*/
#include "includes.h"
+#include "libsmb/namequery.h"
#include "system/filesys.h"
#include "printing.h"
#include "smbd/smbd.h"
#include "fake_file.h"
#include "rpc_client/rpc_client.h"
#include "../librpc/gen_ndr/ndr_spoolss_c.h"
-#include "../librpc/gen_ndr/open_files.h"
#include "rpc_client/cli_spoolss.h"
#include "rpc_client/init_spoolss.h"
#include "rpc_server/rpc_ncacn_np.h"
switch(siz) {
case 5:
*d++ = *s++;
- /*fall through*/
+ FALL_THROUGH;
case 4:
*d++ = *s++;
- /*fall through*/
+ FALL_THROUGH;
case 3:
*d++ = *s++;
- /*fall through*/
+ FALL_THROUGH;
case 2:
*d++ = *s++;
- /*fall through*/
+ FALL_THROUGH;
case 1:
*d++ = *s++;
break;
DEBUG(5,("init msg_type=0x%x msg_flags=0x%x\n",
msg_type, msg_flags));
- srv_send_smb(xconn, outbuf, false, 0, false, NULL);
+ if (!srv_send_smb(xconn, outbuf, false, 0, false, NULL)) {
+ exit_server_cleanly("reply_special: srv_send_smb failed.");
+ }
if (CVAL(outbuf, 0) != 0x82) {
exit_server_cleanly("invalid netbios session");
connection_struct *conn = req->conn;
const char *service = NULL;
TALLOC_CTX *ctx = talloc_tos();
- /* what the cleint thinks the device is */
+ /* what the client thinks the device is */
char *client_devicetype = NULL;
/* what the server tells the client the share represents */
const char *server_devicetype;
}
TALLOC_FREE(tcon);
+ /*
+ * This tree id is gone. Make sure we can't re-use it
+ * by accident.
+ */
+ req->tid = 0;
}
if ((passlen > MAX_PASS_LEN) || (passlen >= req->buflen)) {
struct smb_filename *smb_fname = NULL;
char *name = NULL;
NTSTATUS status;
- uint32_t ucf_flags = (req->posix_pathnames ? UCF_POSIX_PATHNAMES : 0);
+ uint32_t ucf_flags = ucf_flags_from_smb_request(req);
TALLOC_CTX *ctx = talloc_tos();
START_PROFILE(SMBcheckpath);
status = filename_convert(ctx,
conn,
- req->flags2 & FLAGS2_DFS_PATHNAMES,
name,
ucf_flags,
NULL,
+ NULL,
&smb_fname);
if (!NT_STATUS_IS_OK(status)) {
size = 0;
mtime = 0;
} else {
- uint32_t ucf_flags = (req->posix_pathnames ?
- UCF_POSIX_PATHNAMES : 0);
+ uint32_t ucf_flags = ucf_flags_from_smb_request(req);
status = filename_convert(ctx,
conn,
- req->flags2 & FLAGS2_DFS_PATHNAMES,
fname,
ucf_flags,
NULL,
+ NULL,
&smb_fname);
if (!NT_STATUS_IS_OK(status)) {
if (NT_STATUS_EQUAL(status,NT_STATUS_PATH_NOT_COVERED)) {
time_t mtime;
const char *p;
NTSTATUS status;
- uint32_t ucf_flags = (req->posix_pathnames ? UCF_POSIX_PATHNAMES : 0);
+ uint32_t ucf_flags = ucf_flags_from_smb_request(req);
TALLOC_CTX *ctx = talloc_tos();
START_PROFILE(SMBsetatr);
status = filename_convert(ctx,
conn,
- req->flags2 & FLAGS2_DFS_PATHNAMES,
fname,
ucf_flags,
NULL,
+ NULL,
&smb_fname);
if (!NT_STATUS_IS_OK(status)) {
if (NT_STATUS_EQUAL(status,NT_STATUS_PATH_NOT_COVERED)) {
connection_struct *conn = req->conn;
uint64_t ret;
uint64_t dfree,dsize,bsize;
+ struct smb_filename smb_fname;
START_PROFILE(SMBdskattr);
- ret = get_dfree_info(conn, ".", &bsize, &dfree, &dsize);
+ ZERO_STRUCT(smb_fname);
+ smb_fname.base_name = discard_const_p(char, ".");
+
+ if (SMB_VFS_STAT(conn, &smb_fname) != 0) {
+ reply_nterror(req, map_nt_error_from_unix(errno));
+ DBG_WARNING("stat of . failed (%s)\n", strerror(errno));
+ END_PROFILE(SMBdskattr);
+ return;
+ }
+
+ ret = get_dfree_info(conn, &smb_fname, &bsize, &dfree, &dsize);
if (ret == (uint64_t)-1) {
reply_nterror(req, map_nt_error_from_unix(errno));
END_PROFILE(SMBdskattr);
if (status_len == 0) {
struct smb_filename *smb_dname = NULL;
uint32_t ucf_flags = UCF_ALWAYS_ALLOW_WCARD_LCOMP |
- (req->posix_pathnames ? UCF_POSIX_PATHNAMES : 0);
+ ucf_flags_from_smb_request(req);
nt_status = filename_convert(ctx, conn,
- req->flags2 & FLAGS2_DFS_PATHNAMES,
path,
ucf_flags,
+ NULL,
&mask_contains_wcard,
&smb_fname);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(4,("dptr_num is %d\n",dptr_num));
- /* Initialize per SMBsearch/SMBffirst/SMBfunique operation data */
- dptr_init_search_op(dirptr);
-
if ((dirtype&0x1F) == FILE_ATTRIBUTE_VOLUME) {
char buf[DIR_STRUCT_SIZE];
memcpy(buf,status,21);
uint32_t create_options = 0;
uint32_t private_flags = 0;
NTSTATUS status;
- uint32_t ucf_flags = UCF_PREP_CREATEFILE |
- (req->posix_pathnames ? UCF_POSIX_PATHNAMES : 0);
+ uint32_t ucf_flags;
TALLOC_CTX *ctx = talloc_tos();
START_PROFILE(SMBopen);
goto out;
}
+ ucf_flags = filename_create_ucf_flags(req, create_disposition);
+
status = filename_convert(ctx,
conn,
- req->flags2 & FLAGS2_DFS_PATHNAMES,
fname,
ucf_flags,
NULL,
+ NULL,
&smb_fname);
if (!NT_STATUS_IS_OK(status)) {
if (NT_STATUS_EQUAL(status,NT_STATUS_PATH_NOT_COVERED)) {
uint32_t create_disposition;
uint32_t create_options = 0;
uint32_t private_flags = 0;
- uint32_t ucf_flags = UCF_PREP_CREATEFILE |
- (req->posix_pathnames ? UCF_POSIX_PATHNAMES : 0);
+ uint32_t ucf_flags;
TALLOC_CTX *ctx = talloc_tos();
START_PROFILE(SMBopenX);
goto out;
}
+ ucf_flags = filename_create_ucf_flags(req, create_disposition);
+
status = filename_convert(ctx,
conn,
- req->flags2 & FLAGS2_DFS_PATHNAMES,
fname,
ucf_flags,
NULL,
+ NULL,
&smb_fname);
if (!NT_STATUS_IS_OK(status)) {
if (NT_STATUS_EQUAL(status,NT_STATUS_PATH_NOT_COVERED)) {
uint32_t share_mode = FILE_SHARE_READ|FILE_SHARE_WRITE;
uint32_t create_disposition;
uint32_t create_options = 0;
- uint32_t ucf_flags = UCF_PREP_CREATEFILE |
- (req->posix_pathnames ? UCF_POSIX_PATHNAMES : 0);
+ uint32_t ucf_flags;
TALLOC_CTX *ctx = talloc_tos();
START_PROFILE(SMBcreate);
fattr = SVAL(req->vwv+0, 0);
oplock_request = CORE_OPLOCK_REQUEST(req->inbuf);
+ if (req->cmd == SMBmknew) {
+ /* We should fail if file exists. */
+ create_disposition = FILE_CREATE;
+ } else {
+ /* Create if file doesn't exist, truncate if it does. */
+ create_disposition = FILE_OVERWRITE_IF;
+ }
+
/* mtime. */
ft.mtime = convert_time_t_to_timespec(srv_make_unix_date3(req->vwv+1));
goto out;
}
+ ucf_flags = filename_create_ucf_flags(req, create_disposition);
status = filename_convert(ctx,
conn,
- req->flags2 & FLAGS2_DFS_PATHNAMES,
fname,
ucf_flags,
NULL,
+ NULL,
&smb_fname);
if (!NT_STATUS_IS_OK(status)) {
if (NT_STATUS_EQUAL(status,NT_STATUS_PATH_NOT_COVERED)) {
smb_fname_str_dbg(smb_fname)));
}
- if(req->cmd == SMBmknew) {
- /* We should fail if file exists. */
- create_disposition = FILE_CREATE;
- } else {
- /* Create if file doesn't exist, truncate if it does. */
- create_disposition = FILE_OVERWRITE_IF;
- }
-
status = SMB_VFS_CREATE_FILE(
conn, /* conn */
req, /* req */
char *s;
NTSTATUS status;
int i;
- uint32_t ucf_flags = UCF_PREP_CREATEFILE |
- (req->posix_pathnames ? UCF_POSIX_PATHNAMES : 0);
+ uint32_t ucf_flags;
TALLOC_CTX *ctx = talloc_tos();
START_PROFILE(SMBctemp);
goto out;
}
+ ucf_flags = filename_create_ucf_flags(req, FILE_CREATE);
status = filename_convert(ctx, conn,
- req->flags2 & FLAGS2_DFS_PATHNAMES,
fname,
ucf_flags,
NULL,
+ NULL,
&smb_fname);
if (!NT_STATUS_IS_OK(status)) {
if (NT_STATUS_EQUAL(status,NT_STATUS_PATH_NOT_COVERED)) {
dirtype = FILE_ATTRIBUTE_NORMAL;
}
- status = check_name(conn, smb_fname->base_name);
+ status = check_name(conn, smb_fname);
if (!NT_STATUS_IS_OK(status)) {
goto out;
}
}
}
- status = check_name(conn, fname_dir);
- if (!NT_STATUS_IS_OK(status)) {
- goto out;
- }
-
smb_fname_dir = synthetic_smb_fname(talloc_tos(),
fname_dir,
NULL,
goto out;
}
+ status = check_name(conn, smb_fname_dir);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto out;
+ }
+
dir_hnd = OpenDir(talloc_tos(), conn, smb_fname_dir, fname_mask,
dirtype);
if (dir_hnd == NULL) {
goto out;
}
- status = check_name(conn, smb_fname->base_name);
+ status = check_name(conn, smb_fname);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(dir_hnd);
TALLOC_FREE(frame);
NTSTATUS status;
bool path_contains_wcard = False;
uint32_t ucf_flags = UCF_COND_ALLOW_WCARD_LCOMP |
- (req->posix_pathnames ? UCF_POSIX_PATHNAMES : 0);
+ ucf_flags_from_smb_request(req);
TALLOC_CTX *ctx = talloc_tos();
START_PROFILE(SMBunlink);
}
status = filename_convert(ctx, conn,
- req->flags2 & FLAGS2_DFS_PATHNAMES,
name,
ucf_flags,
+ NULL,
&path_contains_wcard,
&smb_fname);
if (!NT_STATUS_IS_OK(status)) {
(uint64_t)startpos, (uint64_t)maxcount, READ_LOCK,
&lock);
- if (!SMB_VFS_STRICT_LOCK(conn, fsp, &lock)) {
+ if (!SMB_VFS_STRICT_LOCK_CHECK(conn, fsp, &lock)) {
reply_readbraw_error(xconn);
END_PROFILE(SMBreadbraw);
return;
DEBUG(5,("reply_readbraw finished\n"));
- SMB_VFS_STRICT_UNLOCK(conn, fsp, &lock);
-
END_PROFILE(SMBreadbraw);
return;
}
(uint64_t)startpos, (uint64_t)numtoread, READ_LOCK,
&lock);
- if (!SMB_VFS_STRICT_LOCK(conn, fsp, &lock)) {
+ if (!SMB_VFS_STRICT_LOCK_CHECK(conn, fsp, &lock)) {
reply_nterror(req, NT_STATUS_FILE_LOCK_CONFLICT);
END_PROFILE(SMBread);
return;
if (nread < 0) {
reply_nterror(req, map_nt_error_from_unix(errno));
- goto strict_unlock;
+ goto out;
}
srv_set_message((char *)req->outbuf, 5, nread+3, False);
DEBUG(3, ("read %s num=%d nread=%d\n",
fsp_fnum_dbg(fsp), (int)numtoread, (int)nread));
-strict_unlock:
- SMB_VFS_STRICT_UNLOCK(conn, fsp, &lock);
-
+out:
END_PROFILE(SMBread);
return;
}
Setup readX header.
****************************************************************************/
-int setup_readX_header(char *outbuf, size_t smb_maxcnt)
+size_t setup_readX_header(char *outbuf, size_t smb_maxcnt)
{
- int outsize;
+ size_t outsize;
outsize = srv_set_message(outbuf,12,smb_maxcnt + 1 /* padding byte */,
False);
+ 2 /* the buflen field */
+ 1); /* padding byte */
SSVAL(outbuf,smb_vwv7,(smb_maxcnt >> 16));
- SSVAL(outbuf,smb_vwv11,smb_maxcnt);
SCVAL(smb_buf(outbuf), 0, 0); /* padding byte */
/* Reset the outgoing length, set_message truncates at 0x1FFFF. */
_smb_setlen_large(outbuf,
(uint64_t)startpos, (uint64_t)smb_maxcnt, READ_LOCK,
&lock);
- if (!SMB_VFS_STRICT_LOCK(conn, fsp, &lock)) {
+ if (!SMB_VFS_STRICT_LOCK_CHECK(conn, fsp, &lock)) {
reply_nterror(req, NT_STATUS_FILE_LOCK_CONFLICT);
return;
}
if(fsp_stat(fsp) == -1) {
reply_nterror(req, map_nt_error_from_unix(errno));
- goto strict_unlock;
+ goto out;
}
if (!S_ISREG(fsp->fsp_name->st.st_ex_mode) ||
DEBUG(3, ("send_file_readX: fake_sendfile %s max=%d nread=%d\n",
fsp_fnum_dbg(fsp), (int)smb_maxcnt, (int)nread));
/* No outbuf here means successful sendfile. */
- goto strict_unlock;
+ goto out;
}
DEBUG(0,("send_file_readX: sendfile failed for file "
/* No outbuf here means successful sendfile. */
SMB_PERFCOUNT_SET_MSGLEN_OUT(&req->pcd, nread);
SMB_PERFCOUNT_END(&req->pcd);
- goto strict_unlock;
+ goto out;
}
normal_read:
errno = saved_errno;
exit_server_cleanly("send_file_readX: fake_sendfile failed");
}
- goto strict_unlock;
+ goto out;
}
nosendfile_read:
startpos, smb_maxcnt);
saved_errno = errno;
- SMB_VFS_STRICT_UNLOCK(conn, fsp, &lock);
-
if (nread < 0) {
reply_nterror(req, map_nt_error_from_unix(saved_errno));
return;
fsp_fnum_dbg(fsp), (int)smb_maxcnt, (int)nread));
return;
- strict_unlock:
- SMB_VFS_STRICT_UNLOCK(conn, fsp, &lock);
+out:
TALLOC_FREE(req->outbuf);
return;
}
}
/* Ensure we don't write bytes past the end of this packet. */
+ /*
+ * This already protects us against CVE-2017-12163.
+ */
if (data + numtowrite > smb_base(req->inbuf) + smb_len(req->inbuf)) {
reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
error_to_writebrawerr(req);
(uint64_t)startpos, (uint64_t)tcount, WRITE_LOCK,
&lock);
- if (!SMB_VFS_STRICT_LOCK(conn, fsp, &lock)) {
+ if (!SMB_VFS_STRICT_LOCK_CHECK(conn, fsp, &lock)) {
reply_nterror(req, NT_STATUS_FILE_LOCK_CONFLICT);
error_to_writebrawerr(req);
END_PROFILE(SMBwritebraw);
if (nwritten < (ssize_t)numtowrite) {
reply_nterror(req, NT_STATUS_DISK_FULL);
error_to_writebrawerr(req);
- goto strict_unlock;
+ goto out;
}
total_written = nwritten;
if (!buf) {
reply_nterror(req, NT_STATUS_NO_MEMORY);
error_to_writebrawerr(req);
- goto strict_unlock;
+ goto out;
}
/* Return a SMBwritebraw message to the redirector to tell
exit_server_cleanly("secondary writebraw failed");
}
+ /*
+ * We are not vulnerable to CVE-2017-12163
+ * here as we are guarenteed to have numtowrite
+ * bytes available - we just read from the client.
+ */
nwritten = write_file(req,fsp,buf+4,startpos+nwritten,numtowrite);
if (nwritten == -1) {
TALLOC_FREE(buf);
reply_nterror(req, map_nt_error_from_unix(errno));
error_to_writebrawerr(req);
- goto strict_unlock;
+ goto out;
}
if (nwritten < (ssize_t)numtowrite) {
fsp_str_dbg(fsp), nt_errstr(status)));
reply_nterror(req, status);
error_to_writebrawerr(req);
- goto strict_unlock;
+ goto out;
}
DEBUG(3,("reply_writebraw: secondart write %s start=%.0f num=%d "
fsp_fnum_dbg(fsp), (double)startpos, (int)numtowrite,
(int)total_written));
- if (!fsp->print_file) {
- SMB_VFS_STRICT_UNLOCK(conn, fsp, &lock);
- }
-
/* We won't return a status if write through is not selected - this
* follows what WfWg does */
END_PROFILE(SMBwritebraw);
}
return;
-strict_unlock:
- if (!fsp->print_file) {
- SMB_VFS_STRICT_UNLOCK(conn, fsp, &lock);
- }
-
+out:
END_PROFILE(SMBwritebraw);
return;
}
connection_struct *conn = req->conn;
ssize_t nwritten = -1;
size_t numtowrite;
+ size_t remaining;
off_t startpos;
const char *data;
NTSTATUS status = NT_STATUS_OK;
startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0);
data = (const char *)req->buf + 3;
+ /*
+ * Ensure client isn't asking us to write more than
+ * they sent. CVE-2017-12163.
+ */
+ remaining = smbreq_bufrem(req, data);
+ if (numtowrite > remaining) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ END_PROFILE(SMBwriteunlock);
+ return;
+ }
+
if (!fsp->print_file && numtowrite > 0) {
init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
(uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
&lock);
- if (!SMB_VFS_STRICT_LOCK(conn, fsp, &lock)) {
+ if (!SMB_VFS_STRICT_LOCK_CHECK(conn, fsp, &lock)) {
reply_nterror(req, NT_STATUS_FILE_LOCK_CONFLICT);
END_PROFILE(SMBwriteunlock);
return;
DEBUG(5,("reply_writeunlock: sync_file for %s returned %s\n",
fsp_str_dbg(fsp), nt_errstr(status)));
reply_nterror(req, status);
- goto strict_unlock;
+ goto out;
}
if(nwritten < 0) {
reply_nterror(req, map_nt_error_from_unix(saved_errno));
- goto strict_unlock;
+ goto out;
}
if((nwritten < numtowrite) && (numtowrite != 0)) {
reply_nterror(req, NT_STATUS_DISK_FULL);
- goto strict_unlock;
+ goto out;
}
if (numtowrite && !fsp->print_file) {
if (NT_STATUS_V(status)) {
reply_nterror(req, status);
- goto strict_unlock;
+ goto out;
}
}
DEBUG(3, ("writeunlock %s num=%d wrote=%d\n",
fsp_fnum_dbg(fsp), (int)numtowrite, (int)nwritten));
-strict_unlock:
- if (numtowrite && !fsp->print_file) {
- SMB_VFS_STRICT_UNLOCK(conn, fsp, &lock);
- }
-
+out:
END_PROFILE(SMBwriteunlock);
return;
}
{
connection_struct *conn = req->conn;
size_t numtowrite;
+ size_t remaining;
ssize_t nwritten = -1;
off_t startpos;
const char *data;
startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0);
data = (const char *)req->buf + 3;
+ /*
+ * Ensure client isn't asking us to write more than
+ * they sent. CVE-2017-12163.
+ */
+ remaining = smbreq_bufrem(req, data);
+ if (numtowrite > remaining) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ END_PROFILE(SMBwrite);
+ return;
+ }
+
if (!fsp->print_file) {
init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
(uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
&lock);
- if (!SMB_VFS_STRICT_LOCK(conn, fsp, &lock)) {
+ if (!SMB_VFS_STRICT_LOCK_CHECK(conn, fsp, &lock)) {
reply_nterror(req, NT_STATUS_FILE_LOCK_CONFLICT);
END_PROFILE(SMBwrite);
return;
nwritten = vfs_allocate_file_space(fsp, (off_t)startpos);
if (nwritten < 0) {
reply_nterror(req, NT_STATUS_DISK_FULL);
- goto strict_unlock;
+ goto out;
}
nwritten = vfs_set_filelen(fsp, (off_t)startpos);
if (nwritten < 0) {
reply_nterror(req, NT_STATUS_DISK_FULL);
- goto strict_unlock;
+ goto out;
}
trigger_write_time_update_immediate(fsp);
} else {
DEBUG(5,("reply_write: sync_file for %s returned %s\n",
fsp_str_dbg(fsp), nt_errstr(status)));
reply_nterror(req, status);
- goto strict_unlock;
+ goto out;
}
if(nwritten < 0) {
reply_nterror(req, map_nt_error_from_unix(saved_errno));
- goto strict_unlock;
+ goto out;
}
if((nwritten == 0) && (numtowrite != 0)) {
reply_nterror(req, NT_STATUS_DISK_FULL);
- goto strict_unlock;
+ goto out;
}
reply_outbuf(req, 1, 0);
DEBUG(3, ("write %s num=%d wrote=%d\n", fsp_fnum_dbg(fsp), (int)numtowrite, (int)nwritten));
-strict_unlock:
- if (!fsp->print_file) {
- SMB_VFS_STRICT_UNLOCK(conn, fsp, &lock);
- }
-
+out:
END_PROFILE(SMBwrite);
return;
}
goto out;
}
} else {
+ /*
+ * This already protects us against CVE-2017-12163.
+ */
if (smb_doff > smblen || smb_doff + numtowrite < numtowrite ||
smb_doff + numtowrite > smblen) {
reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
(uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
&lock);
- if (!SMB_VFS_STRICT_LOCK(conn, fsp, &lock)) {
+ if (!SMB_VFS_STRICT_LOCK_CHECK(conn, fsp, &lock)) {
reply_nterror(req, NT_STATUS_FILE_LOCK_CONFLICT);
goto out;
}
nwritten = write_file(req,fsp,data,startpos,numtowrite);
saved_errno = errno;
-
- SMB_VFS_STRICT_UNLOCK(conn, fsp, &lock);
}
if(nwritten < 0) {
return;
}
+static struct files_struct *file_sync_one_fn(struct files_struct *fsp,
+ void *private_data)
+{
+ connection_struct *conn = talloc_get_type_abort(
+ private_data, connection_struct);
+
+ if (conn != fsp->conn) {
+ return NULL;
+ }
+ if (fsp->fh->fd == -1) {
+ return NULL;
+ }
+ sync_file(conn, fsp, True /* write through */);
+
+ return NULL;
+}
+
/****************************************************************************
Reply to a flush.
****************************************************************************/
}
if (!fsp) {
- file_sync_all(conn);
+ files_forall(req->sconn, file_sync_one_fn, conn);
} else {
NTSTATUS status = sync_file(conn, fsp, True);
if (!NT_STATUS_IS_OK(status)) {
*/
fsp->deferred_close = tevent_wait_send(
- fsp, fsp->conn->sconn->ev_ctx);
+ fsp, req->ev_ctx);
if (fsp->deferred_close == NULL) {
status = NT_STATUS_NO_MEMORY;
goto done;
{
connection_struct *conn = req->conn;
size_t numtowrite;
+ size_t remaining;
ssize_t nwritten = -1;
NTSTATUS close_status = NT_STATUS_OK;
off_t startpos;
mtime = convert_time_t_to_timespec(srv_make_unix_date3(req->vwv+4));
data = (const char *)req->buf + 1;
+ /*
+ * Ensure client isn't asking us to write more than
+ * they sent. CVE-2017-12163.
+ */
+ remaining = smbreq_bufrem(req, data);
+ if (numtowrite > remaining) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ END_PROFILE(SMBwriteclose);
+ return;
+ }
+
if (fsp->print_file == NULL) {
init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
(uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
&lock);
- if (!SMB_VFS_STRICT_LOCK(conn, fsp, &lock)) {
+ if (!SMB_VFS_STRICT_LOCK_CHECK(conn, fsp, &lock)) {
reply_nterror(req, NT_STATUS_FILE_LOCK_CONFLICT);
END_PROFILE(SMBwriteclose);
return;
nwritten = write_file(req,fsp,data,startpos,numtowrite);
- if (fsp->print_file == NULL) {
- SMB_VFS_STRICT_UNLOCK(conn, fsp, &lock);
- }
-
set_close_write_time(fsp, mtime);
/*
ZERO_STRUCT(handle);
- status = rpc_pipe_open_interface(conn,
+ status = rpc_pipe_open_interface(mem_ctx,
&ndr_table_spoolss,
conn->session_info,
conn->sconn->remote_address,
+ conn->sconn->local_address,
conn->sconn->msg_ctx,
&cli);
if (!NT_STATUS_IS_OK(status)) {
numtowrite = SVAL(req->buf, 1);
+ /*
+ * This already protects us against CVE-2017-12163.
+ */
if (req->buflen < numtowrite + 3) {
reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
END_PROFILE(SMBsplwr);
struct smb_filename *smb_dname = NULL;
char *directory = NULL;
NTSTATUS status;
- uint32_t ucf_flags = UCF_PREP_CREATEFILE |
- (req->posix_pathnames ? UCF_POSIX_PATHNAMES : 0);
+ uint32_t ucf_flags;
TALLOC_CTX *ctx = talloc_tos();
START_PROFILE(SMBmkdir);
goto out;
}
+ ucf_flags = filename_create_ucf_flags(req, FILE_CREATE);
status = filename_convert(ctx, conn,
- req->flags2 & FLAGS2_DFS_PATHNAMES,
directory,
ucf_flags,
NULL,
+ NULL,
&smb_dname);
if (!NT_STATUS_IS_OK(status)) {
if (NT_STATUS_EQUAL(status,NT_STATUS_PATH_NOT_COVERED)) {
TALLOC_CTX *ctx = talloc_tos();
files_struct *fsp = NULL;
int info = 0;
- uint32_t ucf_flags = (req->posix_pathnames ? UCF_POSIX_PATHNAMES : 0);
+ uint32_t ucf_flags = ucf_flags_from_smb_request(req);
struct smbd_server_connection *sconn = req->sconn;
START_PROFILE(SMBrmdir);
}
status = filename_convert(ctx, conn,
- req->flags2 & FLAGS2_DFS_PATHNAMES,
directory,
ucf_flags,
NULL,
+ NULL,
&smb_dname);
if (!NT_STATUS_IS_OK(status)) {
if (NT_STATUS_EQUAL(status,NT_STATUS_PATH_NOT_COVERED)) {
struct smb_filename *smb_fname_dst = NULL;
NTSTATUS status = NT_STATUS_OK;
struct share_mode_lock *lck = NULL;
+ uint32_t access_mask = SEC_DIR_ADD_FILE;
bool dst_exists, old_is_stream, new_is_stream;
- status = check_name(conn, smb_fname_dst_in->base_name);
+ status = check_name(conn, smb_fname_dst_in);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
return status;
}
+ if (file_has_open_streams(fsp)) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
/* Make a copy of the dst smb_fname structs */
smb_fname_dst = cp_smb_filename(ctx, smb_fname_dst_in);
if (rename_path_prefix_equal(fsp->fsp_name, smb_fname_dst)) {
status = NT_STATUS_ACCESS_DENIED;
+ goto out;
+ }
+
+ /* Do we have rights to move into the destination ? */
+ if (S_ISDIR(fsp->fsp_name->st.st_ex_mode)) {
+ /* We're moving a directory. */
+ access_mask = SEC_DIR_ADD_SUBDIR;
+ }
+ status = check_parent_access(conn,
+ smb_fname_dst,
+ access_mask);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_INFO("check_parent_access on "
+ "dst %s returned %s\n",
+ smb_fname_str_dbg(smb_fname_dst),
+ nt_errstr(status));
+ goto out;
}
lck = get_existing_share_mode_lock(talloc_tos(), fsp->file_id);
status = can_set_delete_on_close(fsp, 0);
if (NT_STATUS_IS_OK(status)) {
- /* Note that here we set the *inital* delete on close flag,
+ /* Note that here we set the *initial* delete on close flag,
* not the regular one. The magic gets handled in close. */
fsp->initial_delete_on_close = True;
}
}
}
- status = check_name(conn, fname_src_dir);
- if (!NT_STATUS_IS_OK(status)) {
- goto out;
- }
-
smb_fname_src_dir = synthetic_smb_fname(talloc_tos(),
fname_src_dir,
NULL,
goto out;
}
+ status = check_name(conn, smb_fname_src_dir);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto out;
+ }
+
dir_hnd = OpenDir(talloc_tos(), conn, smb_fname_src_dir, fname_src_mask,
attrs);
if (dir_hnd == NULL) {
TALLOC_CTX *ctx = talloc_tos();
struct smb_filename *smb_fname_src = NULL;
struct smb_filename *smb_fname_dst = NULL;
- uint32_t src_ucf_flags = (req->posix_pathnames ?
- (UCF_UNIX_NAME_LOOKUP|UCF_POSIX_PATHNAMES) :
- UCF_COND_ALLOW_WCARD_LCOMP);
- uint32_t dst_ucf_flags = UCF_SAVE_LCOMP |
- (req->posix_pathnames ? UCF_POSIX_PATHNAMES :
- UCF_COND_ALLOW_WCARD_LCOMP);
+ uint32_t src_ucf_flags = ucf_flags_from_smb_request(req) |
+ (req->posix_pathnames ?
+ UCF_UNIX_NAME_LOOKUP :
+ UCF_COND_ALLOW_WCARD_LCOMP);
+ uint32_t dst_ucf_flags = ucf_flags_from_smb_request(req) |
+ UCF_SAVE_LCOMP |
+ (req->posix_pathnames ?
+ 0 :
+ UCF_COND_ALLOW_WCARD_LCOMP);
bool stream_rename = false;
START_PROFILE(SMBmv);
status = filename_convert(ctx,
conn,
- req->flags2 & FLAGS2_DFS_PATHNAMES,
name,
src_ucf_flags,
+ NULL,
&src_has_wcard,
&smb_fname_src);
status = filename_convert(ctx,
conn,
- req->flags2 & FLAGS2_DFS_PATHNAMES,
newname,
dst_ucf_flags,
+ NULL,
&dest_has_wcard,
&smb_fname_dst);
bool dest_has_wild = False;
NTSTATUS status;
uint32_t ucf_flags_src = UCF_COND_ALLOW_WCARD_LCOMP |
- (req->posix_pathnames ? UCF_POSIX_PATHNAMES : 0);
+ ucf_flags_from_smb_request(req);
uint32_t ucf_flags_dst = UCF_COND_ALLOW_WCARD_LCOMP |
- (req->posix_pathnames ? UCF_POSIX_PATHNAMES : 0);
+ ucf_flags_from_smb_request(req);
TALLOC_CTX *ctx = talloc_tos();
START_PROFILE(SMBcopy);
}
status = filename_convert(ctx, conn,
- req->flags2 & FLAGS2_DFS_PATHNAMES,
fname_src,
ucf_flags_src,
+ NULL,
&source_has_wild,
&smb_fname_src);
if (!NT_STATUS_IS_OK(status)) {
}
status = filename_convert(ctx, conn,
- req->flags2 & FLAGS2_DFS_PATHNAMES,
fname_dst,
ucf_flags_dst,
+ NULL,
&dest_has_wild,
&smb_fname_dst);
if (!NT_STATUS_IS_OK(status)) {
smb_fname_dst->base_name = fname_dst_mod;
}
- status = check_name(conn, smb_fname_src->base_name);
+ status = check_name(conn, smb_fname_src);
if (!NT_STATUS_IS_OK(status)) {
reply_nterror(req, status);
goto out;
}
- status = check_name(conn, smb_fname_dst->base_name);
+ status = check_name(conn, smb_fname_dst);
if (!NT_STATUS_IS_OK(status)) {
reply_nterror(req, status);
goto out;
}
}
- status = check_name(conn, fname_src_dir);
- if (!NT_STATUS_IS_OK(status)) {
- reply_nterror(req, status);
- goto out;
- }
-
smb_fname_src_dir = synthetic_smb_fname(talloc_tos(),
fname_src_dir,
NULL,
goto out;
}
+ status = check_name(conn, smb_fname_src_dir);
+ if (!NT_STATUS_IS_OK(status)) {
+ reply_nterror(req, status);
+ goto out;
+ }
+
dir_hnd = OpenDir(ctx,
conn,
smb_fname_src_dir,
TALLOC_FREE(smb_fname_dst->base_name);
smb_fname_dst->base_name = destname;
- status = check_name(conn, smb_fname_src->base_name);
+ status = check_name(conn, smb_fname_src);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(dir_hnd);
TALLOC_FREE(talloced);
goto out;
}
- status = check_name(conn, smb_fname_dst->base_name);
+ status = check_name(conn, smb_fname_dst);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(dir_hnd);
TALLOC_FREE(talloced);