git.openafs.org Git - openafs.git/commit

Windows: Prevent pioctl races from crashing afsd_service

The SMB redirector will permit two processes to open the
pioctl file at the same time without giving SMB server an
opportunity to say 'no'.  As a result multiple reads and writes
on the allocated smb_fid->ioctl can play havoc with the pioctl
state.  Since afsd_service doesn't know the writes and reads
are coming from separate requests there is nothing it can do
to prevent incorrect data going to the wrong process.  However,
it can (and should) protect itself when the state becomes invalid.

Two prevention methods are applied:

1. add an additional state flag that explicitly indicates
    when the ioctl is in the dataout state

2. validate the length of data in the ioctl input or
    output buffers before copying it.  If the length
    becomes negative, return a CM_ERROR_INVAL error.

In addition, when the invalid state results in a failure to
to find a matching pioctl function do not return CM_ERROR_BADOP.
CM_ERROR_BADOP can only be returned if the SMB operation is not
supported.  Returning it in response to a ReadFile request will
cause the SMB client to drop the connection.

Finally, fix smb_FindFID to prevent the same 'fid' from being
used for more than one open file.

LICENSE MIT

Reviewed-on: http://gerrit.openafs.org/407
Reviewed-by: Jeffrey Altman <jaltman@openafs.org>
Tested-by: Jeffrey Altman <jaltman@openafs.org>

author	Jeffrey Altman <jaltman@secure-endpoints.com>
	Sun, 6 Sep 2009 19:25:42 +0000 (15:25 -0400)
committer	Jeffrey Altman <jaltman\|account-1000011@unknown>
	Tue, 8 Sep 2009 17:22:50 +0000 (10:22 -0700)
commit	7e91d071f007c3be74dce800c38b0ac980465df0
tree	c2b9c7521ddb32eecc381c32cf7f6c80b7ea499e	tree \| snapshot
parent	96ebb6df31ad300680d4a1dd7d04a714f54a22b5	commit \| diff

src/WINNT/afsd/cm_ioctl.h		diff \| blob \| history
src/WINNT/afsd/smb.c		diff \| blob \| history
src/WINNT/afsd/smb3.c		diff \| blob \| history
src/WINNT/afsd/smb_ioctl.c		diff \| blob \| history