From andre.albsmeier@siemens.com  Sat Apr 23 16:14:32 2005
Message-Id: <200504231614.j3NGETLT027055@curry.mchp.siemens.de>
Date: Sat, 23 Apr 2005 18:14:29 +0200 (CEST)
From: Andre Albsmeier <andre.albsmeier@siemens.com>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: [PATCH] samba: processing of symlinks broken
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         80288
>Category:       ports
>Synopsis:       [PATCH] samba: processing of symlinks broken
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    dinoex
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Apr 23 16:20:17 GMT 2005
>Closed-Date:    Thu Sep 22 15:50:31 CEST 2005
>Last-Modified:  Thu Sep 22 15:50:31 CEST 2005
>Originator:     Andre Albsmeier
>Release:        FreeBSD 4.11-STABLE i386
>Organization:
>Environment:

FreeBSD 4.11-STABLE with samba from ports.
A Winblows system which tries to access symlinks from a share.

>Description:

There are two serious bugs in the code which processes symlinks
in smbd:

1.) The programmer assumed that readlink() would NUL-terminate
    the result (flink). This is fixed with the first part of the
    patch.

2.) In case of a relative symlink, the destination (cleanlink) is
    constructed by concatenating realdir with the link. This is
    wrong; it should be dirname(name) + the link. The second part
    of the patch fixes that.


>How-To-Repeat:

Raise debuglevel to 3 and access symlinks from Winblows. Watch
the messed up filenames due to 1.).
Fix 1.) and try to access relative symlinks from Winblows. These
links must not reside on the toplevel of the share. Watch the
wrongly constructed filenames.


>Fix:

--- source/smbd/vfs.c.ORI	Wed Sep 29 19:37:44 2004
+++ source/smbd/vfs.c	Fri Apr 22 21:11:57 2005
@@ -717,6 +717,7 @@
 	pstring savedir;
 	pstring realdir;
 	size_t reallen;
+	int linklen;
 
 	if (!vfs_GetWd(conn, savedir)) {
 		DEBUG(0,("couldn't vfs_GetWd for %s %s\n", name, dir));
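Review bot: `int linklen;` is declared directly under `size_t reallen;` and will hold the return value of conn->vfs_ops.readlink() before being used as an index into flink. Declare it with the type that call actually returns (ssize_t if the VFS op mirrors readlink(2)) so a length is never narrowed, and keep it signed, since the second hunk compares it with -1.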
@@ -740,12 +741,16 @@
 		realdir[reallen] = 0;
 	}
 
-	if (conn->vfs_ops.readlink(conn, name, flink, sizeof(pstring) -1) != -1) {
+	if( (linklen = conn->vfs_ops.readlink(conn, name, flink, sizeof(pstring) -1)) != -1 ) {
+		flink[linklen] = '\0';
 		DEBUG(3,("reduce_name: file path name %s is a symlink\nChecking it's path\n", name));
 		if (*flink == '/') {
 			pstrcpy(cleanlink, flink);
 		} else {
-			pstrcpy(cleanlink, realdir);
+			char* cp;
+			pstrcpy( cleanlink, name );
+			if( (cp = strrchr( cleanlink, '/' )) != NULL )
+			  *cp = '\0';
 			pstrcat(cleanlink, "/");
 			pstrcat(cleanlink, flink);
 		}
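Review bot: In the relative-link branch, `if( (cp = strrchr( cleanlink, '/' )) != NULL )` has no else, so when name contains no '/' cleanlink keeps the whole file name and the result becomes name + "/" + flink instead of a path in the link's directory. Handle the NULL case explicitly, for example by keeping the old `pstrcpy(cleanlink, realdir);` there, since the report says the old form only went wrong for links below the top level of the share. The termination `flink[linklen] = '\0';` stays in bounds only because the call passes sizeof(pstring) -1 (and assuming flink is a pstring, whose declaration is outside the hunk); a one-line comment saying so would protect it from later edits. The added lines also write `if( (` and `pstrcpy( cleanlink, name )` where the surrounding code uses `if (` and `pstrcpy(cleanlink, flink)`; match the file's spacing.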

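The two points from the Description, as a stand-alone added example that is not part of the report and not Samba code: the readlink() result is terminated by hand, and a relative target is resolved against the directory of the link itself. The names link_destination and demo_check are hypothetical, the test tree under /tmp is constructed, and the example goes slightly beyond the patch by also covering a link name that contains no '/'.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not Samba code: write the destination of symlink
 * `name` to out, resolving a relative target against dirname(name).
 * Returns 0 on success, -1 if name is not a symlink or out is too small. */
int link_destination(const char *name, char *out, size_t outlen)
{
    char target[PATH_MAX];
    /* readlink() does not NUL-terminate: reserve one byte and do it here. */
    ssize_t n = readlink(name, target, sizeof(target) - 1);
    if (n < 0)
        return -1;
    target[n] = '\0';
    const char *slash = strrchr(name, '/');
    int w;
    if (target[0] == '/' || slash == NULL)  /* absolute, or link is in cwd */
        w = snprintf(out, outlen, "%s", target);
    else                                    /* dirname(name) + "/" + target */
        w = snprintf(out, outlen, "%.*s/%s", (int)(slash - name), name, target);
    return (w < 0 || (size_t)w >= outlen) ? -1 : 0;
}

/* Constructed tree: <tmp>/sub/rel -> "data.txt", <tmp>/sub/abs -> "/etc".
 * Returns 0 when every destination comes back as expected. */
int demo_check(void)
{
    char dir[] = "/tmp/linkdemoXXXXXX", sub[64], rel[80], abs_[80], want[80];
    char got[PATH_MAX];
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(sub, sizeof sub, "%s/sub", dir);
    snprintf(rel, sizeof rel, "%s/rel", sub);
    snprintf(abs_, sizeof abs_, "%s/abs", sub);
    snprintf(want, sizeof want, "%s/data.txt", sub);
    int bad = mkdir(sub, 0700) || symlink("data.txt", rel) || symlink("/etc", abs_);
    bad |= link_destination(rel, got, sizeof got) || strcmp(got, want);
    bad |= link_destination(abs_, got, sizeof got) || strcmp(got, "/etc");
    bad |= link_destination(sub, got, sizeof got) != -1;  /* not a symlink */
    unlink(rel); unlink(abs_); rmdir(sub); rmdir(dir);
    return bad;
}

int main(void) { return demo_check(); }
```
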
>Release-Note:
>Audit-Trail:

From: Mark Linimon <linimon@lonesome.com>
To: Andre Albsmeier <andre.albsmeier@siemens.com>
Cc: FreeBSD-gnats-submit@FreeBSD.org,
	<freebsd-ports-bugs@FreeBSD.org>
Subject: Re: ports/80288: [PATCH] samba: processing of symlinks broken
Date: Sat, 23 Apr 2005 13:34:46 -0500 (CDT)

 To which version(s) of the samba port does this patch apply?
 
 

From: Andre Albsmeier <andre.albsmeier@siemens.com>
To: bug-followup@FreeBSD.org, Mark Linimon <linimon@lonesome.com>
Cc:  
Subject: Re: ports/80288: [PATCH] samba: processing of symlinks broken
Date: Sun, 24 Apr 2005 10:59:48 +0200

 > To which version(s) of the samba port does this patch apply?
 
 Well, since I wrote "samba from ports" it must be the one in
 net/samba (2.2.12 at the moment) :-). Don't know if it applies
 to samba3 as well...
 
 BTW, your mail never made it through to me. I just ran across
 it in the audit-trail...
 
 	-Andre
State-Changed-From-To: open->analyzed 
State-Changed-By: dinoex 
State-Changed-When: Thu Sep 22 15:42:44 CEST 2005 
State-Changed-Why:  
I will take care of it. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=80288 
Responsible-Changed-From-To: freebsd-ports-bugs->dinoex 
Responsible-Changed-By: dinoex 
Responsible-Changed-When: Thu Sep 22 15:43:16 CEST 2005 
Responsible-Changed-Why:  
I will take care of it. 
State-Changed-From-To: analyzed->closed 
State-Changed-By: dinoex 
State-Changed-When: Thu Sep 22 15:50:18 CEST 2005 
State-Changed-Why:  
committed, thanks. 
>Unformatted:
