014-02-07 16:19:13 -08:00
conn_idle.c
Fix bug #9733 - smbcontrol close-share is not working.
2013-03-22 20:10:11 +01:00
conn_msg.c
s3:smbd/conn_msg: use talloc_get_type_abort() as private_data can't be NULL
2011-12-14 12:00:07 +01:00
conn.c
Add uint32_t share_access to vuid_cache_entry.
2013-01-09 15:28:48 +11:00
connection.c
s3:smbd: remove unused claim_connection/yield_connection
2012-10-19 12:15:03 +02:00
dfree.c
param: rename lp function and variable from "maxdisksize" to "max_disk_size"
2014-02-07 16:19:16 -08:00
dir.c
param: rename lp function and variable from "hideunwriteable_files" to "hide_unwriteable_files"
2014-02-07 16:19:11 -08:00
dmapi.c
s3-talloc Change TALLOC_REALLOC_ARRAY() to talloc_realloc()
2011-06-09 12:40:08 +02:00
dnsregister.c
s3: include smbd/smbd.h where needed.
2011-03-30 01:13:08 +02:00
dosmode.c
param: rename lp function and variable from "inherit_perms" to "inherit_permissions"
2014-02-07 16:19:15 -08:00
durable.c
smbd:smb2: fix durable reconnect: set fsp->fnum from the smbXsrv_open->local_id
2014-01-30 16:57:06 +01:00
error.c
s3-smbd: Avoid starting log lines with the word 'error'
2012-02-16 15:21:11 +11:00
fake_file.c
Add 'bool use_privs' to smbd_calculate_access_mask().
2012-09-15 00:37:49 +02:00
file_access.c
smbd: Convert can_delete_file_in_directory to synthetic_smb_fname
2013-04-17 14:50:01 -07:00
fileio.c
param: rename lp function and variable from "syncalways" to "sync_always"
2014-02-07 16:19:16 -08:00
filename.c
param: rename lp function and variable from "symlinks" to "follow_symlinks"
2014-02-07 16:19:13 -08:00
files.c
s3:smbd: use PATH_MAX for the buffer passed to full_path_tos()
2013-12-14 16:24:34 +01:00
globals.c
s3:smbd: move initialization of the smbd_shim from smbd_init_globals() to main()
2012-10-19 12:14:58 +02:00
globals.h
s3:smb2_server: avoid calling set_current_user_info() for each request
2013-11-27 16:31:44 +01:00
ipc.c
s3:smbd: make use of smbXsrv_tcon for smb1
2012-06-25 20:55:06 +02:00
lanman.c
param: change fstype to use a constant string
2014-02-12 13:17:14 +13:00
mangle_hash2.c
Fix is_legal_name() to not emit character conversion error messages.
2013-09-11 16:38:43 -07:00
mangle_hash.c
param: rename lp function and variable from 'magicchar' to 'mangling_char'
2014-02-07 16:19:10 -08:00
mangle.c
param: rename lp function and variable from 'defaultcase' to 'default_case'
2014-02-07 16:19:10 -08:00
message.c
param: rename lp function and variable from "msg_command" to "message_command"
2014-02-07 16:19:13 -08:00
msdfs.c
loadparm: rename lp[cfg]_pathname to lp[cfg]_path for consistency with docs
2014-02-03 13:26:13 +13:00
negprot.c
lib/param: Normalise "read raw" and "write raw" parameters
2014-02-12 13:17:13 +13:00
notify_inotify.c
Fix memory leak in error code path.
2013-07-18 03:22:37 +02:00
notify_internal.c
dbwrap: add a dbwrap_flags argument to db_open_tdb()
2014-02-07 16:06:07 +01:00
notify.c
s3:smbd: use PATH_MAX for the buffer passed to full_path_tos()
2013-12-14 16:24:34 +01:00
ntquotas.c
lib/util: Remove dummy wrappers for setpwent/getpwent/endpwent.
2012-03-24 15:23:02 +01:00
nttrans.c
smbd: Always use UCF_PREP_CREATEFILE for filename_convert calls to resolve a path for open.
2013-12-09 21:02:21 +01:00
open.c
param: rename lp function and variable from "inherit_perms" to "inherit_permissions"
2014-02-07 16:19:15 -08:00
oplock_irix.c
param: rename lp function and variable from 'lockdir' to 'lock_directory'
2014-02-07 16:19:10 -08:00
oplock_linux.c
Wrap setting leases in become_root()/unbecome_root() to ensure correct delivery of signals.
2013-07-31 17:07:58 -07:00
oplock.c
Rename the profile enums with a SAMBA_ prefix to avoid conflict with system files.
2013-11-22 08:56:38 -08:00
password.c
loadparm: rename lp[cfg]_pathname to lp[cfg]_path for consistency with docs
2014-02-03 13:26:13 +13:00
perfcount.c
loadparm: make the source3/ lp_ functions take an explicit TALLOC_CTX *.
2012-07-18 15:07:23 +09:30
pipes.c
s3-rpc_server: Pass the server event context to np_open().
2013-10-29 16:27:18 +01:00
posix_acls.c
Fix bug 10196 - RW Deny for a specific user is not overriding RW Allow for a group.
2013-10-24 14:20:04 +02:00
process.c
param: rename lp function and variable from "rootdir" to "root_directory"
2014-02-07 16:19:16 -08:00
proto.h
smbd: Implement and use full_path_tos
2013-12-14 11:21:32 +01:00
pysmbd.c
pysmbd: improve the return of error codes in the python smbd bindings
2014-02-05 08:42:25 +01:00
quotas.c
quota: move function again to its belonging ifdef block
2012-09-11 04:44:28 +02:00
reply.c
param: change fstype to use a constant string
2014-02-12 13:17:14 +13:00
scavenger.c
s3:smbd:smb2:scavenger: fix format error for debugging open_persistent_id in scavenger_timer()
2013-04-19 01:36:15 +02:00
scavenger.h
s3:smbd: add a scavenger process for disconnected durable handles
2013-04-18 13:15:13 +02:00
seal.c
libcli/smb: Convert struct smb_trans_enc_state to talloc
2012-01-31 20:17:10 +01:00
sec_ctx.c
Fix bug #9329 - Directory listing with SeBackup can crash smbd.
2012-10-29 16:26:20 +01:00
server_exit.c
param: rename lp function and variable from 'piddir' to 'pid_directory'
2014-02-07 16:19:11 -08:00
server_reload.c
param: No longer have a special case for lp_configfile
2014-02-12 13:17:13 +13:00
server.c
cmdline: Remove dynconfig hooks in command line processing
2014-02-12 16:42:14 +01:00
service.c
param: change fstype to use a constant string
2014-02-12 13:17:14 +13:00
session.c
s3:smbd/session: Added a routine find_sessions()
2013-09-10 11:32:46 -07:00
sesssetup.c
s3: set native os according to Windows and NBT_ANNOUNCE_VERSION defines
2014-01-14 16:48:30 -08:00
share_access.c
param: rename lp function and variable from "writelist" to "write_list"
2014-02-07 16:19:16 -08:00
signing.c
lib/param: Consolidate code to enable smb signing on the server, always enable on AD DC
2013-11-22 13:13:03 +01:00
smb2_break.c
smbd: Remove unused reply_to_oplock_break_requests
2013-04-26 15:17:22 -07:00
smb2_close.c
s3:smbd/smb2 fix compiler warnings
2013-12-12 14:21:27 -08:00
smb2_create.c
smbd: Always use UCF_PREP_CREATEFILE for filename_convert calls to resolve a path for open.
2013-12-09 21:02:21 +01:00
smb2_find.c
param: rename lp function and variable from 'dontdescend' to 'dont_descend'
2014-02-07 16:19:09 -08:00
smb2_flush.c
s3:smb2_flush: make use of SMBD_SMB2_IN_BODY_PTR()
2012-08-05 20:55:35 +02:00
smb2_getinfo.c
smbd: Revert a93f9c3
2013-08-28 23:37:08 +02:00
smb2_glue.c
Add function smbd_smb2_unread_bytes().
2013-04-19 14:10:51 -07:00
smb2_ioctl_dfs.c
smb2_ioctl: split ioctl handler code on device type
2013-01-16 23:15:06 +01:00
smb2_ioctl_filesys.c
smb2/ioctl: add support for FSCTL_[GET/SET]_COMPRESSION
2013-11-22 08:56:45 -08:00
smb2_ioctl_named_pipe.c
smbd: Fix CID 1035550 Structurally dead code
2013-08-12 17:25:54 +12:00
smb2_ioctl_network_fs.c
smbd: Fix memory overwrites
2014-02-07 20:07:23 +01:00
smb2_ioctl_private.h
smb2_ioctl: split ioctl handler code on device type
2013-01-16 23:15:06 +01:00
smb2_ioctl.c
smb2_ioctl: remove ioctl error response assumptions
2013-01-16 23:15:07 +01:00
smb2_keepalive.c
s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_keepalive.c
2011-09-07 10:38:06 +02:00
smb2_lock.c
smbd: Fix a panic when a smb2 brlock times out
2013-12-05 21:21:35 +01:00
smb2_negprot.c
param: rename lp function and variable from "srv_minprotocol" to "server_min_protocol"
2014-02-07 16:19:15 -08:00
smb2_notify.c
s3:smb2_notify: fix use after free on long living notify requests
2014-02-14 11:18:15 +01:00
smb2_read.c
s3: Return correct error code from SMB2 AIO read failure
2013-12-05 18:22:16 -08:00
smb2_server.c
smbd: Fix CID 1138328 Logically dead code
2013-12-17 01:57:13 +01:00
smb2_sesssetup.c
s3:smbd/smb2 fix compiler warnings
2013-12-12 14:21:27 -08:00
smb2_setinfo.c
Rename set_sd() to set_sd_blob() - this describes what it does.
2012-08-30 10:08:50 -07:00
smb2_tcon.c
param: rename lp function and variable from "hideunwriteable_files" to "hide_unwriteable_files"
2014-02-07 16:19:11 -08:00
smb2_write.c
s3:smbd: remove struct member smbd_smb2_request.cancelled - it was only written
2012-09-22 10:19:00 +02:00
smbd.h
smbd: change flag name from UCF_CREATING_FILE to UCF_PREP_CREATEFILE
2013-12-09 09:48:48 -08:00
smbXsrv_open.c
smbXsrv_open.c: Initialize local variable.
2014-02-12 23:57:05 +01:00
smbXsrv_session.c
dbwrap: add a dbwrap_flags argument to db_open()
2014-02-07 16:06:06 +01:00
smbXsrv_tcon.c
dbwrap: add a dbwrap_flags argument to db_open()
2014-02-07 16:06:06 +01:00
smbXsrv_version.c
dbwrap: add a dbwrap_flags argument to db_open()
2014-02-07 16:06:06 +01:00
srvstr.c
s3-talloc Change TALLOC_REALLOC_ARRAY() to talloc_realloc()
2011-06-09 12:40:08 +02:00
statcache.c
Second part of fix for bug #8541 - readlink() on Linux clients fails if the symlink target is outside of the share.
2011-10-22 04:57:10 +02:00
statvfs.c
s3: evaluate MNT_QUOTA and MNT_RDONLY in statvfs also on darwin
2012-07-05 22:00:52 +02:00
trans2.c
param: change fstype to use a constant string
2014-02-12 13:17:14 +13:00
uid.c
param: rename lp function and variable from 'guestaccount' to 'guest_account'
2014-02-07 16:19:10 -08:00
utmp.c
param: rename lp function and variable from 'wtmpdir' to 'wtmp_directory'
2014-02-07 16:19:11 -08:00
vfs.c
param: rename lp function and variable from "symlinks" to "follow_symlinks"
2014-02-07 16:19:13 -08:00