diff options
| author | Stefan Metzmacher <metze@samba.org> | 2021-07-05 17:17:30 +0200 |
|---|---|---|
| committer | Stefan Metzmacher <metze@samba.org> | 2021-07-06 11:08:43 +0000 |
| commit | 00bab5b3c821f272153a25ded9743460887a7907 (patch) | |
| tree | 36d3d8e14e873d30d14a488d5f5f12efe7ed4d76 | |
| parent | 7c3bb491baf7d6f10760fb42b34a990e3806df9c (diff) | |
| download | samba-00bab5b3c821f272153a25ded9743460887a7907.tar.gz | |
smbXsrv_{open,session,tcon}: protect smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records
I saw systems with locking.tdb records being part of:
ctdb catdb smbXsrv_tcon_global.tdb
It's yet unknown how that happened, but we should not panic in srvsvc_*
calls because the info0 pointer was NULL.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14752
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Jul 6 11:08:43 UTC 2021 on sn-devel-184
| -rw-r--r-- | source3/smbd/smbXsrv_open.c | 9 | ||||
| -rw-r--r-- | source3/smbd/smbXsrv_session.c | 7 | ||||
| -rw-r--r-- | source3/smbd/smbXsrv_tcon.c | 7 |
3 files changed, 23 insertions, 0 deletions
diff --git a/source3/smbd/smbXsrv_open.c b/source3/smbd/smbXsrv_open.c index b6ea51a5f66..2b9e52ed2af 100644 --- a/source3/smbd/smbXsrv_open.c +++ b/source3/smbd/smbXsrv_open.c @@ -1645,6 +1645,15 @@ static NTSTATUS smbXsrv_open_global_parse_record(TALLOC_CTX *mem_ctx, goto done; } + if (global_blob.info.info0 == NULL) { + status = NT_STATUS_INTERNAL_DB_CORRUPTION; + DEBUG(1,("Invalid record in smbXsrv_tcon_global.tdb:" + "key '%s' info0 NULL pointer - %s\n", + hex_encode_talloc(frame, key.dptr, key.dsize), + nt_errstr(status))); + goto done; + } + *global = talloc_move(mem_ctx, &global_blob.info.info0); status = NT_STATUS_OK; done: diff --git a/source3/smbd/smbXsrv_session.c b/source3/smbd/smbXsrv_session.c index 0a4827519d1..eafee5dac72 100644 --- a/source3/smbd/smbXsrv_session.c +++ b/source3/smbd/smbXsrv_session.c @@ -2425,6 +2425,13 @@ static int smbXsrv_session_global_traverse_fn(struct db_record *rec, void *data) goto done; } + if (global_blob.info.info0 == NULL) { + DEBUG(1,("Invalid record in smbXsrv_tcon_global.tdb:" + "key '%s' info0 NULL pointer\n", + hex_encode_talloc(frame, key.dptr, key.dsize))); + goto done; + } + global_blob.info.info0->db_rec = rec; ret = state->fn(global_blob.info.info0, state->private_data); done: diff --git a/source3/smbd/smbXsrv_tcon.c b/source3/smbd/smbXsrv_tcon.c index 938eb7ab162..6b105522855 100644 --- a/source3/smbd/smbXsrv_tcon.c +++ b/source3/smbd/smbXsrv_tcon.c @@ -1209,6 +1209,13 @@ static int smbXsrv_tcon_global_traverse_fn(struct db_record *rec, void *data) goto done; } + if (global_blob.info.info0 == NULL) { + DEBUG(1,("Invalid record in smbXsrv_tcon_global.tdb:" + "key '%s' info0 NULL pointer\n", + hex_encode_talloc(frame, key.dptr, key.dsize))); + goto done; + } + global_blob.info.info0->db_rec = rec; ret = state->fn(global_blob.info.info0, state->private_data); done: |