OpenAFS Master Repository branch, master, updated. openafs-devel-1_5_62-33-g7e91d07

Gerrit Code Review
Tue, 8 Sep 2009 10:23:10 -0700 (PDT)

The following commit has been merged in the master branch:
commit 7e91d071f007c3be74dce800c38b0ac980465df0
Author: Jeffrey Altman <>
Date:   Sun Sep 6 15:25:42 2009 -0400

    Windows: Prevent pioctl races from crashing afsd_service
    The SMB redirector will permit two processes to open the
    pioctl file at the same time without giving the SMB server an
    opportunity to say 'no'.  As a result multiple reads and writes
    on the allocated smb_fid->ioctl can play havoc with the pioctl
    state.  Since afsd_service doesn't know the writes and reads
    are coming from separate requests there is nothing it can do
    to prevent incorrect data going to the wrong process.  However,
    it can (and should) protect itself when the state becomes invalid.
    Two prevention methods are applied:
     1. add an additional state flag that explicitly indicates
        when the ioctl is in the dataout state
     2. validate the length of data in the ioctl input or
        output buffers before copying it.  If the length
        becomes negative, return a CM_ERROR_INVAL error.
    In addition, when the invalid state results in a failure to
    find a matching pioctl function do not return CM_ERROR_BADOP.
    CM_ERROR_BADOP can only be returned if the SMB operation is not
    supported.  Returning it in response to a ReadFile request will
    cause the SMB client to drop the connection.
    Finally, fix smb_FindFID to prevent the same 'fid' from being
    used for more than one open file.
    Reviewed-by: Jeffrey Altman <>
    Tested-by: Jeffrey Altman <>

 src/WINNT/afsd/cm_ioctl.h  |    1 +
 src/WINNT/afsd/smb.c       |   30 ++++++++++++++++++++++--------
 src/WINNT/afsd/smb3.c      |    2 +-
 src/WINNT/afsd/smb_ioctl.c |   42 ++++++++++++++++++++++++++++++++----------
 4 files changed, 56 insertions(+), 19 deletions(-)

OpenAFS Master Repository
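
The two guards the commit message describes (an explicit dataout state flag, and a length check before each copy), shown as an added C example that is not taken from the OpenAFS source. The `ex_` names, the buffer size, the echo handler and the choice to refuse writes during dataout are assumptions of this model, and `EX_ERROR_INVAL` stands in for `CM_ERROR_INVAL`.

```c
#include <string.h>
/* Hypothetical model; names are not the OpenAFS structures or constants. */
#define EX_OK           0
#define EX_ERROR_INVAL  1    /* stand-in for CM_ERROR_INVAL */
#define EX_FLAG_DATAIN  0x1  /* request bytes are being collected */
#define EX_FLAG_DATAOUT 0x2  /* response prepared, reads are draining it */
#define EX_BUFSZ        64

typedef struct ex_ioctl {
    unsigned flags;
    char in[EX_BUFSZ];  long in_len;      /* request bytes received */
    char out[EX_BUFSZ]; long out_len;     /* response bytes produced */
    long out_copied;                      /* response bytes already returned */
} ex_ioctl_t;

/* Append request bytes; a write arriving in dataout is refused (assumption). */
int ex_write(ex_ioctl_t *io, const char *src, long n)
{
    if (io->flags & EX_FLAG_DATAOUT) return EX_ERROR_INVAL;
    if (n < 0 || io->in_len < 0 || n > EX_BUFSZ - io->in_len)
        return EX_ERROR_INVAL;            /* validate before copying */
    memcpy(io->in + io->in_len, src, (size_t)n);
    io->in_len += n;
    io->flags |= EX_FLAG_DATAIN;
    return EX_OK;
}

/* Copy up to n response bytes into dst; *got receives the count. */
int ex_read(ex_ioctl_t *io, char *dst, long n, long *got)
{
    long left;
    *got = 0;
    if (!(io->flags & EX_FLAG_DATAOUT)) { /* first read: build the response */
        if (!(io->flags & EX_FLAG_DATAIN) || io->in_len < 0 || io->in_len > EX_BUFSZ)
            return EX_ERROR_INVAL;
        memcpy(io->out, io->in, (size_t)io->in_len);  /* toy handler: echo */
        io->out_len = io->in_len;
        io->out_copied = 0;
        io->flags = EX_FLAG_DATAOUT;      /* explicit state flag */
    }
    left = io->out_len - io->out_copied;  /* goes negative if state is corrupt */
    if (n < 0 || io->out_copied < 0 || io->out_len > EX_BUFSZ || left < 0)
        return EX_ERROR_INVAL;            /* refuse to copy */
    if (n > left) n = left;
    memcpy(dst, io->out + io->out_copied, (size_t)n);
    io->out_copied += n;
    *got = n;
    return EX_OK;
}
```
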