From e7662921b82d331fa79fa503e3dd3c7ceed25026 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Tue, 6 Jun 2023 15:17:26 +0200
Subject: [PATCH 11/21] CVE-2023-34968: mdssvc: cache and reuse stat info in
struct sl_inode_path_map
Prepare for the "path" being a fake path rather than the real server-side
path, in which case we won't be able to vfs_stat_fsp() it. Luckily we already
got stat info for the object in mds_add_result(), so we can just pass the stat
info from there.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
---
source3/rpc_server/mdssvc/mdssvc.c | 26 +++++++-------------------
source3/rpc_server/mdssvc/mdssvc.h | 1 +
2 files changed, 8 insertions(+), 19 deletions(-)
diff --git a/source3/rpc_server/mdssvc/mdssvc.c b/source3/rpc_server/mdssvc/mdssvc.c
index b04a80c37ba..32380bf904a 100644
--- a/source3/rpc_server/mdssvc/mdssvc.c
+++ b/source3/rpc_server/mdssvc/mdssvc.c
@@ -445,7 +445,10 @@ static int ino_path_map_destr_cb(struct sl_inode_path_map *entry)
* entries by calling talloc_free() on the query slq handles.
**/
-static bool inode_map_add(struct sl_query *slq, uint64_t ino, const char *path)
+static bool inode_map_add(struct sl_query *slq,
+ uint64_t ino,
+ const char *path,
+ struct stat_ex *st)
{
NTSTATUS status;
struct sl_inode_path_map *entry;
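Review bot: The new `st` parameter of inode_map_add() is only read (the next hunk copies it with `entry->st = *st;`), so it should be declared `const struct stat_ex *st` to make clear the callee never modifies the caller's `sb`. The copy dereferences `st` without a NULL check; the only caller visible in this patch passes `&sb`, so this is a contract question rather than a live bug. The doc comment that ends just above the signature should say that `st` must be non-NULL and is copied by value into the map entry. The function body continues outside this hunk.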
@@ -492,6 +495,7 @@ static bool inode_map_add(struct sl_query *slq, uint64_t ino, const char *path)
entry->ino = ino;
entry->mds_ctx = slq->mds_ctx;
+ entry->st = *st;
entry->path = talloc_strdup(entry, path);
if (entry->path == NULL) {
DEBUG(1, ("talloc failed\n"));
@@ -633,7 +637,7 @@ bool mds_add_result(struct sl_query *slq, const char *path)
return false;
}
- ok = inode_map_add(slq, ino64, path);
+ ok = inode_map_add(slq, ino64, path, &sb);
if (!ok) {
DEBUG(1, ("inode_map_add error\n"));
slq->state = SLQ_STATE_ERROR;
@@ -1350,23 +1354,7 @@ static bool slrpc_fetch_attributes(struct mds_ctx *mds_ctx,
elem = talloc_get_type_abort(p, struct sl_inode_path_map);
path = elem->path;
- smb_fname = synthetic_smb_fname(talloc_tos(),
- path,
- NULL,
- NULL,
- 0,
- 0);
- if (smb_fname == NULL) {
- DBG_ERR("synthetic_smb_fname() failed\n");
- goto error;
- }
-
- result = SMB_VFS_STAT(mds_ctx->conn, smb_fname);
- if (result != 0) {
- goto error;
- }
-
- sp = &smb_fname->st;
+ sp = &elem->st;
}
ok = add_filemeta(mds_ctx, reqinfo, fm_array, path, sp);
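Review bot: With `sp = &elem->st;` the attributes passed to add_filemeta() come from the stat snapshot stored when mds_add_result() ran. A file that was modified, removed or made inaccessible between the search and this fetch is therefore presumably still reported with its old metadata, where the removed SMB_VFS_STAT() call would have refreshed it or failed. That looks intended given the commit message, but it is worth recording at the assignment, e.g. `/* stat info cached by mds_add_result(); not refreshed here */`, and on the new `st` member in mdssvc.h. The locals `smb_fname` and `result` may now be unused on this path; their declarations are outside the hunk, so check for leftovers. slrpc_fetch_attributes() starts and ends outside this hunk.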
diff --git a/source3/rpc_server/mdssvc/mdssvc.h b/source3/rpc_server/mdssvc/mdssvc.h
index 392482767dd..a09799130f5 100644
--- a/source3/rpc_server/mdssvc/mdssvc.h
+++ b/source3/rpc_server/mdssvc/mdssvc.h
@@ -105,6 +105,7 @@ struct sl_inode_path_map {
struct mds_ctx *mds_ctx;
uint64_t ino;
char *path;
+ struct stat_ex st;
};
/* Per process state */
--
2.41.0