From: Ralph Boehme Date: Mon, 8 Jun 2026 12:12:14 +0000 (+0200) Subject: smbd: check the return value before the ACE-lists out args X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4cc867cc6fe1afef85b7f88b55e4c8e0058fc7a4;p=thirdparty%2Fsamba.git smbd: check the return value before the ACE-lists out args If unpack_canon_ace() fails and returns false, file_ace_list and dir_ace_list will be left at their initial NULL values, so we exit out at if (!file_ace_list && !dir_ace_list) { return NT_STATUS_OK; } instead of at the subsequent error checking code for acl_perms. This subtle change was introduced by commit 81533e2d39cae11b7ea06f289a7c398ed3c51da9 and causes attempts to set an non-canonical ACL by clients to return NT_STATUS_OK, instead of failing with NT_STATUS_ACCESS_DENIED. BUG: https://bugzilla.samba.org/show_bug.cgi?id=16097 Signed-off-by: Ralph Boehme Reviewed-by: Jeremy Allison Autobuild-User(master): Ralph Böhme Autobuild-Date(master): Fri Jun 26 12:50:29 UTC 2026 on atb-devel-224 --- diff --git a/selftest/knownfail.d/samba3.smb2.acls b/selftest/knownfail.d/samba3.smb2.acls deleted file mode 100644 index 23c3f31c82a..00000000000 --- a/selftest/knownfail.d/samba3.smb2.acls +++ /dev/null @@ -1 +0,0 @@ -^samba3.smb2.acls.NON-CANONICAL-ORDER\(.*\) diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c index 9baf3a72c30..d37c7c364bc 100644 --- a/source3/smbd/posix_acls.c +++ b/source3/smbd/posix_acls.c @@ -3691,12 +3691,6 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32_t security_info_sent, const struct acl_perms = unpack_canon_ace(fsp, &fsp->fsp_name->st, &file_owner_sid, &file_grp_sid, &file_ace_list, &dir_ace_list, security_info_sent, psd); - - /* Ignore W2K traverse DACL set. */ - if (!file_ace_list && !dir_ace_list) { - return NT_STATUS_OK; - } - if (!acl_perms) { DEBUG(3,("set_nt_acl: cannot set permissions\n")); free_canon_ace_list(file_ace_list); @@ -3704,6 +3698,11 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32_t security_info_sent, const struct return NT_STATUS_ACCESS_DENIED; } + /* Ignore W2K traverse DACL set. */ + if (!file_ace_list && !dir_ace_list) { + return NT_STATUS_OK; + } + /* * Only change security if we got a DACL. */