Date: Sat, 23 Apr 2005 18:14:29 +0200 (CEST) From: Andre Albsmeier <andre.albsmeier@siemens.com> To: FreeBSD-gnats-submit@FreeBSD.org Subject: ports/80288: [PATCH] samba: processing of symlinks broken Message-ID: <200504231614.j3NGETLT027055@curry.mchp.siemens.de> Resent-Message-ID: <200504231620.j3NGKIoS071828@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 80288
>Category: ports
>Synopsis: [PATCH] samba: processing of symlinks broken
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Apr 23 16:20:17 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Andre Albsmeier
>Release: FreeBSD 4.11-STABLE i386
>Organization:
>Environment:
FreeBSD 4.11-STABLE with samba from ports.
A Winblows system which tries to access symlinks from a share.
>Description:
There are two serious bugs in the code which processes symlinks
in smbd:
1.) The programmer assumed that readlink() would NUL-terminate
the result (flink). This is fixed with the first part of the
patch.
2.) In case of a relative symlink, the destination (cleanlink) is
constructed by concatenating realdir with the link. This is
wrong, it should be dirname(name) + the link. The second part
of the patch fixes that.
>How-To-Repeat:
Raise debuglevel to 3 and access symlinks from Winblows. Watch
the messed up filenames due to 1.).
Fix 1.) and try to access relative symlinks from Winblows. These
links must not reside on the toplevel of the share. Watch the
wrongly constructed filnames.
>Fix:
--- source/smbd/vfs.c.ORI Wed Sep 29 19:37:44 2004
+++ source/smbd/vfs.c Fri Apr 22 21:11:57 2005
@@ -717,6 +717,7 @@
pstring savedir;
pstring realdir;
size_t reallen;
+ int linklen;
if (!vfs_GetWd(conn, savedir)) {
DEBUG(0,("couldn't vfs_GetWd for %s %s\n", name, dir));
@@ -740,12 +741,16 @@
realdir[reallen] = 0;
}
- if (conn->vfs_ops.readlink(conn, name, flink, sizeof(pstring) -1) != -1) {
+ if( (linklen = conn->vfs_ops.readlink(conn, name, flink, sizeof(pstring) -1)) != -1 ) {
+ flink[linklen] = '\0';
DEBUG(3,("reduce_name: file path name %s is a symlink\nChecking it's path\n", name));
if (*flink == '/') {
pstrcpy(cleanlink, flink);
} else {
- pstrcpy(cleanlink, realdir);
+ char* cp;
+ pstrcpy( cleanlink, name );
+ if( (cp = strrchr( cleanlink, '/' )) != NULL )
+ *cp = '\0';
pstrcat(cleanlink, "/");
pstrcat(cleanlink, flink);
}
>Release-Note:
>Audit-Trail:
>Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200504231614.j3NGETLT027055>