[Bug 228462] Samba's vfs_streams_xattr triggers corruption of first byte in AFP_AfpInfo stream/xattr

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Thu May 24 14:50:16 UTC 2018


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=228462

            Bug ID: 228462
           Summary: Samba's vfs_streams_xattr triggers corruption of first
                    byte in AFP_AfpInfo stream/xattr
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: Individual Port(s)
          Assignee: ports-bugs at FreeBSD.org
          Reporter: slow at samba.org

The Samba FreeBSD port patch
https://svnweb.freebsd.org/ports/head/net/samba47/files/patch-source3__modules__vfs_streams_xattr.c?revision=464431&view=markup
changes vfs_streams_xattr to not read and write an additional trailing byte (cf
the comment lines containing "// ? -1" in the patch), but when creating a
stream the trailing byte is still stored (cf streams_xattr_open() the code
after the comment "Darn, xattrs need at least 1 byte").

Due to a vicious interaction with a bug that is present in the latest macOS
10.13.4 (not sure about earlier versions) what happens is this:

- the client sends a request to create a stream "file:AFP_AfpInfo"

- the server creates the xattr for the stream and writes a 0 byte

- the client sends a request to read 60 bytes at offset 0 from the stream

- the server returns a one byte sized buffer containing a 0 instead of
returning nread=0 and status=NT_STATUS_END_OF_FILE

- the final nail in the coffin is that the client, when writing the AFP_AfpInfo
blob whose first four bytes start with a magic string "AFP", takes the 0 byte the
server returned and overwrites the first byte of the magic string

The fix for this is twofold: first, we must fix vfs_streams_xattr to not store an
initial zero byte when creating an xattr. Second, we must prepare vfs_fruit to
allow such broken AFP_AfpInfo blobs, otherwise users who add vfs_fruit run
into the issue that vfs_fruit has a builtin check for the magic string...

Have patch, need bug number...

Fwiw, this is a bug only present in the FreeBSD Samba port.

-- 
You are receiving this mail because:
You are the assignee for the bug.
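
The sequence described in the report above, as an added toy model that is not part of the original message and is not Samba or macOS code. Every name in it (struct xattr, stream_create, stream_pread, client_roundtrip) is hypothetical, and the client step is modelled only as far as the report describes it.

```c
/* Added illustration: toy model of the create/read size mismatch. */
#include <stdio.h>
#include <string.h>

#define AFPINFO_SIZE 60   /* the client reads 60 bytes at offset 0 */

struct xattr { unsigned char data[AFPINFO_SIZE + 1]; size_t len; };

/* Create the stream's xattr; pad_on_create stores the single 0 byte. */
static void stream_create(struct xattr *x, int pad_on_create) {
    memset(x, 0, sizeof(*x));
    x->len = pad_on_create ? 1 : 0;
}

/* Read up to n bytes at offset 0. With strip_pad the last stored byte is
 * treated as padding. Returns nread; 0 stands for end of file. */
static size_t stream_pread(const struct xattr *x, unsigned char *buf,
                           size_t n, int strip_pad) {
    size_t avail = x->len;
    if (strip_pad && avail > 0)
        avail--;
    if (n > avail)
        n = avail;
    memcpy(buf, x->data, n);
    return n;
}

/* Client side as the report describes it: create, read, then write a blob
 * whose leading bytes are replaced by whatever the server returned.
 * Returns 1 when the "AFP" magic survives, 0 when it is corrupted. */
static int client_roundtrip(int pad_on_create, int strip_pad) {
    struct xattr x;
    unsigned char got[AFPINFO_SIZE], blob[AFPINFO_SIZE] = "AFP";
    stream_create(&x, pad_on_create);
    size_t nread = stream_pread(&x, got, sizeof(got), strip_pad);
    memcpy(blob, got, nread);           /* nread == 1 puts the 0 byte on 'A' */
    return memcmp(blob, "AFP", 3) == 0; /* stand-in for a magic-string check */
}

int main(void) {
    printf("pad stored, not stripped on read: magic ok = %d\n", client_roundtrip(1, 0));
    printf("no pad stored on create:          magic ok = %d\n", client_roundtrip(0, 0));
    printf("pad stored and stripped on read:  magic ok = %d\n", client_roundtrip(1, 1));
    return 0;
}
```

Only the first combination, where create and read disagree about the padding byte, returns a one-byte read and loses the magic string.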

