s3:smbd: fix NULL dereference in case of readlink failure
authorShachar Sharon <ssharon@redhat.com>
Thu, 22 Aug 2024 11:44:28 +0000 (14:44 +0300)
committerVolker Lendecke <vl@samba.org>
Fri, 23 Aug 2024 09:27:06 +0000 (09:27 +0000)
When VFS readlinkat hook returns with error the following sequence
yields NULL-pointer dereference (SIGSEGV):

  symlink_target_below_conn (source3/smbd/open.c)
    char *target = NULL;
    ...
    readlink_talloc (source3/smbd/files.c)
      SMB_VFS_READLINKAT
        smb_vfs_call_readlinkat (source3/smbd/vfs.c)
          handle->fns->readlinkat_fn --> returns error

  status = safe_symlink_target_path(.., target /* NULL */ ..)
    safe_symlink_target_path (source3/smbd/filename.c)
      if (target[0] == '/') { /* NULL pointer dereference */

A failure in a VFS module's readlinkat hook may happen due to a run-time
error (e.g., a network failure which causes libcephfs to disconnect from
the MDS).

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15700
Signed-off-by: Shachar Sharon <ssharon@redhat.com>
Reviewed-by: John Mulligan <jmulligan@redhat.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Fri Aug 23 09:27:06 UTC 2024 on atb-devel-224

source3/smbd/open.c

index a1c1c259e5c0f14d17b010d37d493cb9eb238958..0e36db0a85efebe3de2dca88e5efb19cbe620607 100644 (file)
@@ -582,6 +582,10 @@ static NTSTATUS symlink_target_below_conn(
                        talloc_tos(), dirfsp, symlink_name, &target);
        }
 
+       if (!NT_STATUS_IS_OK(status)) {
+               return status;
+       }
+
        status = safe_symlink_target_path(talloc_tos(),
                                          connection_path,
                                          dirfsp->fsp_name->base_name,
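Review bot: The new early return `if (!NT_STATUS_IS_OK(status)) { return status; }` exits silently, so a failing VFS readlinkat hook (the libcephfs disconnect case in the commit message) leaves no trace at this level; adding `DBG_DEBUG("readlink_talloc() failed: %s\n", nt_errstr(status));` before the `return` would make it diagnosable. The guard also protects only this caller: per the commit message, safe_symlink_target_path() still reads `target[0]` without a NULL check, so rejecting `target == NULL` there would be worthwhile defence in depth for any other caller. The fix further relies on readlink_talloc() never returning NT_STATUS_OK with `target` left NULL, which is not visible here and should be confirmed. symlink_target_below_conn() starts and ends outside the hunk.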