From: Ralph Boehme
Date: Wed, 7 Jul 2021 09:48:34 +0000 (+0200)
Subject: smbd: put back dev/ino stat/fstat check in openat_pathref_fsp()
X-Git-Tag: talloc-2.3.3~78
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2c9ae4b78cd0d5a3686e79a7497fd3da9f87a307;p=thirdparty%2Fsamba.git

smbd: put back dev/ino stat/fstat check in openat_pathref_fsp()

This reverts commit a6df051dd5e8c63f2fdfdb20ee01169d2bdb97dd:
"s3: smbd: In openat_pathref_fsp(), just check we're opening the same file type, not dev and inode."

The prior changes mean we can go back to checking dev/ino matches.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14756

Signed-off-by: Ralph Boehme
Reviewed-by: Jeremy Allison
---

diff --git a/source3/smbd/files.c b/source3/smbd/files.c index 85ee0b91b37..35419315565 100644 --- a/source3/smbd/files.c +++ b/source3/smbd/files.c
@@ -529,32 +529,18 @@ NTSTATUS openat_pathref_fsp(const struct files_struct *dirfsp, goto fail; } - /* - * As this is an internal open and we don't have any - * locks around, we don't have to mandate the dev and ino - * pair are the same (and in fact not doing so fixes bugs - * when this is called by VFS modules that like to play tricks - * with ino number on stream paths (fruit, and streams_xattr - * are the two that currently do this). - * - * There's no security advantage to checking that, as the - * fd_openat() above ensures this is safe. - */ - if ((S_IFMT & smb_fname->st.st_ex_mode) != (S_IFMT & fsp->fsp_name->st.st_ex_mode)) { - DBG_DEBUG("file [%s] - S_IFMT mismatch. " - "old = 0%o, new = 0%o\n", + if (!check_same_dev_ino(&smb_fname->st, &fsp->fsp_name->st)) { + DBG_DEBUG("file [%s] - dev/ino mismatch. " + "Old (dev=%ju, ino=%ju). " + "New (dev=%ju, ino=%ju).\n", smb_fname_str_dbg(smb_fname), - (unsigned int)(S_IFMT & smb_fname->st.st_ex_mode), - (unsigned int)(S_IFMT & fsp->fsp_name->st.st_ex_mode)); + (uintmax_t)smb_fname->st.st_ex_dev, + (uintmax_t)smb_fname->st.st_ex_ino, + (uintmax_t)fsp->fsp_name->st.st_ex_dev, + (uintmax_t)fsp->fsp_name->st.st_ex_ino); status = NT_STATUS_ACCESS_DENIED; goto fail; } - /* - * fd_openat() has done an FSTAT on the handle - * so update the smb_fname stat info with "truth". - * from the handle. - */ - smb_fname->st = fsp->fsp_name->st; fsp->file_id = vfs_file_id_from_sbuf(conn, &fsp->fsp_name->st);
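Review bot: The restored check at "if (!check_same_dev_ino(&smb_fname->st, &fsp->fsp_name->st))" carries no comment, although the block it replaces documented that fruit and streams_xattr alter inode numbers on stream paths and that a strict dev/ino comparison broke them. A short comment above the check should say what it guards against (the opened handle not being the object that was stat'ed by path) and which earlier change makes it safe again for those modules, since "the prior changes" in the commit message is not visible from the code. The hunk also drops "smb_fname->st = fsp->fsp_name->st;", so after a successful check the caller's smb_fname keeps the path-based stat rather than the fstat result from the handle. Only dev and ino are compared, so the remaining fields can differ between the two stat structs. It is worth confirming that no caller relied on the refreshed values, or stating in a comment that the copy is no longer needed. Finally, a mismatch is logged only at DBG_DEBUG before returning NT_STATUS_ACCESS_DENIED. Consider whether a condition that means the path changed between stat and open deserves a more visible log level.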