Login
[x]
Log in using an account from:
Fedora Account System
Red Hat Associate
Red Hat Customer
Or login using a Red Hat Bugzilla account
Forgot Password
Login:
Hide Forgot
Create an Account
Red Hat Bugzilla – Attachment 146985 Details for
Bug 225513
CVE-2007-0452 Samba smbd denial of service
[?]
New
Simple Search
Advanced Search
My Links
Browse
Requests
Reports
Current State
Search
Tabular reports
Graphical reports
Duplicates
Other Reports
User Changes
Plotly Reports
Bug Status
Bug Severity
Non-Defaults
|
Product Dashboard
Help
Page Help!
Bug Writing Guidelines
What's new
Browser Support Policy
5.0.4.rh83 Release notes
FAQ
Guides index
User guide
Web Services
Contact
Legal
This site requires JavaScript to be enabled to function correctly, please enable it.
[patch]
Proposed upstream patch
smbd_deferred_open_v2.patch (text/plain), 5.87 KB, created by
Josh Bressers
on 2007-01-31 00:33:48 UTC
(
hide
)
Description:
Proposed upstream patch
Filename:
MIME Type:
Creator:
Josh Bressers
Created:
2007-01-31 00:33:48 UTC
Size:
5.87 KB
patch
obsolete
>diff -urN samba-3.0.23d/source/printing/nt_printing.c samba/source/printing/nt_printing.c >--- samba-3.0.23d/source/printing/nt_printing.c 2006-07-10 11:27:50.000000000 -0500 >+++ samba/source/printing/nt_printing.c 2007-01-30 15:00:45.000000000 -0600 >@@ -4839,7 +4839,7 @@ > pstrcpy( file, s ); > driver_unix_convert(file, conn, NULL, &bad_path, &st); > DEBUG(10,("deleting driverfile [%s]\n", s)); >- unlink_internals(conn, 0, file, False); >+ unlink_internals(conn, 0, file, False, False); > } > } > >@@ -4848,7 +4848,7 @@ > pstrcpy( file, s ); > driver_unix_convert(file, conn, NULL, &bad_path, &st); > DEBUG(10,("deleting configfile [%s]\n", s)); >- unlink_internals(conn, 0, file, False); >+ unlink_internals(conn, 0, file, False, False); > } > } > >@@ -4857,7 +4857,7 @@ > pstrcpy( file, s ); > driver_unix_convert(file, conn, NULL, &bad_path, &st); > DEBUG(10,("deleting datafile [%s]\n", s)); >- unlink_internals(conn, 0, file, False); >+ unlink_internals(conn, 0, file, False, False); > } > } > >@@ -4866,7 +4866,7 @@ > pstrcpy( file, s ); > driver_unix_convert(file, conn, NULL, &bad_path, &st); > DEBUG(10,("deleting helpfile [%s]\n", s)); >- unlink_internals(conn, 0, file, False); >+ unlink_internals(conn, 0, file, False, False); > } > } > >@@ -4882,7 +4882,7 @@ > pstrcpy( file, p ); > driver_unix_convert(file, conn, NULL, &bad_path, &st); > DEBUG(10,("deleting dependent file [%s]\n", file)); >- unlink_internals(conn, 0, file, False); >+ unlink_internals(conn, 0, file, False, False); > } > > i++; >diff -urN samba-3.0.23d/source/smbd/nttrans.c samba/source/smbd/nttrans.c >--- samba-3.0.23d/source/smbd/nttrans.c 2006-06-23 08:16:49.000000000 -0500 >+++ samba/source/smbd/nttrans.c 2007-01-30 15:00:45.000000000 -0600 >@@ -664,7 +664,7 @@ > if (lp_acl_check_permissions(SNUM(conn)) && (share_access & FILE_SHARE_DELETE) > && (access_mask & DELETE_ACCESS)) { > #endif >- status = can_delete(conn, fname, file_attributes, bad_path, True); >+ status = can_delete(conn, fname, file_attributes, bad_path, True, False); > /* We're only going to fail here if it's access denied, as that's the > only error we care about for "can we delete this ?" questions. */ > if (!NT_STATUS_IS_OK(status) && (NT_STATUS_EQUAL(status,NT_STATUS_ACCESS_DENIED) || >@@ -1281,7 +1281,7 @@ > /* Setting FILE_SHARE_DELETE is the hint. */ > if (lp_acl_check_permissions(SNUM(conn)) && (share_access & FILE_SHARE_DELETE) && (access_mask & DELETE_ACCESS)) { > #endif >- status = can_delete(conn, fname, file_attributes, bad_path, True); >+ status = can_delete(conn, fname, file_attributes, bad_path, True, False); > /* We're only going to fail here if it's access denied, as that's the > only error we care about for "can we delete this ?" questions. */ > if (!NT_STATUS_IS_OK(status) && (NT_STATUS_EQUAL(status,NT_STATUS_ACCESS_DENIED) || >@@ -1888,8 +1888,14 @@ > > status = rename_internals(conn, fsp->fsp_name, > new_name, 0, replace_if_exists, path_contains_wcard); >- if (!NT_STATUS_IS_OK(status)) >+ >+ if (!NT_STATUS_IS_OK(status)) { >+ if (open_was_deferred(SVAL(inbuf,smb_mid))) { >+ /* We have re-scheduled this call. */ >+ return -1; >+ } > return ERROR_NT(status); >+ } > > /* > * Rename was successful. >diff -urN samba-3.0.23d/source/smbd/reply.c samba/source/smbd/reply.c >--- samba-3.0.23d/source/smbd/reply.c 2006-06-23 08:16:49.000000000 -0500 >+++ samba/source/smbd/reply.c 2007-01-30 15:00:45.000000000 -0600 >@@ -1865,7 +1865,7 @@ > Check if a user is allowed to delete a file. > ********************************************************************/ > >-NTSTATUS can_delete(connection_struct *conn, char *fname, uint32 dirtype, BOOL bad_path, BOOL check_is_at_open) >+NTSTATUS can_delete(connection_struct *conn, char *fname, uint32 dirtype, BOOL bad_path, BOOL check_is_at_open, BOOL can_defer) > { > SMB_STRUCT_STAT sbuf; > uint32 fattr; >@@ -1938,7 +1938,7 @@ > FILE_OPEN, > 0, > FILE_ATTRIBUTE_NORMAL, >- 0, >+ can_defer ? 0 : INTERNAL_OPEN_ONLY, > NULL); > > if (!fsp) { >@@ -1960,7 +1960,7 @@ > code. > ****************************************************************************/ > >-NTSTATUS unlink_internals(connection_struct *conn, uint32 dirtype, char *name, BOOL has_wild) >+NTSTATUS unlink_internals(connection_struct *conn, uint32 dirtype, char *name, BOOL has_wild, BOOL can_defer) > { > pstring directory; > pstring mask; >@@ -2000,7 +2000,7 @@ > if (!has_wild) { > pstrcat(directory,"/"); > pstrcat(directory,mask); >- error = can_delete(conn,directory,dirtype,bad_path,False); >+ error = can_delete(conn,directory,dirtype,bad_path,False,can_defer); > if (!NT_STATUS_IS_OK(error)) > return error; > >@@ -2058,7 +2058,7 @@ > } > > slprintf(fname,sizeof(fname)-1, "%s/%s",directory,dname); >- error = can_delete(conn,fname,dirtype,bad_path,False); >+ error = can_delete(conn,fname,dirtype,bad_path,False,False); > if (!NT_STATUS_IS_OK(error)) { > continue; > } >@@ -2104,7 +2104,7 @@ > > DEBUG(3,("reply_unlink : %s\n",name)); > >- status = unlink_internals(conn, dirtype, name, path_contains_wcard); >+ status = unlink_internals(conn, dirtype, name, path_contains_wcard, True); > if (!NT_STATUS_IS_OK(status)) { > if (open_was_deferred(SVAL(inbuf,smb_mid))) { > /* We have re-scheduled this call. */ >diff -urN samba-3.0.23d/source/smbd/trans2.c samba/source/smbd/trans2.c >--- samba-3.0.23d/source/smbd/trans2.c 2006-11-14 08:42:12.000000000 -0600 >+++ samba/source/smbd/trans2.c 2007-01-30 15:00:35.000000000 -0600 >@@ -4446,9 +4446,15 @@ > fname, newname )); > status = rename_internals(conn, fname, base_name, 0, overwrite, False); > } >+ > if (!NT_STATUS_IS_OK(status)) { >+ if (open_was_deferred(SVAL(inbuf,smb_mid))) { >+ /* We have re-scheduled this call. */ >+ return -1; >+ } > return ERROR_NT(status); > } >+ > process_pending_change_notify_queue((time_t)0); > SSVAL(params,0,0); > send_trans2_replies(outbuf, bufsize, params, 2, *ppdata, 0);
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=146985">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 225513
: 146985