From 9b5b63870f7f0e0a5f89f14515529a9fdbfdb879 Mon Sep 17 00:00:00 2001
From: Ralph Boehme
Date: Thu, 10 Jul 2025 16:48:22 +0200
Subject: [PATCH] smbd: implement session check from MS-SMB2 3.3.5.9 Receiving an SMB2 CREATE Request

If the server implements the SMB 3.x dialect family and all of the following conditions are TRUE, the server MUST look up an Open in GlobalOpenTable where Open.IsReplayEligible is TRUE and Open.CreateGuid matches the CreateGuid in the SMB2_CREATE_DURABLE_HANDLE_REQUEST_V2 create context and Open.ClientGuid matches the ClientGuid of the connection that received this request:

...

If an Open is found, the server MUST perform the following:

...

If Open.Session.SessionId is not equal to the current Session.SessionId, the server MUST fail the request with STATUS_DUPLICATE_OBJECTID.

Signed-off-by: Ralph Boehme
Reviewed-by: Stefan Metzmacher
---
 selftest/knownfail.d/samba3.smb2.replay | 1 -
 source3/smbd/smb2_create.c | 1 +
 source3/smbd/smbXsrv_open.c | 8 +++++++-
 source3/smbd/smbXsrv_open.h | 1 +
 4 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/selftest/knownfail.d/samba3.smb2.replay b/selftest/knownfail.d/samba3.smb2.replay
index c1d524dbe2e..e2c3d908539 100644
--- a/selftest/knownfail.d/samba3.smb2.replay
+++ b/selftest/knownfail.d/samba3.smb2.replay
@@ -1,4 +1,3 @@
 ^samba3.smb2.replay.durable-reconnect-replay1\(nt4_dc\)
-^samba3.smb2.replay.durable-reconnect-replay2\(nt4_dc\)
 ^samba3.smb2.replay.durable-reconnect-replay3\(nt4_dc\)
 ^samba3.smb2.replay.replay-twice-durable\(nt4_dc\)
diff --git a/source3/smbd/smb2_create.c b/source3/smbd/smb2_create.c
index 8412622e6cb..f6b49a0f96b 100644
--- a/source3/smbd/smb2_create.c
+++ b/source3/smbd/smb2_create.c
@@ -1453,6 +1453,7 @@ static void smbd_smb2_cc_before_exec_dhc2q(struct tevent_req *req)
 }
 
 status = smb2srv_open_lookup_replay_cache(smb2req->xconn,
+ smb2req->session,
 *state->create_guid,
 state->fname,
 now,
diff --git a/source3/smbd/smbXsrv_open.c b/source3/smbd/smbXsrv_open.c
index cd85440e909..fabd8aff889 100644
--- a/source3/smbd/smbXsrv_open.c
+++ b/source3/smbd/smbXsrv_open.c
@@ -1121,6 +1121,7 @@ NTSTATUS smb2srv_open_lookup(struct smbXsrv_connection *conn,
 * retry loop on the client.
 */
 NTSTATUS smb2srv_open_lookup_replay_cache(struct smbXsrv_connection *conn,
+ struct smbXsrv_session *session,
 struct GUID create_guid,
 const char *name,
 NTTIME now,
@@ -1221,8 +1222,13 @@ NTSTATUS smb2srv_open_lookup_replay_cache(struct smbXsrv_connection *conn,
 now,
 &op);
 if (NT_STATUS_IS_OK(status)) {
+ if (op->session->global->session_global_id !=
+ session->global->session_global_id)
+ {
+ TALLOC_FREE(frame);
+ return NT_STATUS_DUPLICATE_OBJECTID;
+ }
 DBG_DEBUG("Found local open\n");
-
 /*
 * We found an open the caller can reuse.
 */
diff --git a/source3/smbd/smbXsrv_open.h b/source3/smbd/smbXsrv_open.h
index 72752967a78..d6d0ed35105 100644
--- a/source3/smbd/smbXsrv_open.h
+++ b/source3/smbd/smbXsrv_open.h
@@ -54,6 +54,7 @@ NTSTATUS smb2srv_open_lookup(struct smbXsrv_connection *conn,
 NTSTATUS smbXsrv_open_purge_replay_cache(struct smbXsrv_client *client,
 const struct GUID *create_guid);
 NTSTATUS smb2srv_open_lookup_replay_cache(struct smbXsrv_connection *conn,
+ struct smbXsrv_session *session,
 struct GUID create_guid,
 const char *name,
 NTTIME now,
-- 
2.47.3
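Review bot: The comment block directly above `smb2srv_open_lookup_replay_cache` (only its last two lines, `* retry loop on the client.` and `*/`, are inside the hunk; it starts before it) is not updated for the new `session` parameter, so nothing at the definition or at the prototype in the smbXsrv_open.h hunk tells a caller that a replay-cache hit owned by another session is now rejected. I would extend that comment with a sentence such as `The open found via the replay cache must belong to @session; an open created by a different session makes the lookup fail with NT_STATUS_DUPLICATE_OBJECTID (MS-SMB2 3.3.5.9).` and mirror a one-line version of it on the header declaration. Both the new failure status and the requirement that `session` be the session of the request being processed are otherwise discoverable only by reading the body further down.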
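Review bot: The new session-mismatch branch returns NT_STATUS_DUPLICATE_OBJECTID without any log line, while the matching case still emits `DBG_DEBUG("Found local open\n")`; a replayed CREATE whose CreateGuid resolves to an open of another session is exactly the condition an operator needs to see when troubleshooting duplicate-handle or replay failures. I would add a line before the `TALLOC_FREE(frame)`, e.g. `DBG_NOTICE("Replay cache open belongs to another session, rejecting\n");`. The check also dereferences `op->session->global` and `session->global` unconditionally; if `op->session` can be NULL for an open still referenced from the replay cache (for instance one whose session is being torn down), a guard is needed — I cannot confirm from the hunk whether that is reachable. Comparing `session_global_id` rather than the wire SessionId named in the spec is fine as long as the global id is unique per session, but a short comment stating that equivalence would let the next reader match the code to MS-SMB2 3.3.5.9. The enclosing function continues past the hunk.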