Date:      Thu, 24 May 2018 14:50:14 +0000
From:      bugzilla-noreply@freebsd.org
To:        ports-bugs@FreeBSD.org
Subject:   [Bug 228462] Samba's vfs_streams_xattr triggers corruption of first byte in AFP_AfpInfo stream/xattr
Message-ID:  <bug-228462-7788@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=228462

            Bug ID: 228462
           Summary: Samba's vfs_streams_xattr triggers corruption of first
                    byte in AFP_AfpInfo stream/xattr
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: Individual Port(s)
          Assignee: ports-bugs@FreeBSD.org
          Reporter: slow@samba.org

The Samba FreeBSD port patch
https://svnweb.freebsd.org/ports/head/net/samba47/files/patch-source3__modules__vfs_streams_xattr.c?revision=464431&view=markup
changes vfs_streams_xattr to not read and write an additional trailing byte
(cf the comment lines containing "// ? -1" in the patch), but when creating a
stream the trailing byte is still stored (cf streams_xattr_open() the code
after the comment "Darn, xattrs need at least 1 byte").

Due to a vicious interaction with a bug that is present in the latest macOS
10.13.4 (not sure about earlier versions) what happens is this:

- the client sends a request to create a stream "file:AFP_AfpInfo"

- the server creates the xattr for the stream and writes a 0 byte

- the client sends a request to read 60 bytes at offset 0 from the stream

- the server returns a one byte sized buffer containing a 0 instead of
returning nread=0 and status=NT_STATUS_END_OF_FILE

- the final nail in the coffin is that the client, when writing the
AFP_AfpInfo blob whose first four bytes start with a magic string "AFP", takes
the 0 byte the server returned and overwrites the first byte of the magic
string

The fix for this is twofold: first, we must fix vfs_streams_xattr to not store
an initial zero byte when creating an xattr. Second, we must prepare vfs_fruit
to allow such broken AFP_AfpInfo blobs, otherwise users who add vfs_fruit run
into the issue that vfs_fruit has a builtin check for the magic string...

Have patch, need bug number...

Fwiw, this is a bug only present in the FreeBSD Samba port.

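Added example, not part of the original report and not Samba or FreeBSD port code: a small Python model of the create/read/write sequence described in the message, plus a triage helper for blobs whose first magic byte was zeroed. The class, function names and the way the client merges the returned bytes are assumptions made for illustration; only the 60-byte read, the "AFP" magic and the stream name come from the report.

```python
AFPINFO_SIZE = 60   # read size quoted in the report
MAGIC = b"AFP"      # magic string named in the report

class XattrStreamStore:
    """Toy stream-in-xattr backend (hypothetical model, not vfs_streams_xattr)."""
    def __init__(self, pad_on_create, strip_pad_on_io):
        self.pad_on_create = pad_on_create      # create stores a single 0 byte
        self.strip_pad_on_io = strip_pad_on_io  # I/O hides and re-adds a trailing byte
        self.xattrs = {}

    def create(self, name):
        self.xattrs[name] = b"\0" if self.pad_on_create else b""

    def _data(self, name):
        raw = self.xattrs[name]
        return raw[:-1] if self.strip_pad_on_io else raw

    def pread(self, name, size, offset=0):
        # An empty result models nread=0 / NT_STATUS_END_OF_FILE.
        return self._data(name)[offset:offset + size]

    def pwrite(self, name, buf, offset=0):
        data = bytearray(self._data(name))
        data.extend(b"\0" * max(0, offset + len(buf) - len(data)))
        data[offset:offset + len(buf)] = buf
        self.xattrs[name] = bytes(data) + (b"\0" if self.strip_pad_on_io else b"")

def client_set_afpinfo(store, name="file:AFP_AfpInfo"):
    """Create, read 60 bytes, write the blob; return what a later read sees."""
    store.create(name)
    got = store.pread(name, AFPINFO_SIZE)
    blob = bytearray(MAGIC.ljust(AFPINFO_SIZE, b"\0"))  # constructed sample blob
    blob[:len(got)] = got   # assumed model of the client bug: returned bytes win
    store.pwrite(name, bytes(blob))
    return store.pread(name, AFPINFO_SIZE)

def classify_afpinfo(blob):
    """Tell an intact blob from one whose first magic byte was zeroed."""
    if blob[:3] == MAGIC:
        return "ok"
    if blob[:1] == b"\0" and blob[1:3] == MAGIC[1:]:
        return "first-byte-zeroed"
    return "unrecognized"

def run_cases():
    cases = {"pad on create, no strip (reported)": (True, False),
             "no pad, no strip (proposed fix)": (False, False),
             "pad and strip (consistent)": (True, True)}
    return {label: classify_afpinfo(client_set_afpinfo(XattrStreamStore(*flags)))
            for label, flags in cases.items()}
```

Calling run_cases() shows that only the mismatched combination (padding stored at create, not stripped on read) produces a damaged blob; classify_afpinfo() can be pointed at stored blobs to find ones that need repair.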