smbd: Protect smbd_smb2_getinfo_send() against invalid quota files

author Volker Lendecke <vl@samba.org>

Fri, 22 May 2020 12:41:27 +0000 (14:41 +0200)

committer Stefan Metzmacher <metze@samba.org>

Fri, 29 May 2020 09:55:10 +0000 (09:55 +0000)
author Volker Lendecke <vl@samba.org>
Fri, 22 May 2020 12:41:27 +0000 (14:41 +0200)
committer Stefan Metzmacher <metze@samba.org>
Fri, 29 May 2020 09:55:10 +0000 (09:55 +0000)
diff --git a/selftest/knownfail.d/quota1 b/selftest/knownfail.d/quota1

index 4872f78746dc62d2de1eac0f788877ab9dc16898..a36f3252f8f8cf58c89435ae2d6a88f366057cf7 100644 (file)
--- a/selftest/knownfail.d/quota1
+++ b/selftest/knownfail.d/quota1
@@ -1,4 +1,2 @@
-^samba3.smbtorture_s3.crypt_client.SMB2-QUOTA1.smbtorture\(nt4_dc_smb1\)
-^samba3.smbtorture_s3.plain.SMB2-QUOTA1.smbtorture\(fileserver\)
  # ntvfs returns NT_STATUS_NOT_SUPPORTED
  ^samba3.smbtorture_s3.plain.SMB2-QUOTA1.smbtorture\(ad_dc_ntvfs\)
diff --git a/source3/smbd/smb2_getinfo.c b/source3/smbd/smb2_getinfo.c

index 01aedbf8e2e2e0961f0da4160e8cf731f9d68f97..f4fb7ce0b231f660ca8e0c774de642858692f803 100644 (file)
--- a/source3/smbd/smb2_getinfo.c
+++ b/source3/smbd/smb2_getinfo.c
@@ -547,12 +547,21 @@ static struct tevent_req *smbd_smb2_getinfo_send(TALLOC_CTX *mem_ctx,
                 struct ndr_pull *ndr_pull = NULL;
                 DATA_BLOB sid_buf = data_blob_null;
                 TALLOC_CTX *tmp_ctx = talloc_init("geninfo_quota");
+               bool ok;
  
                 if (!tmp_ctx) {
                         tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
                         return tevent_req_post(req, ev);
                 }
  
+               ok = check_fsp_ntquota_handle(conn, smbreq, fsp);
+               if (!ok) {
+                       DBG_INFO("no valid QUOTA HANDLE\n");
+                       TALLOC_FREE(tmp_ctx);
+                       tevent_req_nterror(req, NT_STATUS_INVALID_HANDLE);
+                       return tevent_req_post(req, ev);
+               }
+
                 ndr_pull = ndr_pull_init_blob(&in_input_buffer, tmp_ctx);
                 if (!ndr_pull) {
                         TALLOC_FREE(tmp_ctx);
author	Volker Lendecke <vl@samba.org>
	Fri, 22 May 2020 12:41:27 +0000 (14:41 +0200)
committer	Stefan Metzmacher <metze@samba.org>
	Fri, 29 May 2020 09:55:10 +0000 (09:55 +0000)
selftest/knownfail.d/quota1		patch \| blob \| history
source3/smbd/smb2_getinfo.c		patch \| blob \| history