[Bug 228462] Samba's vfs_streams_xattr triggers corruption of first byte in AFP_AfpInfo stream/xattr
bugzilla-noreply at freebsd.org
Thu May 24 14:50:16 UTC 2018
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=228462
Bug ID: 228462
Summary: Samba's vfs_streams_xattr triggers corruption of first byte in AFP_AfpInfo stream/xattr
Product: Ports & Packages
Version: Latest
Hardware: Any
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: Individual Port(s)
Assignee: ports-bugs at FreeBSD.org
Reporter: slow at samba.org
The Samba FreeBSD port patch
https://svnweb.freebsd.org/ports/head/net/samba47/files/patch-source3__modules__vfs_streams_xattr.c?revision=464431&view=markup
changes vfs_streams_xattr to not read and write an additional trailing byte (cf
the comment lines containing "// ? -1" in the patch), but when creating a
stream the trailing byte is still stored (cf streams_xattr_open() the code
after the comment "Darn, xattrs need at least 1 byte").
Due to a vicious interaction with a bug that is present in the latest macOS
10.13.4 (not sure about earlier versions) what happens is this:
- the client sends a request to create a stream "file:AFP_AfpInfo"
- the server creates the xattr for the stream and writes a 0 byte
- the client sends a request to read 60 bytes at offset 0 from the stream
- the server returns a one byte sized buffer containing a 0 instead of
returning nread=0 and status=NT_STATUS_END_OF_FILE
- the final nail in the coffin is that the client, when writing the AFP_AfpInfo
blob whose first four bytes start with a magic string "AFP", takes the 0 byte the
server returned and overwrites the first byte of the magic string
The fix for this is twofold: first, we must fix vfs_streams_xattr to not store an
initial zero byte when creating an xattr. Second, we must prepare vfs_fruit to
allow such broken AFP_AfpInfo blobs, otherwise users who add vfs_fruit run
into the issue that vfs_fruit has a builtin check for the magic string...
Have patch, need bug number...
Fwiw, this is a bug only present in the FreeBSD Samba port.
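Added example, not part of the original bug report and not Samba or FreeBSD port code: a small C model of the interaction described above, where a stream created with one stored byte is read back by code that no longer strips a trailing byte, followed by a tolerant magic check that recognizes the resulting blob. The function names, the `pad` parameter, the simplified client model and the NUL fourth magic byte are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

#define AFP_INFO_SIZE 60 /* read size quoted in the report */
/* Assumption: the fourth magic byte is NUL; the report only names "AFP". */
static const unsigned char AFP_MAGIC[4] = { 'A', 'F', 'P', 0 };

enum afp_state { AFP_OK, AFP_FIRST_BYTE_ZEROED, AFP_INVALID };

/* Model of a stream read backed by an xattr value. `pad` is the number of
 * trailing bytes the reader treats as padding (1 = strips the extra byte,
 * 0 = does not). Returns the bytes copied; 0 means end of file. */
static size_t stream_read(const unsigned char *xattr, size_t xattr_len,
                          size_t pad, unsigned char *buf, size_t n)
{
    size_t stream_len = xattr_len > pad ? xattr_len - pad : 0;
    if (n > stream_len) n = stream_len;
    memcpy(buf, xattr, n);
    return n;
}

/* Simplified model of the client: build a fresh blob, then lay whatever the
 * server returned over its start, as the report describes. */
static void client_build_blob(unsigned char blob[AFP_INFO_SIZE],
                              const unsigned char *server_data, size_t nread)
{
    memset(blob, 0, AFP_INFO_SIZE);
    memcpy(blob, AFP_MAGIC, sizeof AFP_MAGIC);
    memcpy(blob, server_data, nread);
}

/* Hypothetical tolerant check: separate "magic intact" from "only the first
 * magic byte was zeroed" so damaged blobs can be accepted or flagged. */
static enum afp_state classify_afpinfo(const unsigned char *blob, size_t len)
{
    if (len != AFP_INFO_SIZE) return AFP_INVALID;
    if (memcmp(blob, AFP_MAGIC, 4) == 0) return AFP_OK;
    if (blob[0] == 0 && memcmp(blob + 1, AFP_MAGIC + 1, 3) == 0)
        return AFP_FIRST_BYTE_ZEROED;
    return AFP_INVALID;
}

int main(void)
{
    const unsigned char created[1] = { 0 }; /* xattr right after stream create */
    unsigned char buf[AFP_INFO_SIZE], blob[AFP_INFO_SIZE];
    size_t nread = stream_read(created, 1, 0, buf, sizeof buf); /* mismatched reader */
    client_build_blob(blob, buf, nread);
    return classify_afpinfo(blob, sizeof blob) == AFP_FIRST_BYTE_ZEROED ? 0 : 1;
}
```

With `pad` set to 1 the same read returns 0 bytes and the blob keeps its magic, which is the behaviour the report expects from the server.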