From: Ralph Boehme
Date: Tue, 24 Nov 2020 15:16:10 +0000 (+0100)
Subject: vfs_xattr_tdb: don't leak the fd into the caller
X-Git-Tag: samba-4.14.0rc1~333
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=4bcb3d7a03db4c3346bcb4cb62752aa9930cd3b4;p=thirdparty%2Fsamba.git

vfs_xattr_tdb: don't leak the fd into the caller

This is subtle: generally fsp_set_fd(fd) is called in the caller of SMB_VFS_OPENAT() in non_widelink_open(). fsp_set_fd() has a check that asserts certain combinations of the existing fsp->fh->fd and the new fd. Both being valid fds is not allowed. Therefore inside the VFS we must reset fsp->fh->fd if we've set it.

Signed-off-by: Ralph Boehme
Reviewed-by: Jeremy Allison
---
diff --git a/source3/modules/vfs_xattr_tdb.c b/source3/modules/vfs_xattr_tdb.c index 67b1a120b3b..ea4e6607b4e 100644 --- a/source3/modules/vfs_xattr_tdb.c +++ b/source3/modules/vfs_xattr_tdb.c @@ -515,7 +515,6 @@ static int xattr_tdb_openat(struct vfs_handle_struct *handle, if (fd == -1) { return -1; } - fsp_set_fd(fsp, fd); if ((flags & (O_CREAT|O_EXCL)) != (O_CREAT|O_EXCL)) { return fd; @@ -526,7 +525,9 @@ static int xattr_tdb_openat(struct vfs_handle_struct *handle, * We must have created the file. */ + fsp_set_fd(fsp, fd); ret = SMB_VFS_FSTAT(fsp, &sbuf); + fsp_set_fd(fsp, -1); if (ret == -1) { /* Can't happen... */ DBG_WARNING("SMB_VFS_FSTAT failed on file %s (%s)\n",
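Review bot: the temporary `fsp_set_fd(fsp, fd)` / `fsp_set_fd(fsp, -1)` pair around `SMB_VFS_FSTAT()` in the second hunk (@@ -526,7 +525,9) has no comment, and the reason for it exists only in the commit message, which itself calls the point subtle. A short comment above the pair, saying that the fd is installed only for the fstat and must be cleared again because the caller of SMB_VFS_OPENAT() calls fsp_set_fd() itself, would keep a later cleanup from dropping the reset and bringing the assert back. A smaller point in the same hunk: the reset now sits between the fstat call and the `if (ret == -1)` branch, whose warning prints a second `%s`. If that argument is derived from errno (the argument list is cut off in this view), it is worth confirming that fsp_set_fd() cannot change errno, or saving errno before the reset.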