ports/80288: [PATCH] samba: processing of symlinks broken

Andre Albsmeier andre.albsmeier at siemens.com
Sat Apr 23 16:20:19 UTC 2005


>Number:         80288
>Category:       ports
>Synopsis:       [PATCH] samba: processing of symlinks broken
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Apr 23 16:20:17 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Andre Albsmeier
>Release:        FreeBSD 4.11-STABLE i386
>Organization:
>Environment:

FreeBSD 4.11-STABLE with samba from ports.
A Winblows system which tries to access symlinks from a share.

>Description:

There are two serious bugs in the code which processes symlinks
in smbd:

1.) The programmer assumed that readlink() would NUL-terminate
    the result (flink). This is fixed with the first part of the
    patch.

2.) In case of a relative symlink, the destination (cleanlink) is
    constructed by concatenating realdir with the link. This is
    wrong, it should be dirname(name) + the link. The second part
    of the patch fixes that.


>How-To-Repeat:

Raise debuglevel to 3 and access symlinks from Winblows. Watch
the messed up filenames due to 1.).
Fix 1.) and try to access relative symlinks from Winblows. These
links must not reside on the toplevel of the share. Watch the
wrongly constructed filenames.


>Fix:

--- source/smbd/vfs.c.ORI	Wed Sep 29 19:37:44 2004
+++ source/smbd/vfs.c	Fri Apr 22 21:11:57 2005
@@ -717,6 +717,7 @@
 	pstring savedir;
 	pstring realdir;
 	size_t reallen;
+	int linklen;
 
 	if (!vfs_GetWd(conn, savedir)) {
 		DEBUG(0,("couldn't vfs_GetWd for %s %s\n", name, dir));
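Review bot: the added linklen is declared as int, directly below size_t reallen. POSIX readlink() returns ssize_t, so if conn->vfs_ops.readlink returns the same type, declare linklen as ssize_t so the length is not narrowed before it is used as an array index.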
@@ -740,12 +741,16 @@
 		realdir[reallen] = 0;
 	}
 
-	if (conn->vfs_ops.readlink(conn, name, flink, sizeof(pstring) -1) != -1) {
+	if( (linklen = conn->vfs_ops.readlink(conn, name, flink, sizeof(pstring) -1)) != -1 ) {
+		flink[linklen] = '\0';
 		DEBUG(3,("reduce_name: file path name %s is a symlink\nChecking it's path\n", name));
 		if (*flink == '/') {
 			pstrcpy(cleanlink, flink);
 		} else {
-			pstrcpy(cleanlink, realdir);
+			char* cp;
+			pstrcpy( cleanlink, name );
+			if( (cp = strrchr( cleanlink, '/' )) != NULL )
+			  *cp = '\0';
 			pstrcat(cleanlink, "/");
 			pstrcat(cleanlink, flink);
 		}
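Review bot: in the relative-link branch, strrchr( cleanlink, '/' ) returns NULL when name has no directory component, and cleanlink then still holds the whole of name, so the result is name + "/" + flink, with the link's own file name used as a directory. Handle the NULL case explicitly, for example by falling back to the old pstrcpy(cleanlink, realdir) there. The write flink[linklen] = '\0' is in bounds only if flink is at least sizeof(pstring) bytes, which these lines do not show, so that is worth confirming against the declaration. The new lines also use "if( (" and "char* cp" where the surrounding code writes "if (".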

>Release-Note:
>Audit-Trail:
>Unformatted:
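The two points from the description (readlink() does not NUL-terminate, and a relative target is resolved against the directory containing the link) as a stand-alone added example. It is not Samba code and not part of the submitted patch; join_link() and link_target() are hypothetical names, and ".." components are not normalised.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper, not Samba code. `raw` holds the n bytes readlink()
 * returned; it is NOT NUL-terminated, so only the first n bytes are used.
 * A relative target is resolved against the directory containing `name`.
 * Returns 0 on success, -1 if the result does not fit in `out`. */
int join_link(const char *name, const char *raw, ssize_t n,
              char *out, size_t outlen)
{
	int len;
	const char *slash = strrchr(name, '/');

	if (n <= 0)
		return -1;
	if (raw[0] == '/')                 /* absolute target: use as is */
		len = snprintf(out, outlen, "%.*s", (int)n, raw);
	else if (slash == NULL)            /* link named without a directory */
		len = snprintf(out, outlen, "./%.*s", (int)n, raw);
	else                               /* dirname(name) + "/" + target */
		len = snprintf(out, outlen, "%.*s/%.*s",
		               (int)(slash - name), name, (int)n, raw);
	return (len >= 0 && (size_t)len < outlen) ? 0 : -1;
}

/* Read the symlink at `name` and resolve it with join_link(). */
int link_target(const char *name, char *out, size_t outlen)
{
	char raw[1024];
	ssize_t n = readlink(name, raw, sizeof(raw));

	if (n < 0 || (size_t)n == sizeof(raw))   /* error or possibly truncated */
		return -1;
	return join_link(name, raw, n, out, outlen);
}

int main(int argc, char **argv)
{
	char out[2048];

	if (argc > 1 && link_target(argv[1], out, sizeof(out)) == 0)
		puts(out);
	return 0;
}
```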