Date: Sat, 23 Apr 2005 18:14:29 +0200 (CEST)
From: Andre Albsmeier
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: ports/80288: [PATCH] samba: processing of symlinks broken

>Number: 80288
>Category: ports
>Synopsis: [PATCH] samba: processing of symlinks broken
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Apr 23 16:20:17 GMT 2005
>Originator: Andre Albsmeier
>Release: FreeBSD 4.11-STABLE i386
>Environment:
FreeBSD 4.11-STABLE with samba from ports. A Winblows system which tries to access symlinks from a share.
>Description:
There are two serious bugs in the code which processes symlinks in smbd:

1.) The programmer assumed that readlink() would NUL-terminate the result (flink). This is fixed with the first part of the patch.

2.) In case of a relative symlink, the destination (cleanlink) is constructed by concatenating realdir with the link. This is wrong, it should be dirname(name) + the link. The second part of the patch fixes that.
>How-To-Repeat:
Raise debuglevel to 3 and access symlinks from Winblows. Watch the messed up filenames due to 1.). Fix 1.) and try to access relative symlinks from Winblows. These links must not reside on the top level of the share. Watch the wrongly constructed filenames.
>Fix:
--- source/smbd/vfs.c.ORI Wed Sep 29 19:37:44 2004 +++ source/smbd/vfs.c Fri Apr 22 21:11:57 2005 @@ -717,6 +717,7 @@ pstring savedir; pstring realdir; size_t reallen; + int linklen; if (!vfs_GetWd(conn, savedir)) { DEBUG(0,("couldn't vfs_GetWd for %s %s\n", name, dir)); 
@@ -740,12 +741,16 @@ realdir[reallen] = 0; } - if (conn->vfs_ops.readlink(conn, name, flink, sizeof(pstring) -1) != -1) { + if( (linklen = conn->vfs_ops.readlink(conn, name, flink, sizeof(pstring) -1)) != -1 ) { + flink[linklen] = '\0'; DEBUG(3,("reduce_name: file path name %s is a symlink\nChecking it's path\n", name)); if (*flink == '/') { pstrcpy(cleanlink, flink); } else { - pstrcpy(cleanlink, realdir); + char* cp; + pstrcpy( cleanlink, name ); + if( (cp = strrchr( cleanlink, '/' )) != NULL ) + *cp = '\0'; pstrcat(cleanlink, "/"); pstrcat(cleanlink, flink); } >Release-Note: >Audit-Trail: >Unformatted:
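Review bot: In the relative-link branch of the second hunk, the strrchr( cleanlink, '/' ) result is only acted on when it is non-NULL, so a name that contains no slash leaves cleanlink holding the link's own name and the code goes on to build "name/flink" rather than a path in the current directory. Add an else branch that sets cleanlink to "." before the pstrcat(cleanlink, "/") call. The flink[linklen] = '\0' write is in bounds because the read is capped at sizeof(pstring) -1. As a style point, "if( (linklen = ..." and "pstrcpy( cleanlink, name )" do not follow the spacing of the neighbouring "if (*flink == '/')" and "pstrcpy(cleanlink, flink)" lines.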
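The two rules from the description (readlink() does not NUL-terminate; a relative target is resolved against the directory holding the link), as an added stand-alone example that is not part of the original report and is not Samba code. The names read_link_target and join_link_target and the sample path docs/latest are hypothetical; the example also covers a link name that contains no slash.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Read a symlink target into buf and NUL-terminate it.
 * readlink() returns the byte count and never writes a terminator. */
ssize_t read_link_target(const char *path, char *buf, size_t buflen)
{
    if (buflen == 0)
        return -1;
    ssize_t n = readlink(path, buf, buflen - 1); /* keep one byte for '\0' */
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return n;
}

/* Build the path a link target refers to. A relative target is resolved
 * against the directory that contains the link (dirname of name).
 * Returns 0 on success, -1 if out is too small. */
int join_link_target(const char *name, const char *target,
                     char *out, size_t outlen)
{
    int n;
    const char *slash = strrchr(name, '/');

    if (target[0] == '/')                 /* absolute target: use as is */
        n = snprintf(out, outlen, "%s", target);
    else if (slash == NULL)               /* link in the current directory */
        n = snprintf(out, outlen, "./%s", target);
    else                                  /* dirname(name) + "/" + target */
        n = snprintf(out, outlen, "%.*s/%s", (int)(slash - name), name, target);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    char target[1024], full[1024];
    const char *name = "docs/latest";     /* constructed sample link path */

    if (read_link_target(name, target, sizeof target) < 0) {
        perror(name);
        return 1;
    }
    if (join_link_target(name, target, full, sizeof full) == 0)
        printf("%s -> %s (resolves to %s)\n", name, target, full);
    return 0;
}
```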