Combination patch back port of :

    Fix bug #5460. The problem is RHEL5.0 shipped a CIFS client
    that sets the DFS bit on pathnames but doesn't
    send DFS paths. This causes lookups to fail as
    the smbd/msdfs.c code now just eats the first
    two parts of the pathname and uses the rest as
    the local path. The previous hostname check
    used to protect us from that as we knew that
    when the hostname was invalid it was a local
    path (and a broken client).
    I didn't want to put that check back in, but
    came up with another idea - even though the
    hostname can be a different one, the sharename
    must be valid on this machine. So we can check
    for a valid sharename instead.

    Second part of patch for bug #5460. Cope with pathnames
    that don't look like \xxx\yyy, cope with arbitrary length.
    Jeremy.

    Fix debug message.
    Jeremy.

2 files changed, 62 insertions, 10 deletions

diff --git a/source/smbd/conn.c b/source/smbd/conn.c
index 282a82ce049..bd1f49032b9 100644
--- a/source/smbd/conn.c
+++ b/source/smbd/conn.c
@@ -64,10 +64,10 @@ BOOL conn_snum_used(int snum)
 	return(False);
 }
 
-
 /****************************************************************************
-find a conn given a cnum
+ Find a conn given a cnum.
 ****************************************************************************/
+
 connection_struct *conn_find(unsigned cnum)
 {
 	int count=0;
@@ -85,6 +85,27 @@ connection_struct *conn_find(unsigned cnum)
 	return NULL;
 }
 
+/****************************************************************************
+ Find a conn given a service name.
+****************************************************************************/
+
+connection_struct *conn_find_byname(const char *service)
+{
+	int count=0;
+	connection_struct *conn;
+
+	for (conn=Connections;conn;conn=conn->next,count++) {
+		if (strequal(lp_servicename(SNUM(conn)),service)) {
+			if (count > 10) {
+				DLIST_PROMOTE(Connections, conn);
+			}
+			return conn;
+		}
+	}
+
+	return NULL;
+}
+
 
 /****************************************************************************
   find first available connection slot, starting from a random position.
diff --git a/source/smbd/msdfs.c b/source/smbd/msdfs.c
index 982d0ae5905..e89f24a28b4 100644
--- a/source/smbd/msdfs.c
+++ b/source/smbd/msdfs.c
@@ -46,7 +46,7 @@ static NTSTATUS parse_dfs_path(const char *pathname,
 				BOOL *ppath_contains_wcard)
 {
 	pstring pathname_local;
-	char *p,*temp;
+	char *p,*temp, *servicename;
 	NTSTATUS status = NT_STATUS_OK;
 	char sepchar;
 
@@ -107,17 +107,48 @@ static NTSTATUS parse_dfs_path(const char *pathname,
 	DEBUG(10,("parse_dfs_path: hostname: %s\n",pdp->hostname));
 
 	/* Parse out servicename. */
-	temp = p+1;
-	p = strchr_m(temp,sepchar);
+	servicename = p+1;
+	p = strchr_m(servicename,sepchar);
+	if (p) {
+		*p = '\0';
+	}
+
+	/* Is this really our servicename ? */
+	if (NULL == conn_find_byname(servicename)) {
+		DEBUG(10,("parse_dfs_path: %s is not our servicename\n",
+			servicename));
+
+		/*
+		 * Possibly client sent a local path by mistake.
+		 * Try and convert to a local path.
+		 */
+
+		pdp->hostname[0] = '\0';
+		pdp->servicename[0] = '\0';
+
+		/* Repair the path - replace the sepchar's
+		   we nulled out */
+		servicename--;
+		*servicename = sepchar;
+		if (p) {
+			*p = sepchar;
+		}
+
+		p = temp;
+		DEBUG(10,("parse_dfs_path: trying to convert %s "
+			"to a local path\n",
+			temp));
+		goto local_path;
+	}
+
+	fstrcpy(pdp->servicename,servicename);
+
+	DEBUG(10,("parse_dfs_path: servicename: %s\n",pdp->servicename));
+
 	if(p == NULL) {
-		fstrcpy(pdp->servicename,temp);
 		pdp->reqpath[0] = '\0';
 		return NT_STATUS_OK;
 	}
-	*p = '\0';
-	fstrcpy(pdp->servicename,temp);
-	DEBUG(10,("parse_dfs_path: servicename: %s\n",pdp->servicename));
-
 	p++;
 
   local_path: