authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-06-20 04:07:27 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-06-20 04:07:27 +0000
commit19d0fde1ace012e366182b511c528f7ab6a0ed37 (patch)
tree4b7f31bfcae1f06f2a77dd154508460119172422 /source3/smbd
parentAdding debian version 2:4.20.1+dfsg-5. (diff)
Merging upstream version 2:4.20.2+dfsg.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'source3/smbd')
-rw-r--r--source3/smbd/files.c18
-rw-r--r--source3/smbd/globals.h5
-rw-r--r--source3/smbd/smb2_server.c11
-rw-r--r--source3/smbd/smb2_sesssetup.c18
-rw-r--r--source3/smbd/smb2_tcon.c4
5 files changed, 55 insertions, 1 deletions
diff --git a/source3/smbd/files.c b/source3/smbd/files.c
index 6aad76a..42bb323 100644
--- a/source3/smbd/files.c
+++ b/source3/smbd/files.c
@@ -1312,6 +1312,24 @@ next:
}
if (fd == -1) {
+ /*
+ * vfs_widelink widelink_openat will update stat for fsp
+ * and return ELOOP for non-existing link, we can report
+ * the link here and let calling code decide what to do.
+ */
+ if ((errno == ELOOP) && S_ISLNK(fsp->fsp_name->st.st_ex_mode)) {
+ status = create_open_symlink_err(mem_ctx,
+ dirfsp,
+ &rel_fname,
+ &symlink_err);
+ if (NT_STATUS_IS_OK(status)) {
+ status = NT_STATUS_STOPPED_ON_SYMLINK;
+ } else {
+ DBG_ERR("read_symlink_reparse failed: %s\n",
+ nt_errstr(status));
+ }
+ goto fail;
+ }
status = map_nt_error_from_unix(errno);
DBG_DEBUG("SMB_VFS_OPENAT() failed: %s\n",
strerror(errno));
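Review bot: The error log in the new ELOOP branch names `read_symlink_reparse`, but the call whose status is being reported in this hunk is `create_open_symlink_err()`. Unless that helper is a thin wrapper around the named function (not visible here), the message will point whoever triages the log at the wrong code. I would write `DBG_ERR("create_open_symlink_err failed: %s\n", nt_errstr(status));`. The enclosing function starts and ends outside the hunk.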
diff --git a/source3/smbd/globals.h b/source3/smbd/globals.h
index 4928d1f..a954499 100644
--- a/source3/smbd/globals.h
+++ b/source3/smbd/globals.h
@@ -522,6 +522,11 @@ struct smbXsrv_connection {
} smbtorture;
bool signing_mandatory;
+ /*
+ * This is ConstrainedConnection in MS-SMB2,
+ * but with reversed value...
+ */
+ bool got_authenticated_session;
} smb2;
};
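Review bot: The comment on `got_authenticated_session` gives the MS-SMB2 name but says nothing about the field's lifetime or what it gates. In the other hunks of this commit it is only ever set to true (session setup and bind paths), is not cleared anywhere visible, and is tested before an SMB2_TRANSFORM header is parsed. A sentence such as `Set once a session has authenticated on this connection and not reset afterwards; until then SMB2_TRANSFORM PDUs are rejected.` would let a reader audit that invariant from the header alone. The struct definition starts outside the hunk.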
diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c
index afb86ab..5b83d4d 100644
--- a/source3/smbd/smb2_server.c
+++ b/source3/smbd/smb2_server.c
@@ -494,6 +494,17 @@ static NTSTATUS smbd_smb2_inbuf_parse_compound(struct smbXsrv_connection *xconn,
goto inval;
}
+ if (!xconn->smb2.got_authenticated_session) {
+ D_INFO("Got SMB2_TRANSFORM header, "
+ "but not no authenticated session yet "
+ "client[%s] server[%s]\n",
+ tsocket_address_string(
+ xconn->remote_address, talloc_tos()),
+ tsocket_address_string(
+ xconn->local_address, talloc_tos()));
+ goto inval;
+ }
+
if (len < SMB2_TF_HDR_SIZE) {
DEBUG(1, ("%d bytes left, expected at least %d\n",
(int)len, SMB2_TF_HDR_SIZE));
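Review bot: The log text in the new pre-authentication check reads "but not no authenticated session yet", a double negative that says the opposite of what is meant; the second string fragment should be `"but no authenticated session yet "`. This is the line an operator will search for when a client sends an encrypted PDU before authenticating, so the wording matters for detection. It may also deserve a level that is visible under default logging; I cannot tell from the hunk which level D_INFO maps to in deployed configurations. The function continues outside the hunk.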
diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index ac71e55..d3b21ea 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -271,6 +271,13 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct smbXsrv_session *session,
x->global->signing_flags &= ~SMBXSRV_SIGNING_REQUIRED;
/* we map anonymous to guest internally */
guest = true;
+ } else {
+ /*
+ * Remember we got one authenticated session on the connection
+ * in order to allow SMB3 decryption to happen
+ * (sadly even for future anonymous connections).
+ */
+ xconn->smb2.got_authenticated_session = true;
}
if (guest && (x->global->encryption_flags & SMBXSRV_ENCRYPTION_REQUIRED)) {
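Review bot: `xconn->smb2.got_authenticated_session = true` in the new else branch is assigned in the middle of smbd_smb2_auth_generic_return(), whereas the bind path in the last hunk of this file sets it immediately before `return NT_STATUS_OK`. If any step after this point can still fail the session setup (the rest of the function is outside the hunk), the connection stays marked as authenticated although no session was established, and that flag is what admits SMB2_TRANSFORM parsing in smb2_server.c. Consider moving the assignment to just before the successful return, or extend the comment to say why setting it this early is safe.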
@@ -288,7 +295,10 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct smbXsrv_session *session,
}
x->global->signing_algo = xconn->smb2.server.sign_algo;
x->global->encryption_cipher = xconn->smb2.server.cipher;
- if (guest) {
+ if (*out_session_flags & SMB2_SESSION_FLAG_IS_GUEST) {
+ /*
+ * A fallback to guest can't do any encryption
+ */
x->global->encryption_cipher = SMB2_ENCRYPTION_NONE;
}
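Review bot: The new comment covers only the guest fallback, but the condition was narrowed from `guest` to `*out_session_flags & SMB2_SESSION_FLAG_IS_GUEST`. The previous hunk shows `guest` is also set for anonymous sessions ("we map anonymous to guest internally"), so anonymous sessions appear to keep the negotiated `encryption_cipher` from now on, and the comment does not say so. If that is intended, I would extend it to `/* A fallback to guest can't do any encryption; anonymous sessions keep the negotiated cipher. */` so the distinction is not mistaken for an oversight later. The function starts and ends outside the hunk.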
@@ -642,6 +652,12 @@ static NTSTATUS smbd_smb2_bind_auth_return(struct smbXsrv_session *session,
return NT_STATUS_LOGON_FAILURE;
}
+ /*
+ * Remember we got one authenticated session on the connection
+ * in order to allow SMB3 decryption to happen
+ */
+ xconn->smb2.got_authenticated_session = true;
+
*out_session_id = session->global->session_wire_id;
return NT_STATUS_OK;
diff --git a/source3/smbd/smb2_tcon.c b/source3/smbd/smb2_tcon.c
index b228036..20d8967 100644
--- a/source3/smbd/smb2_tcon.c
+++ b/source3/smbd/smb2_tcon.c
@@ -331,6 +331,10 @@ static NTSTATUS smbd_smb2_tree_connect(struct smbd_smb2_request *req,
}
}
+ if (guest_session) {
+ /* make sure we don't ask for optional encryption */
+ encryption_desired = false;
+ }
if (encryption_desired) {
encryption_flags |= SMBXSRV_ENCRYPTION_DESIRED;
}