Fix spelling mistakes

[bbaumbach/samba-autobuild/.git] / source3 / smbd / reply.c

diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index 6acbaca416548b8af218bcde6f740fc67e45f5cc..f2617fab3b3719ceb748d1d870e329a09cdd149d 100644 (file)
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -25,6 +25,7 @@
 */
 
 #include "includes.h"
+#include "libsmb/namequery.h"
 #include "system/filesys.h"
 #include "printing.h"
 #include "smbd/smbd.h"
@@ -32,7 +33,6 @@
 #include "fake_file.h"
 #include "rpc_client/rpc_client.h"
 #include "../librpc/gen_ndr/ndr_spoolss_c.h"
-#include "../librpc/gen_ndr/open_files.h"
 #include "rpc_client/cli_spoolss.h"
 #include "rpc_client/init_spoolss.h"
 #include "rpc_server/rpc_ncacn_np.h"
@@ -190,16 +190,16 @@ static NTSTATUS check_path_syntax_internal(char *path,
                        switch(siz) {
                                case 5:
                                        *d++ = *s++;
-                                       /*fall through*/
+                                       FALL_THROUGH;
                                case 4:
                                        *d++ = *s++;
-                                       /*fall through*/
+                                       FALL_THROUGH;
                                case 3:
                                        *d++ = *s++;
-                                       /*fall through*/
+                                       FALL_THROUGH;
                                case 2:
                                        *d++ = *s++;
-                                       /*fall through*/
+                                       FALL_THROUGH;
                                case 1:
                                        *d++ = *s++;
                                        break;
@@ -779,7 +779,9 @@ void reply_special(struct smbXsrv_connection *xconn, char *inbuf, size_t inbuf_s
        DEBUG(5,("init msg_type=0x%x msg_flags=0x%x\n",
                    msg_type, msg_flags));
 
-       srv_send_smb(xconn, outbuf, false, 0, false, NULL);
+       if (!srv_send_smb(xconn, outbuf, false, 0, false, NULL)) {
+               exit_server_cleanly("reply_special: srv_send_smb failed.");
+       }
 
        if (CVAL(outbuf, 0) != 0x82) {
                exit_server_cleanly("invalid netbios session");
@@ -867,7 +869,7 @@ void reply_tcon_and_X(struct smb_request *req)
        connection_struct *conn = req->conn;
        const char *service = NULL;
        TALLOC_CTX *ctx = talloc_tos();
-       /* what the cleint thinks the device is */
+       /* what the client thinks the device is */
        char *client_devicetype = NULL;
        /* what the server tells the client the share represents */
        const char *server_devicetype;
@@ -921,6 +923,11 @@ void reply_tcon_and_X(struct smb_request *req)
                }
 
                TALLOC_FREE(tcon);
+               /*
+                * This tree id is gone. Make sure we can't re-use it
+                * by accident.
+                */
+               req->tid = 0;
        }
 
        if ((passlen > MAX_PASS_LEN) || (passlen >= req->buflen)) {
@@ -1276,7 +1283,7 @@ void reply_checkpath(struct smb_request *req)
        struct smb_filename *smb_fname = NULL;
        char *name = NULL;
        NTSTATUS status;
-       uint32_t ucf_flags = (req->posix_pathnames ? UCF_POSIX_PATHNAMES : 0);
+       uint32_t ucf_flags = ucf_flags_from_smb_request(req);
        TALLOC_CTX *ctx = talloc_tos();
 
        START_PROFILE(SMBcheckpath);
@@ -1295,10 +1302,10 @@ void reply_checkpath(struct smb_request *req)
 
        status = filename_convert(ctx,
                                conn,
-                               req->flags2 & FLAGS2_DFS_PATHNAMES,
                                name,
                                ucf_flags,
                                NULL,
+                               NULL,
                                &smb_fname);
 
        if (!NT_STATUS_IS_OK(status)) {
@@ -1391,14 +1398,13 @@ void reply_getatr(struct smb_request *req)
                size = 0;
                mtime = 0;
        } else {
-               uint32_t ucf_flags = (req->posix_pathnames ?
-                               UCF_POSIX_PATHNAMES : 0);
+               uint32_t ucf_flags = ucf_flags_from_smb_request(req);
                status = filename_convert(ctx,
                                conn,
-                               req->flags2 & FLAGS2_DFS_PATHNAMES,
                                fname,
                                ucf_flags,
                                NULL,
+                               NULL,
                                &smb_fname);
                if (!NT_STATUS_IS_OK(status)) {
                        if (NT_STATUS_EQUAL(status,NT_STATUS_PATH_NOT_COVERED)) {
@@ -1478,7 +1484,7 @@ void reply_setatr(struct smb_request *req)
        time_t mtime;
        const char *p;
        NTSTATUS status;
-       uint32_t ucf_flags = (req->posix_pathnames ? UCF_POSIX_PATHNAMES : 0);
+       uint32_t ucf_flags = ucf_flags_from_smb_request(req);
        TALLOC_CTX *ctx = talloc_tos();
 
        START_PROFILE(SMBsetatr);
@@ -1499,10 +1505,10 @@ void reply_setatr(struct smb_request *req)
 
        status = filename_convert(ctx,
                                conn,
-                               req->flags2 & FLAGS2_DFS_PATHNAMES,
                                fname,
                                ucf_flags,
                                NULL,
+                               NULL,
                                &smb_fname);
        if (!NT_STATUS_IS_OK(status)) {
                if (NT_STATUS_EQUAL(status,NT_STATUS_PATH_NOT_COVERED)) {
@@ -1796,11 +1802,11 @@ void reply_search(struct smb_request *req)
        if (status_len == 0) {
                struct smb_filename *smb_dname = NULL;
                uint32_t ucf_flags = UCF_ALWAYS_ALLOW_WCARD_LCOMP |
-                       (req->posix_pathnames ? UCF_POSIX_PATHNAMES : 0);
+                       ucf_flags_from_smb_request(req);
                nt_status = filename_convert(ctx, conn,
-                                            req->flags2 & FLAGS2_DFS_PATHNAMES,
                                             path,
                                             ucf_flags,
+                                            NULL,
                                             &mask_contains_wcard,
                                             &smb_fname);
                if (!NT_STATUS_IS_OK(nt_status)) {
@@ -1899,9 +1905,6 @@ void reply_search(struct smb_request *req)
 
        DEBUG(4,("dptr_num is %d\n",dptr_num));
 
-       /* Initialize per SMBsearch/SMBffirst/SMBfunique operation data */
-       dptr_init_search_op(dirptr);
-
        if ((dirtype&0x1F) == FILE_ATTRIBUTE_VOLUME) {
                char buf[DIR_STRUCT_SIZE];
                memcpy(buf,status,21);
@@ -2144,10 +2147,10 @@ void reply_open(struct smb_request *req)
 
        status = filename_convert(ctx,
                                conn,
-                               req->flags2 & FLAGS2_DFS_PATHNAMES,
                                fname,
                                ucf_flags,
                                NULL,
+                               NULL,
                                &smb_fname);
        if (!NT_STATUS_IS_OK(status)) {
                if (NT_STATUS_EQUAL(status,NT_STATUS_PATH_NOT_COVERED)) {
@@ -2317,10 +2320,10 @@ void reply_open_and_X(struct smb_request *req)
 
        status = filename_convert(ctx,
                                conn,
-                               req->flags2 & FLAGS2_DFS_PATHNAMES,
                                fname,
                                ucf_flags,
                                NULL,
+                               NULL,
                                &smb_fname);
        if (!NT_STATUS_IS_OK(status)) {
                if (NT_STATUS_EQUAL(status,NT_STATUS_PATH_NOT_COVERED)) {
@@ -2562,10 +2565,10 @@ void reply_mknew(struct smb_request *req)
        ucf_flags = filename_create_ucf_flags(req, create_disposition);
        status = filename_convert(ctx,
                                conn,
-                               req->flags2 & FLAGS2_DFS_PATHNAMES,
                                fname,
                                ucf_flags,
                                NULL,
+                               NULL,
                                &smb_fname);
        if (!NT_STATUS_IS_OK(status)) {
                if (NT_STATUS_EQUAL(status,NT_STATUS_PATH_NOT_COVERED)) {
@@ -2699,10 +2702,10 @@ void reply_ctemp(struct smb_request *req)
 
                ucf_flags = filename_create_ucf_flags(req, FILE_CREATE);
                status = filename_convert(ctx, conn,
-                               req->flags2 & FLAGS2_DFS_PATHNAMES,
                                fname,
                                ucf_flags,
                                NULL,
+                               NULL,
                                &smb_fname);
                if (!NT_STATUS_IS_OK(status)) {
                        if (NT_STATUS_EQUAL(status,NT_STATUS_PATH_NOT_COVERED)) {
@@ -3060,7 +3063,7 @@ NTSTATUS unlink_internals(connection_struct *conn, struct smb_request *req,
                        dirtype = FILE_ATTRIBUTE_NORMAL;
                }
 
-               status = check_name(conn, smb_fname->base_name);
+               status = check_name(conn, smb_fname);
                if (!NT_STATUS_IS_OK(status)) {
                        goto out;
                }
@@ -3094,11 +3097,6 @@ NTSTATUS unlink_internals(connection_struct *conn, struct smb_request *req,
                        }
                }
 
-               status = check_name(conn, fname_dir);
-               if (!NT_STATUS_IS_OK(status)) {
-                       goto out;
-               }
-
                smb_fname_dir = synthetic_smb_fname(talloc_tos(),
                                        fname_dir,
                                        NULL,
@@ -3109,6 +3107,11 @@ NTSTATUS unlink_internals(connection_struct *conn, struct smb_request *req,
                        goto out;
                }
 
+               status = check_name(conn, smb_fname_dir);
+               if (!NT_STATUS_IS_OK(status)) {
+                       goto out;
+               }
+
                dir_hnd = OpenDir(talloc_tos(), conn, smb_fname_dir, fname_mask,
                                  dirtype);
                if (dir_hnd == NULL) {
@@ -3168,7 +3171,7 @@ NTSTATUS unlink_internals(connection_struct *conn, struct smb_request *req,
                                goto out;
                        }
 
-                       status = check_name(conn, smb_fname->base_name);
+                       status = check_name(conn, smb_fname);
                        if (!NT_STATUS_IS_OK(status)) {
                                TALLOC_FREE(dir_hnd);
                                TALLOC_FREE(frame);
@@ -3218,7 +3221,7 @@ void reply_unlink(struct smb_request *req)
        NTSTATUS status;
        bool path_contains_wcard = False;
        uint32_t ucf_flags = UCF_COND_ALLOW_WCARD_LCOMP |
-                       (req->posix_pathnames ? UCF_POSIX_PATHNAMES : 0);
+                       ucf_flags_from_smb_request(req);
        TALLOC_CTX *ctx = talloc_tos();
 
        START_PROFILE(SMBunlink);
@@ -3239,9 +3242,9 @@ void reply_unlink(struct smb_request *req)
        }
 
        status = filename_convert(ctx, conn,
-                                 req->flags2 & FLAGS2_DFS_PATHNAMES,
                                  name,
                                  ucf_flags,
+                                 NULL,
                                  &path_contains_wcard,
                                  &smb_fname);
        if (!NT_STATUS_IS_OK(status)) {
@@ -3687,7 +3690,7 @@ void reply_readbraw(struct smb_request *req)
            (uint64_t)startpos, (uint64_t)maxcount, READ_LOCK,
            &lock);
 
-       if (!SMB_VFS_STRICT_LOCK(conn, fsp, &lock)) {
+       if (!SMB_VFS_STRICT_LOCK_CHECK(conn, fsp, &lock)) {
                reply_readbraw_error(xconn);
                END_PROFILE(SMBreadbraw);
                return;
@@ -3719,8 +3722,6 @@ void reply_readbraw(struct smb_request *req)
 
        DEBUG(5,("reply_readbraw finished\n"));
 
-       SMB_VFS_STRICT_UNLOCK(conn, fsp, &lock);
-
        END_PROFILE(SMBreadbraw);
        return;
 }
@@ -3900,7 +3901,7 @@ Returning short read of maximum allowed for compatibility with Windows 2000.\n",
            (uint64_t)startpos, (uint64_t)numtoread, READ_LOCK,
            &lock);
 
-       if (!SMB_VFS_STRICT_LOCK(conn, fsp, &lock)) {
+       if (!SMB_VFS_STRICT_LOCK_CHECK(conn, fsp, &lock)) {
                reply_nterror(req, NT_STATUS_FILE_LOCK_CONFLICT);
                END_PROFILE(SMBread);
                return;
@@ -3911,7 +3912,7 @@ Returning short read of maximum allowed for compatibility with Windows 2000.\n",
 
        if (nread < 0) {
                reply_nterror(req, map_nt_error_from_unix(errno));
-               goto strict_unlock;
+               goto out;
        }
 
        srv_set_message((char *)req->outbuf, 5, nread+3, False);
@@ -3924,9 +3925,7 @@ Returning short read of maximum allowed for compatibility with Windows 2000.\n",
        DEBUG(3, ("read %s num=%d nread=%d\n",
                  fsp_fnum_dbg(fsp), (int)numtoread, (int)nread));
 
-strict_unlock:
-       SMB_VFS_STRICT_UNLOCK(conn, fsp, &lock);
-
+out:
        END_PROFILE(SMBread);
        return;
 }
@@ -3935,9 +3934,9 @@ strict_unlock:
  Setup readX header.
 ****************************************************************************/
 
-int setup_readX_header(char *outbuf, size_t smb_maxcnt)
+size_t setup_readX_header(char *outbuf, size_t smb_maxcnt)
 {
-       int outsize;
+       size_t outsize;
 
        outsize = srv_set_message(outbuf,12,smb_maxcnt + 1 /* padding byte */,
                                  False);
@@ -3978,7 +3977,7 @@ static void send_file_readX(connection_struct *conn, struct smb_request *req,
            (uint64_t)startpos, (uint64_t)smb_maxcnt, READ_LOCK,
            &lock);
 
-       if (!SMB_VFS_STRICT_LOCK(conn, fsp, &lock)) {
+       if (!SMB_VFS_STRICT_LOCK_CHECK(conn, fsp, &lock)) {
                reply_nterror(req, NT_STATUS_FILE_LOCK_CONFLICT);
                return;
        }
@@ -3999,7 +3998,7 @@ static void send_file_readX(connection_struct *conn, struct smb_request *req,
 
                if(fsp_stat(fsp) == -1) {
                        reply_nterror(req, map_nt_error_from_unix(errno));
-                       goto strict_unlock;
+                       goto out;
                }
 
                if (!S_ISREG(fsp->fsp_name->st.st_ex_mode) ||
@@ -4061,7 +4060,7 @@ static void send_file_readX(connection_struct *conn, struct smb_request *req,
                                DEBUG(3, ("send_file_readX: fake_sendfile %s max=%d nread=%d\n",
                                          fsp_fnum_dbg(fsp), (int)smb_maxcnt, (int)nread));
                                /* No outbuf here means successful sendfile. */
-                               goto strict_unlock;
+                               goto out;
                        }
 
                        DEBUG(0,("send_file_readX: sendfile failed for file "
@@ -4102,7 +4101,7 @@ static void send_file_readX(connection_struct *conn, struct smb_request *req,
                /* No outbuf here means successful sendfile. */
                SMB_PERFCOUNT_SET_MSGLEN_OUT(&req->pcd, nread);
                SMB_PERFCOUNT_END(&req->pcd);
-               goto strict_unlock;
+               goto out;
        }
 
 normal_read:
@@ -4152,7 +4151,7 @@ normal_read:
                        errno = saved_errno;
                        exit_server_cleanly("send_file_readX: fake_sendfile failed");
                }
-               goto strict_unlock;
+               goto out;
        }
 
 nosendfile_read:
@@ -4165,8 +4164,6 @@ nosendfile_read:
                          startpos, smb_maxcnt);
        saved_errno = errno;
 
-       SMB_VFS_STRICT_UNLOCK(conn, fsp, &lock);
-
        if (nread < 0) {
                reply_nterror(req, map_nt_error_from_unix(saved_errno));
                return;
@@ -4178,8 +4175,7 @@ nosendfile_read:
                  fsp_fnum_dbg(fsp), (int)smb_maxcnt, (int)nread));
        return;
 
- strict_unlock:
-       SMB_VFS_STRICT_UNLOCK(conn, fsp, &lock);
+out:
        TALLOC_FREE(req->outbuf);
        return;
 }
@@ -4489,6 +4485,9 @@ void reply_writebraw(struct smb_request *req)
        }
 
        /* Ensure we don't write bytes past the end of this packet. */
+       /*
+        * This already protects us against CVE-2017-12163.
+        */
        if (data + numtowrite > smb_base(req->inbuf) + smb_len(req->inbuf)) {
                reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
                error_to_writebrawerr(req);
@@ -4501,7 +4500,7 @@ void reply_writebraw(struct smb_request *req)
                    (uint64_t)startpos, (uint64_t)tcount, WRITE_LOCK,
                    &lock);
 
-               if (!SMB_VFS_STRICT_LOCK(conn, fsp, &lock)) {
+               if (!SMB_VFS_STRICT_LOCK_CHECK(conn, fsp, &lock)) {
                        reply_nterror(req, NT_STATUS_FILE_LOCK_CONFLICT);
                        error_to_writebrawerr(req);
                        END_PROFILE(SMBwritebraw);
@@ -4521,7 +4520,7 @@ void reply_writebraw(struct smb_request *req)
        if (nwritten < (ssize_t)numtowrite)  {
                reply_nterror(req, NT_STATUS_DISK_FULL);
                error_to_writebrawerr(req);
-               goto strict_unlock;
+               goto out;
        }
 
        total_written = nwritten;
@@ -4531,7 +4530,7 @@ void reply_writebraw(struct smb_request *req)
        if (!buf) {
                reply_nterror(req, NT_STATUS_NO_MEMORY);
                error_to_writebrawerr(req);
-               goto strict_unlock;
+               goto out;
        }
 
        /* Return a SMBwritebraw message to the redirector to tell
@@ -4589,12 +4588,17 @@ void reply_writebraw(struct smb_request *req)
                        exit_server_cleanly("secondary writebraw failed");
                }
 
+               /*
+                * We are not vulnerable to CVE-2017-12163
+                * here as we are guarenteed to have numtowrite
+                * bytes available - we just read from the client.
+                */
                nwritten = write_file(req,fsp,buf+4,startpos+nwritten,numtowrite);
                if (nwritten == -1) {
                        TALLOC_FREE(buf);
                        reply_nterror(req, map_nt_error_from_unix(errno));
                        error_to_writebrawerr(req);
-                       goto strict_unlock;
+                       goto out;
                }
 
                if (nwritten < (ssize_t)numtowrite) {
@@ -4616,7 +4620,7 @@ void reply_writebraw(struct smb_request *req)
                         fsp_str_dbg(fsp), nt_errstr(status)));
                reply_nterror(req, status);
                error_to_writebrawerr(req);
-               goto strict_unlock;
+               goto out;
        }
 
        DEBUG(3,("reply_writebraw: secondart write %s start=%.0f num=%d "
@@ -4624,10 +4628,6 @@ void reply_writebraw(struct smb_request *req)
                fsp_fnum_dbg(fsp), (double)startpos, (int)numtowrite,
                (int)total_written));
 
-       if (!fsp->print_file) {
-               SMB_VFS_STRICT_UNLOCK(conn, fsp, &lock);
-       }
-
        /* We won't return a status if write through is not selected - this
         * follows what WfWg does */
        END_PROFILE(SMBwritebraw);
@@ -4649,11 +4649,7 @@ void reply_writebraw(struct smb_request *req)
        }
        return;
 
-strict_unlock:
-       if (!fsp->print_file) {
-               SMB_VFS_STRICT_UNLOCK(conn, fsp, &lock);
-       }
-
+out:
        END_PROFILE(SMBwritebraw);
        return;
 }
@@ -4670,6 +4666,7 @@ void reply_writeunlock(struct smb_request *req)
        connection_struct *conn = req->conn;
        ssize_t nwritten = -1;
        size_t numtowrite;
+       size_t remaining;
        off_t startpos;
        const char *data;
        NTSTATUS status = NT_STATUS_OK;
@@ -4702,12 +4699,23 @@ void reply_writeunlock(struct smb_request *req)
        startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0);
        data = (const char *)req->buf + 3;
 
+       /*
+        * Ensure client isn't asking us to write more than
+        * they sent. CVE-2017-12163.
+        */
+       remaining = smbreq_bufrem(req, data);
+       if (numtowrite > remaining) {
+               reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+               END_PROFILE(SMBwriteunlock);
+               return;
+       }
+
        if (!fsp->print_file && numtowrite > 0) {
                init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
                    (uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
                    &lock);
 
-               if (!SMB_VFS_STRICT_LOCK(conn, fsp, &lock)) {
+               if (!SMB_VFS_STRICT_LOCK_CHECK(conn, fsp, &lock)) {
                        reply_nterror(req, NT_STATUS_FILE_LOCK_CONFLICT);
                        END_PROFILE(SMBwriteunlock);
                        return;
@@ -4729,17 +4737,17 @@ void reply_writeunlock(struct smb_request *req)
                DEBUG(5,("reply_writeunlock: sync_file for %s returned %s\n",
                         fsp_str_dbg(fsp), nt_errstr(status)));
                reply_nterror(req, status);
-               goto strict_unlock;
+               goto out;
        }
 
        if(nwritten < 0) {
                reply_nterror(req, map_nt_error_from_unix(saved_errno));
-               goto strict_unlock;
+               goto out;
        }
 
        if((nwritten < numtowrite) && (numtowrite != 0)) {
                reply_nterror(req, NT_STATUS_DISK_FULL);
-               goto strict_unlock;
+               goto out;
        }
 
        if (numtowrite && !fsp->print_file) {
@@ -4752,7 +4760,7 @@ void reply_writeunlock(struct smb_request *req)
 
                if (NT_STATUS_V(status)) {
                        reply_nterror(req, status);
-                       goto strict_unlock;
+                       goto out;
                }
        }
 
@@ -4763,11 +4771,7 @@ void reply_writeunlock(struct smb_request *req)
        DEBUG(3, ("writeunlock %s num=%d wrote=%d\n",
                  fsp_fnum_dbg(fsp), (int)numtowrite, (int)nwritten));
 
-strict_unlock:
-       if (numtowrite && !fsp->print_file) {
-               SMB_VFS_STRICT_UNLOCK(conn, fsp, &lock);
-       }
-
+out:
        END_PROFILE(SMBwriteunlock);
        return;
 }
@@ -4783,6 +4787,7 @@ void reply_write(struct smb_request *req)
 {
        connection_struct *conn = req->conn;
        size_t numtowrite;
+       size_t remaining;
        ssize_t nwritten = -1;
        off_t startpos;
        const char *data;
@@ -4823,12 +4828,23 @@ void reply_write(struct smb_request *req)
        startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0);
        data = (const char *)req->buf + 3;
 
+       /*
+        * Ensure client isn't asking us to write more than
+        * they sent. CVE-2017-12163.
+        */
+       remaining = smbreq_bufrem(req, data);
+       if (numtowrite > remaining) {
+               reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+               END_PROFILE(SMBwrite);
+               return;
+       }
+
        if (!fsp->print_file) {
                init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
                        (uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
                        &lock);
 
-               if (!SMB_VFS_STRICT_LOCK(conn, fsp, &lock)) {
+               if (!SMB_VFS_STRICT_LOCK_CHECK(conn, fsp, &lock)) {
                        reply_nterror(req, NT_STATUS_FILE_LOCK_CONFLICT);
                        END_PROFILE(SMBwrite);
                        return;
@@ -4848,12 +4864,12 @@ void reply_write(struct smb_request *req)
                nwritten = vfs_allocate_file_space(fsp, (off_t)startpos);
                if (nwritten < 0) {
                        reply_nterror(req, NT_STATUS_DISK_FULL);
-                       goto strict_unlock;
+                       goto out;
                }
                nwritten = vfs_set_filelen(fsp, (off_t)startpos);
                if (nwritten < 0) {
                        reply_nterror(req, NT_STATUS_DISK_FULL);
-                       goto strict_unlock;
+                       goto out;
                }
                trigger_write_time_update_immediate(fsp);
        } else {
@@ -4865,17 +4881,17 @@ void reply_write(struct smb_request *req)
                DEBUG(5,("reply_write: sync_file for %s returned %s\n",
                         fsp_str_dbg(fsp), nt_errstr(status)));
                reply_nterror(req, status);
-               goto strict_unlock;
+               goto out;
        }
 
        if(nwritten < 0) {
                reply_nterror(req, map_nt_error_from_unix(saved_errno));
-               goto strict_unlock;
+               goto out;
        }
 
        if((nwritten == 0) && (numtowrite != 0)) {
                reply_nterror(req, NT_STATUS_DISK_FULL);
-               goto strict_unlock;
+               goto out;
        }
 
        reply_outbuf(req, 1, 0);
@@ -4889,11 +4905,7 @@ void reply_write(struct smb_request *req)
 
        DEBUG(3, ("write %s num=%d wrote=%d\n", fsp_fnum_dbg(fsp), (int)numtowrite, (int)nwritten));
 
-strict_unlock:
-       if (!fsp->print_file) {
-               SMB_VFS_STRICT_UNLOCK(conn, fsp, &lock);
-       }
-
+out:
        END_PROFILE(SMBwrite);
        return;
 }
@@ -5049,6 +5061,9 @@ void reply_write_and_X(struct smb_request *req)
                        goto out;
                }
        } else {
+               /*
+                * This already protects us against CVE-2017-12163.
+                */
                if (smb_doff > smblen || smb_doff + numtowrite < numtowrite ||
                                smb_doff + numtowrite > smblen) {
                        reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
@@ -5121,15 +5136,13 @@ void reply_write_and_X(struct smb_request *req)
                    (uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
                    &lock);
 
-               if (!SMB_VFS_STRICT_LOCK(conn, fsp, &lock)) {
+               if (!SMB_VFS_STRICT_LOCK_CHECK(conn, fsp, &lock)) {
                        reply_nterror(req, NT_STATUS_FILE_LOCK_CONFLICT);
                        goto out;
                }
 
                nwritten = write_file(req,fsp,data,startpos,numtowrite);
                saved_errno = errno;
-
-               SMB_VFS_STRICT_UNLOCK(conn, fsp, &lock);
        }
 
        if(nwritten < 0) {
@@ -5263,6 +5276,23 @@ void reply_lseek(struct smb_request *req)
        return;
 }
 
+static struct files_struct *file_sync_one_fn(struct files_struct *fsp,
+                                            void *private_data)
+{
+       connection_struct *conn = talloc_get_type_abort(
+               private_data, connection_struct);
+
+       if (conn != fsp->conn) {
+               return NULL;
+       }
+       if (fsp->fh->fd == -1) {
+               return NULL;
+       }
+       sync_file(conn, fsp, True /* write through */);
+
+       return NULL;
+}
+
 /****************************************************************************
  Reply to a flush.
 ****************************************************************************/
@@ -5288,7 +5318,7 @@ void reply_flush(struct smb_request *req)
        }
 
        if (!fsp) {
-               file_sync_all(conn);
+               files_forall(req->sconn, file_sync_one_fn, conn);
        } else {
                NTSTATUS status = sync_file(conn, fsp, True);
                if (!NT_STATUS_IS_OK(status)) {
@@ -5387,7 +5417,7 @@ void reply_close(struct smb_request *req)
                 */
 
                fsp->deferred_close = tevent_wait_send(
-                       fsp, fsp->conn->sconn->ev_ctx);
+                       fsp, req->ev_ctx);
                if (fsp->deferred_close == NULL) {
                        status = NT_STATUS_NO_MEMORY;
                        goto done;
@@ -5477,6 +5507,7 @@ void reply_writeclose(struct smb_request *req)
 {
        connection_struct *conn = req->conn;
        size_t numtowrite;
+       size_t remaining;
        ssize_t nwritten = -1;
        NTSTATUS close_status = NT_STATUS_OK;
        off_t startpos;
@@ -5510,12 +5541,23 @@ void reply_writeclose(struct smb_request *req)
        mtime = convert_time_t_to_timespec(srv_make_unix_date3(req->vwv+4));
        data = (const char *)req->buf + 1;
 
+       /*
+        * Ensure client isn't asking us to write more than
+        * they sent. CVE-2017-12163.
+        */
+       remaining = smbreq_bufrem(req, data);
+       if (numtowrite > remaining) {
+               reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+               END_PROFILE(SMBwriteclose);
+               return;
+       }
+
        if (fsp->print_file == NULL) {
                init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
                    (uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
                    &lock);
 
-               if (!SMB_VFS_STRICT_LOCK(conn, fsp, &lock)) {
+               if (!SMB_VFS_STRICT_LOCK_CHECK(conn, fsp, &lock)) {
                        reply_nterror(req, NT_STATUS_FILE_LOCK_CONFLICT);
                        END_PROFILE(SMBwriteclose);
                        return;
@@ -5524,10 +5566,6 @@ void reply_writeclose(struct smb_request *req)
 
        nwritten = write_file(req,fsp,data,startpos,numtowrite);
 
-       if (fsp->print_file == NULL) {
-               SMB_VFS_STRICT_UNLOCK(conn, fsp, &lock);
-       }
-
        set_close_write_time(fsp, mtime);
 
        /*
@@ -5950,10 +5988,11 @@ void reply_printqueue(struct smb_request *req)
 
                ZERO_STRUCT(handle);
 
-               status = rpc_pipe_open_interface(conn,
+               status = rpc_pipe_open_interface(mem_ctx,
                                                 &ndr_table_spoolss,
                                                 conn->session_info,
                                                 conn->sconn->remote_address,
+                                                conn->sconn->local_address,
                                                 conn->sconn->msg_ctx,
                                                 &cli);
                if (!NT_STATUS_IS_OK(status)) {
@@ -6105,6 +6144,9 @@ void reply_printwrite(struct smb_request *req)
 
        numtowrite = SVAL(req->buf, 1);
 
+       /*
+        * This already protects us against CVE-2017-12163.
+        */
        if (req->buflen < numtowrite + 3) {
                reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
                END_PROFILE(SMBsplwr);
@@ -6149,10 +6191,10 @@ void reply_mkdir(struct smb_request *req)
 
        ucf_flags = filename_create_ucf_flags(req, FILE_CREATE);
        status = filename_convert(ctx, conn,
-                                req->flags2 & FLAGS2_DFS_PATHNAMES,
                                 directory,
                                 ucf_flags,
                                 NULL,
+                                NULL,
                                 &smb_dname);
        if (!NT_STATUS_IS_OK(status)) {
                if (NT_STATUS_EQUAL(status,NT_STATUS_PATH_NOT_COVERED)) {
@@ -6207,7 +6249,7 @@ void reply_rmdir(struct smb_request *req)
        TALLOC_CTX *ctx = talloc_tos();
        files_struct *fsp = NULL;
        int info = 0;
-       uint32_t ucf_flags = (req->posix_pathnames ? UCF_POSIX_PATHNAMES : 0);
+       uint32_t ucf_flags = ucf_flags_from_smb_request(req);
        struct smbd_server_connection *sconn = req->sconn;
 
        START_PROFILE(SMBrmdir);
@@ -6220,10 +6262,10 @@ void reply_rmdir(struct smb_request *req)
        }
 
        status = filename_convert(ctx, conn,
-                                req->flags2 & FLAGS2_DFS_PATHNAMES,
                                 directory,
                                 ucf_flags,
                                 NULL,
+                                NULL,
                                 &smb_dname);
        if (!NT_STATUS_IS_OK(status)) {
                if (NT_STATUS_EQUAL(status,NT_STATUS_PATH_NOT_COVERED)) {
@@ -6618,7 +6660,7 @@ NTSTATUS rename_internals_fsp(connection_struct *conn,
        uint32_t access_mask = SEC_DIR_ADD_FILE;
        bool dst_exists, old_is_stream, new_is_stream;
 
-       status = check_name(conn, smb_fname_dst_in->base_name);
+       status = check_name(conn, smb_fname_dst_in);
        if (!NT_STATUS_IS_OK(status)) {
                return status;
        }
@@ -6628,6 +6670,10 @@ NTSTATUS rename_internals_fsp(connection_struct *conn,
                return status;
        }
 
+       if (file_has_open_streams(fsp)) {
+               return NT_STATUS_ACCESS_DENIED;
+       }
+
        /* Make a copy of the dst smb_fname structs */
 
        smb_fname_dst = cp_smb_filename(ctx, smb_fname_dst_in);
@@ -6884,7 +6930,7 @@ NTSTATUS rename_internals_fsp(connection_struct *conn,
                        status = can_set_delete_on_close(fsp, 0);
 
                        if (NT_STATUS_IS_OK(status)) {
-                               /* Note that here we set the *inital* delete on close flag,
+                               /* Note that here we set the *initial* delete on close flag,
                                 * not the regular one. The magic gets handled in close. */
                                fsp->initial_delete_on_close = True;
                        }
@@ -7097,11 +7143,6 @@ NTSTATUS rename_internals(TALLOC_CTX *ctx,
                }
        }
 
-       status = check_name(conn, fname_src_dir);
-       if (!NT_STATUS_IS_OK(status)) {
-               goto out;
-       }
-
        smb_fname_src_dir = synthetic_smb_fname(talloc_tos(),
                                fname_src_dir,
                                NULL,
@@ -7112,6 +7153,11 @@ NTSTATUS rename_internals(TALLOC_CTX *ctx,
                goto out;
        }
 
+       status = check_name(conn, smb_fname_src_dir);
+       if (!NT_STATUS_IS_OK(status)) {
+               goto out;
+       }
+
        dir_hnd = OpenDir(talloc_tos(), conn, smb_fname_src_dir, fname_src_mask,
                          attrs);
        if (dir_hnd == NULL) {
@@ -7291,12 +7337,15 @@ void reply_mv(struct smb_request *req)
        TALLOC_CTX *ctx = talloc_tos();
        struct smb_filename *smb_fname_src = NULL;
        struct smb_filename *smb_fname_dst = NULL;
-       uint32_t src_ucf_flags = (req->posix_pathnames ?
-               (UCF_UNIX_NAME_LOOKUP|UCF_POSIX_PATHNAMES) :
-               UCF_COND_ALLOW_WCARD_LCOMP);
-       uint32_t dst_ucf_flags = UCF_SAVE_LCOMP |
-               (req->posix_pathnames ? UCF_POSIX_PATHNAMES :
-                UCF_COND_ALLOW_WCARD_LCOMP);
+       uint32_t src_ucf_flags = ucf_flags_from_smb_request(req) |
+               (req->posix_pathnames ?
+                       UCF_UNIX_NAME_LOOKUP :
+                       UCF_COND_ALLOW_WCARD_LCOMP);
+       uint32_t dst_ucf_flags = ucf_flags_from_smb_request(req) |
+               UCF_SAVE_LCOMP |
+               (req->posix_pathnames ?
+                       0 :
+                       UCF_COND_ALLOW_WCARD_LCOMP);
        bool stream_rename = false;
 
        START_PROFILE(SMBmv);
@@ -7337,9 +7386,9 @@ void reply_mv(struct smb_request *req)
 
        status = filename_convert(ctx,
                                  conn,
-                                 req->flags2 & FLAGS2_DFS_PATHNAMES,
                                  name,
                                  src_ucf_flags,
+                                 NULL,
                                  &src_has_wcard,
                                  &smb_fname_src);
 
@@ -7355,9 +7404,9 @@ void reply_mv(struct smb_request *req)
 
        status = filename_convert(ctx,
                                  conn,
-                                 req->flags2 & FLAGS2_DFS_PATHNAMES,
                                  newname,
                                  dst_ucf_flags,
+                                 NULL,
                                  &dest_has_wcard,
                                  &smb_fname_dst);
 
@@ -7609,9 +7658,9 @@ void reply_copy(struct smb_request *req)
        bool dest_has_wild = False;
        NTSTATUS status;
        uint32_t ucf_flags_src = UCF_COND_ALLOW_WCARD_LCOMP |
-               (req->posix_pathnames ? UCF_POSIX_PATHNAMES : 0);
+               ucf_flags_from_smb_request(req);
        uint32_t ucf_flags_dst = UCF_COND_ALLOW_WCARD_LCOMP |
-               (req->posix_pathnames ? UCF_POSIX_PATHNAMES : 0);
+               ucf_flags_from_smb_request(req);
        TALLOC_CTX *ctx = talloc_tos();
 
        START_PROFILE(SMBcopy);
@@ -7649,9 +7698,9 @@ void reply_copy(struct smb_request *req)
        }
 
        status = filename_convert(ctx, conn,
-                                 req->flags2 & FLAGS2_DFS_PATHNAMES,
                                  fname_src,
                                  ucf_flags_src,
+                                 NULL,
                                  &source_has_wild,
                                  &smb_fname_src);
        if (!NT_STATUS_IS_OK(status)) {
@@ -7665,9 +7714,9 @@ void reply_copy(struct smb_request *req)
        }
 
        status = filename_convert(ctx, conn,
-                                 req->flags2 & FLAGS2_DFS_PATHNAMES,
                                  fname_dst,
                                  ucf_flags_dst,
+                                 NULL,
                                  &dest_has_wild,
                                  &smb_fname_dst);
        if (!NT_STATUS_IS_OK(status)) {
@@ -7764,13 +7813,13 @@ void reply_copy(struct smb_request *req)
                        smb_fname_dst->base_name = fname_dst_mod;
                }
 
-               status = check_name(conn, smb_fname_src->base_name);
+               status = check_name(conn, smb_fname_src);
                if (!NT_STATUS_IS_OK(status)) {
                        reply_nterror(req, status);
                        goto out;
                }
 
-               status = check_name(conn, smb_fname_dst->base_name);
+               status = check_name(conn, smb_fname_dst);
                if (!NT_STATUS_IS_OK(status)) {
                        reply_nterror(req, status);
                        goto out;
@@ -7812,12 +7861,6 @@ void reply_copy(struct smb_request *req)
                        }
                }
 
-               status = check_name(conn, fname_src_dir);
-               if (!NT_STATUS_IS_OK(status)) {
-                       reply_nterror(req, status);
-                       goto out;
-               }
-
                smb_fname_src_dir = synthetic_smb_fname(talloc_tos(),
                                        fname_src_dir,
                                        NULL,
@@ -7828,6 +7871,12 @@ void reply_copy(struct smb_request *req)
                        goto out;
                }
 
+               status = check_name(conn, smb_fname_src_dir);
+               if (!NT_STATUS_IS_OK(status)) {
+                       reply_nterror(req, status);
+                       goto out;
+               }
+
                dir_hnd = OpenDir(ctx,
                                conn,
                                smb_fname_src_dir,
@@ -7901,7 +7950,7 @@ void reply_copy(struct smb_request *req)
                        TALLOC_FREE(smb_fname_dst->base_name);
                        smb_fname_dst->base_name = destname;
 
-                       status = check_name(conn, smb_fname_src->base_name);
+                       status = check_name(conn, smb_fname_src);
                        if (!NT_STATUS_IS_OK(status)) {
                                TALLOC_FREE(dir_hnd);
                                TALLOC_FREE(talloced);
@@ -7909,7 +7958,7 @@ void reply_copy(struct smb_request *req)
                                goto out;
                        }
 
-                       status = check_name(conn, smb_fname_dst->base_name);
+                       status = check_name(conn, smb_fname_dst);
                        if (!NT_STATUS_IS_OK(status)) {
                                TALLOC_FREE(dir_hnd);
                                TALLOC_FREE(talloced);