OpenAFS Master Repository branch, master, updated. openafs-devel-1_5_62-33-g7e91d07
Gerrit Code Review
gerrit@openafs.org
Tue, 8 Sep 2009 10:23:10 -0700 (PDT)
The following commit has been merged in the master branch:
commit 7e91d071f007c3be74dce800c38b0ac980465df0
Author: Jeffrey Altman <jaltman@secure-endpoints.com>
Date: Sun Sep 6 15:25:42 2009 -0400
Windows: Prevent pioctl races from crashing afsd_service
The SMB redirector will permit two processes to open the
pioctl file at the same time without giving SMB server an
opportunity to say 'no'. As a result multiple reads and writes
on the allocated smb_fid->ioctl can play havoc with the pioctl
state. Since afsd_service doesn't know the writes and reads
are coming from separate requests there is nothing it can do
to prevent incorrect data going to the wrong process. However,
it can (and should) protect itself when the state becomes invalid.
Two prevention methods are applied:
1. add an additional state flag that explicitly indicates
when the ioctl is in the dataout state
2. validate the length of data in the ioctl input or
output buffers before copying it. If the length
becomes negative, return a CM_ERROR_INVAL error.
In addition, when the invalid state results in a failure to
to find a matching pioctl function do not return CM_ERROR_BADOP.
CM_ERROR_BADOP can only be returned if the SMB operation is not
supported. Returning it in response to a ReadFile request will
cause the SMB client to drop the connection.
Finally, fix smb_FindFID to prevent the same 'fid' from being
used for more than one open file.
LICENSE MIT
Reviewed-on: http://gerrit.openafs.org/407
Reviewed-by: Jeffrey Altman <jaltman@openafs.org>
Tested-by: Jeffrey Altman <jaltman@openafs.org>
src/WINNT/afsd/cm_ioctl.h | 1 +
src/WINNT/afsd/smb.c | 30 ++++++++++++++++++++++--------
src/WINNT/afsd/smb3.c | 2 +-
src/WINNT/afsd/smb_ioctl.c | 42 ++++++++++++++++++++++++++++++++----------
4 files changed, 56 insertions(+), 19 deletions(-)
--
OpenAFS Master Repository