The ktc_GetToken and ktc_ListTokens functions perform a pioctl
and then parse the response data. There is no validation that the
data required is not longer than the pioctl output or that the
data received fits into the data structures that are being written.
As a result, random crashes have occurred when the wrong data
has been received from the pioctl.
This commit adds data validation to at least ensure that these
functions cannot read beyond the data provided or write beyond
the allocated memory.
LICENSE MIT
Reviewed-on: http://gerrit.openafs.org/405
Reviewed-by: Derrick Brashear <shadow@dementia.org>
Reviewed-by: Asanka Herath <asanka@secure-endpoints.com>
Tested-by: Asanka Herath <asanka@secure-endpoints.com>
Reviewed-by: Jeffrey Altman <jaltman@openafs.org>
Tested-by: Jeffrey Altman <jaltman@openafs.org>
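
The kind of validation this commit describes, as an added example that is not OpenAFS code: a cursor over the pioctl reply that refuses to read past the bytes returned or to write past the destination's capacity. The reply layout (a length-prefixed ticket followed by a NUL-terminated cell name), the capacities and every name below are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define MAX_TICKET 64   /* assumed capacity, not the OpenAFS value */
#define MAX_CELL   16   /* assumed capacity, not the OpenAFS value */

struct token_out {               /* hypothetical destination structure */
    int32_t ticket_len;
    unsigned char ticket[MAX_TICKET];
    char cell[MAX_CELL];
};

struct cursor { const unsigned char *p; size_t left; };

/* Copy n bytes out of the reply only if the reply still holds n bytes. */
static int take(struct cursor *c, void *dst, size_t n)
{
    if (n > c->left)
        return -1;               /* would read beyond the data provided */
    memcpy(dst, c->p, n);
    c->p += n;
    c->left -= n;
    return 0;
}

/* Returns 0 on success, -1 if the reply is truncated or oversized.
 * On failure the contents of *out must not be used. */
int parse_token_reply(const unsigned char *reply, size_t reply_len,
                      struct token_out *out)
{
    struct cursor c = { reply, reply_len };
    int32_t len;
    const unsigned char *nul;
    size_t cell_len;
    memset(out, 0, sizeof(*out));
    if (take(&c, &len, sizeof(len)) != 0)
        return -1;
    /* The length comes from the reply itself: reject negative and oversized. */
    if (len < 0 || (size_t)len > sizeof(out->ticket))
        return -1;               /* would write beyond the allocated memory */
    if (take(&c, out->ticket, (size_t)len) != 0)
        return -1;
    out->ticket_len = len;
    /* The cell name must be terminated inside the reply, not after it. */
    nul = memchr(c.p, 0, c.left);
    if (nul == NULL)
        return -1;
    cell_len = (size_t)(nul - c.p) + 1;
    if (cell_len > sizeof(out->cell))
        return -1;
    return take(&c, out->cell, cell_len);
}

/* Constructed sample input: a reply that claims `claimed` ticket bytes
 * but carries `actual` of them, followed by the cell name. */
size_t build_reply(unsigned char *buf, int32_t claimed, size_t actual,
                   const char *cell, int terminate)
{
    size_t n = 0, cl = strlen(cell) + (terminate ? 1 : 0);
    memcpy(buf, &claimed, sizeof(claimed)); n += sizeof(claimed);
    memset(buf + n, 0xAB, actual);          n += actual;
    memcpy(buf + n, cell, cl);              n += cl;
    return n;
}
```
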
Fix a build failure - ubik_client is a struct and not a type
Reviewed-on: http://gerrit.openafs.org/431
Tested-by: Jeffrey Altman <jaltman@openafs.org>
Reviewed-by: Jeffrey Altman <jaltman@openafs.org>
Microsoft compilers version 1500 and above provide secure
versions of ctime and strncpy. Use them in afs_ctime.
Reviewed-on: http://gerrit.openafs.org/408
Reviewed-by: Derrick Brashear <shadow@dementia.org>
Tested-by: Asanka Herath <asanka@secure-endpoints.com>
Reviewed-by: Asanka Herath <asanka@secure-endpoints.com>
Tested-by: Derrick Brashear <shadow@dementia.org>
Reviewed-by: Jeffrey Altman <jaltman@openafs.org>
Rather than setting the compiler to cc on all platforms by default,
use the Autoconf default unless the specific compiler might matter.
Conservatively set the compiler to cc for all non-Linux, non-BSD
operating systems that previously didn't explicitly set it. Fix a
few places on Linux where the compiler was set to gcc explicitly
rather than using the Autoconf result.
Don't bother setting the Linux i386 compiler to gcc -pipe. The compile
performance difference isn't enough to bother with the special
exception, and we don't do this for other Linux systems.
With this change, setting CC at Autoconf time will correctly set the
compiler per the user's preferences unless they're on an operating
system where we care about having a particular compiler for kernel
purposes. This can be relaxed further in the future, particularly if
the kernel compiler is broken out to a separate setting.
Reviewed-on: http://gerrit.openafs.org/337
Reviewed-by: Derrick Brashear <shadow@dementia.org>
Tested-by: Derrick Brashear <shadow@dementia.org>
ka_UserAuthenticateGeneral had code disabled with #ifdef OLDCRUFT to
retry failed authentications by truncating the password to eight
characters, with a comment that the truncating behavior of kpasswd
was disabled in 1990. Nothing references this preprocessor define in
the source tree. Delete the dead code.
Reviewed-on: http://gerrit.openafs.org/336
Reviewed-by: Derrick Brashear <shadow@dementia.org>
Tested-by: Derrick Brashear <shadow@dementia.org>
The SMB redirector will permit two processes to open the
pioctl file at the same time without giving SMB server an
opportunity to say 'no'. As a result multiple reads and writes
on the allocated smb_fid->ioctl can play havoc with the pioctl
state. Since afsd_service doesn't know the writes and reads
are coming from separate requests there is nothing it can do
to prevent incorrect data going to the wrong process. However,
it can (and should) protect itself when the state becomes invalid.
Two prevention methods are applied:
1. add an additional state flag that explicitly indicates
when the ioctl is in the dataout state
2. validate the length of data in the ioctl input or
output buffers before copying it. If the length
becomes negative, return a CM_ERROR_INVAL error.
In addition, when the invalid state results in a failure to
find a matching pioctl function do not return CM_ERROR_BADOP.
CM_ERROR_BADOP can only be returned if the SMB operation is not
supported. Returning it in response to a ReadFile request will
cause the SMB client to drop the connection.
Finally, fix smb_FindFID to prevent the same 'fid' from being
used for more than one open file.
LICENSE MIT
Reviewed-on: http://gerrit.openafs.org/407
Reviewed-by: Jeffrey Altman <jaltman@openafs.org>
Tested-by: Jeffrey Altman <jaltman@openafs.org>
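
The two protections listed in the commit above, sketched as an added example that is not OpenAFS code: an explicit data-out flag, plus a length check that returns CM_ERROR_INVAL instead of copying when the counters are inconsistent. The structure, flag names, buffer size, the echo handler and the numeric value given to CM_ERROR_INVAL are assumptions made for illustration.

```c
#include <string.h>

#define BUF_SIZE       32      /* assumed buffer size */
#define FLAG_DATAIN    0x1     /* hypothetical flag values */
#define FLAG_DATAOUT   0x2
#define CM_ERROR_INVAL (-1)    /* placeholder value, not the OpenAFS constant */

struct ioctl_state {           /* hypothetical stand-in for smb_fid->ioctl */
    unsigned flags;
    char in[BUF_SIZE];   long in_len;      /* request bytes accumulated */
    char out[BUF_SIZE];  long out_len;     /* response bytes produced */
    long out_copied;                       /* response bytes already returned */
};

/* Stand-in for the pioctl handler: echoes the request as the response. */
static void run_handler(struct ioctl_state *s)
{
    memcpy(s->out, s->in, (size_t)s->in_len);
    s->out_len = s->in_len;
    s->out_copied = 0;
}

/* WriteFile side: a write always belongs to the request phase. */
long ioctl_write(struct ioctl_state *s, const char *data, long n)
{
    if (s->flags & FLAG_DATAOUT) {         /* new request: drop old response */
        s->flags &= ~FLAG_DATAOUT;
        s->in_len = s->out_len = s->out_copied = 0;
    }
    if (n < 0 || s->in_len < 0 || s->in_len > BUF_SIZE ||
        n > BUF_SIZE - s->in_len)
        return CM_ERROR_INVAL;             /* would overrun the input buffer */
    memcpy(s->in + s->in_len, data, (size_t)n);
    s->in_len += n;
    s->flags |= FLAG_DATAIN;
    return n;
}

/* ReadFile side: the first read after a write runs the handler once. */
long ioctl_read(struct ioctl_state *s, char *dst, long n)
{
    long left;
    if (s->in_len < 0 || s->in_len > BUF_SIZE)
        return CM_ERROR_INVAL;
    if (s->flags & FLAG_DATAIN) {
        run_handler(s);
        s->flags = (s->flags & ~FLAG_DATAIN) | FLAG_DATAOUT;
    } else if (!(s->flags & FLAG_DATAOUT)) {
        return CM_ERROR_INVAL;             /* read with no request pending */
    }
    left = s->out_len - s->out_copied;
    if (n < 0 || left < 0 || s->out_len > BUF_SIZE || s->out_copied < 0)
        return CM_ERROR_INVAL;             /* inconsistent state: refuse copy */
    if (n > left)
        n = left;
    memcpy(dst, s->out + s->out_copied, (size_t)n);
    s->out_copied += n;
    return n;
}
```

When two openers interleave their writes and reads, the first reader receives the merged data and the second gets a zero-length read, but the counters never drive a copy outside either buffer.
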
The fake scache object used for pioctl operations was not
fully initialized. The magic value, data version, and
several locks were not initialized. Do so.
Since the fid of the fake scache object is 0.0.0.0
remove the assert in cm_GetSCache for cell != 0.
Instead simply return CM_ERROR_INVAL.
LICENSE MIT
Reviewed-on: http://gerrit.openafs.org/406
Reviewed-by: Asanka Herath <asanka@secure-endpoints.com>
Tested-by: Asanka Herath <asanka@secure-endpoints.com>
Reviewed-by: Jeffrey Altman <jaltman@openafs.org>
Tested-by: Jeffrey Altman <jaltman@openafs.org>
The Windows pioctl implementation makes an incorrect assumption.
It is not true that every CreateFile() operation results in a
SMB NTCreateX operation being delivered to SMB Server. The SMB
client can combine open requests from multiple processes or threads
onto a single SMB file descriptor and locally manage the operations.
This is a problem for pioctls since the Transceive operation requires
that a WriteFile/ReadFile combination must belong to the same request.
Prior to this change simultaneous pioctl operations would be
combined and the individual reads and writes could overlap resulting
in responses going to the wrong requestor and end of file errors
being received by the others.
Due to lack of data validation in fs.c, ktc_nt.c, symlink.c,
etc random crashes are produced.
This change alters the sharing mode under which the pioctl file is
opened. Instead of FILE_SHARE_READ | FILE_SHARE_WRITE, only
FILE_SHARE_READ is specified to CreateFile(). This ensures that
the CreateFile will fail with a sharing violation if the pioctl
file was previously opened for writing.
A sharing violation check is provided and the CreateFile is retried
indefinitely until the open succeeds or the error is not a sharing
violation.
LICENSE MIT
Reviewed-on: http://gerrit.openafs.org/404
Reviewed-by: Derrick Brashear <shadow@dementia.org>
Tested-by: Asanka Herath <asanka@secure-endpoints.com>
Reviewed-by: Asanka Herath <asanka@secure-endpoints.com>
Tested-by: Jeffrey Altman <jaltman@openafs.org>
Reviewed-by: Jeffrey Altman <jaltman@openafs.org>
smb_FindShareCSCPolicy() ignored the error state of RegCreateKeyEx()
and would pass the uninitialized hkCSCPolicy to RegQueryValueEx()
and RegCloseKey(). While this did not produce invalid results, it
did result in unnecessary operations and exception handling within
the Win32 registry apis.
LICENSE MIT
Reviewed-on: http://gerrit.openafs.org/402
Tested-by: Asanka Herath <asanka@secure-endpoints.com>
Reviewed-by: Asanka Herath <asanka@secure-endpoints.com>
Reviewed-by: Derrick Brashear <shadow@dementia.org>
Tested-by: Jeffrey Altman <jaltman@openafs.org>
Reviewed-by: Jeffrey Altman <jaltman@openafs.org>
The uss module relies on MapNetworkToHost / MapHostToNetwork from
src/volser. These functions convert a struct nvldbentry and not
a struct vldbentry. When src/volser was converted to struct nvldbentry
src/uss must have been forgotten.
In uss_vol.c convert GetServerAndPart() to accept a nvldbentry
instead of a vldbentry.
Add two static functions:
* ovlentry_to_nvlentry() to convert from vldbentry to nvldbentry
if required
* uss_vol_GetEntryByID() which first attempts to use
ubik_VL_GetEntryByIDN() and if that is not supported falls
back to ubik_VL_GetEntryByID() and ovlentry_to_nvlentry().
LICENSE MIT
FIXES 125101
Reviewed-on: http://gerrit.openafs.org/377
Reviewed-by: Derrick Brashear <shadow@dementia.org>
Tested-by: Derrick Brashear <shadow@dementia.org>
a label before the end of a loop breaks, which is the case
when AFS_64BIT_CLIENT's not defined (e.g. UKERNEL).
fix it.
Reviewed-on: http://gerrit.openafs.org/410
Tested-by: Derrick Brashear <shadow@dementia.org>
Reviewed-by: Derrick Brashear <shadow@dementia.org>
The identifier AFS_UCRED is intended as a preprocessor alias to
a possibly-opaque credential type. A platform header will normally
rename AFS_UCRED to a platform credential type with #define.
This is not intended to change the meaning of AFS_UCRED, but removes
the assumption that it is a struct type, which may not be true, depending
on the platform and other decisions made by the AFS client port.
Reviewed-on: http://gerrit.openafs.org/397
Reviewed-by: Derrick Brashear <shadow@dementia.org>
Tested-by: Derrick Brashear <shadow@dementia.org>
RXKAD errors were not logged at the point where the errors were
handled. As a result they were never logged.
LICENSE MIT
Reviewed-on: http://gerrit.openafs.org/400
Tested-by: Asanka Herath <asanka@secure-endpoints.com>
Reviewed-by: Asanka Herath <asanka@secure-endpoints.com>
Tested-by: Jeffrey Altman <jaltman@openafs.org>
Reviewed-by: Jeffrey Altman <jaltman@openafs.org>
The attempt to follow the smb protocol specification by returning
extended responses to NTCreateAndX requests (when specified)
resulted in random "invalid parameter" errors from the Explorer
Shell (and common control dialogs) on Vista SP2.
As a result we won't send the extended responses.
LICENSE MIT
Reviewed-on: http://gerrit.openafs.org/399
Tested-by: Asanka Herath <asanka@secure-endpoints.com>
Reviewed-by: Asanka Herath <asanka@secure-endpoints.com>
Tested-by: Jeffrey Altman <jaltman@openafs.org>
Reviewed-by: Jeffrey Altman <jaltman@openafs.org>
In cm_GetCallback the Freelance mode case did not properly
synchronize attempts to fake obtain a callback.
cm_GetCallback also failed to initialize the contents of afsStatus and
volSync which are used as input to cm_MergeStatus.
cm_MergeStatus special cased the freelance root.afs volume root
directory but failed to handle any other freelance volume objects.
As a result it used the contents of the uninitialized input structures
to populate the status of the object for which the callback was
obtained.
LICENSE MIT
Reviewed-on: http://gerrit.openafs.org/401
Tested-by: Asanka Herath <asanka@secure-endpoints.com>
Reviewed-by: Asanka Herath <asanka@secure-endpoints.com>
Tested-by: Jeffrey Altman <jaltman@openafs.org>
Reviewed-by: Jeffrey Altman <jaltman@openafs.org>
right now the math overflows the 32 bit type for >2tb partitions.
use larger variables to avoid this.
Reviewed-on: http://gerrit.openafs.org/392
Reviewed-by: Matt Benjamin <matt@linuxbox.com>
Reviewed-by: Andrew Deason <adeason@sinenomine.net>
Tested-by: Derrick Brashear <shadow@dementia.org>
Reviewed-by: Derrick Brashear <shadow@dementia.org>
Right now accessDate is simply never updated, so the last access time
for a volume is never reported. Simply update the field in
VBumpVolumeUsage_r, so we track the last time the volume was accessed.
Note that this does not increase disk writes to the volume header; the
performance impact is effectively nil.
Reviewed-on: http://gerrit.openafs.org/385
Reviewed-by: Derrick Brashear <shadow@dementia.org>
Tested-by: Derrick Brashear <shadow@dementia.org>
Adds conditional trace logging to MCAS object cache and supporting GC,
using ViceLog. While in future this should be normalized, it is correct
for both fileserver and volserver, the two programs using MCAS currently.
LICENSE BSD
Reviewed-on: http://gerrit.openafs.org/374
Reviewed-by: Derrick Brashear <shadow@dementia.org>
Tested-by: Derrick Brashear <shadow@dementia.org>
Added a bullet point explaining the use of a Kerberos cross-realm trust and PTS
foreign groups to give foreign users access.
Replaced a reference to Authentication Database with Kerberos Database.
LICENSE BSD
Reviewed-on: http://gerrit.openafs.org/381
Reviewed-by: Derrick Brashear <shadow@dementia.org>
Tested-by: Derrick Brashear <shadow@dementia.org>
Treat a file request for "name::$DATA" as if it were specified as
"name". Otherwise, the inclusion of the colon in the file name
will cause it to be treated as invalid.
LICENSE MIT
Reviewed-on: http://gerrit.openafs.org/395
Reviewed-by: Jeffrey Altman <jaltman@openafs.org>
Tested-by: Jeffrey Altman <jaltman@openafs.org>
The error code returned by rx_Write takes precedence under
all circumstances over the error returned by EndRXAFS_StoreData.
cm_ReleaseBIOD must apply the error code to all buffers in the
BIOD list.
cm_ReleaseBIOD accepts an error code, not a boolean indicating
failure.
Fix a related signed/unsigned error.
FIXES 125351
LICENSE MIT
Reviewed-on: http://gerrit.openafs.org/396
Tested-by: Asanka Herath <asanka@secure-endpoints.com>
Reviewed-by: Asanka Herath <asanka@secure-endpoints.com>
Tested-by: Jeffrey Altman <jaltman@openafs.org>
Reviewed-by: Jeffrey Altman <jaltman@openafs.org>
Removed the reference to the Authentication Server and added a reference to the Kerberos Server and Kerberos 5 authentication for foreign clients.
Replaced AFS Product Support with the AFS registrar as the maintainer of the
public CellServDB file. A link was added to grand.central.org for getting the
latest copy of the file and submitting changes for the local site.
Reviewed-on: http://gerrit.openafs.org/379
Reviewed-by: Derrick Brashear <shadow@dementia.org>
Tested-by: Derrick Brashear <shadow@dementia.org>
The size of sres_hdr is sizeof(sres_hdr), not sizeof(sres).
Reviewed-on: http://gerrit.openafs.org/393
Tested-by: Derrick Brashear <shadow@dementia.org>
Reviewed-by: Derrick Brashear <shadow@dementia.org>
Remove the conditional and Autoconf flag for enabling BosConfig.new
handling and change bosserver to always rename BosConfig.new to BosConfig
on startup if the former exists.
Document BosConfig.new handling in the bosserver and BosConfig man pages.
Tone down the warning about the BosConfig file format changing and warn
that bosserver rewrites BosConfig when shutting down.
Reviewed-on: http://gerrit.openafs.org/211
Reviewed-by: Derrick Brashear <shadow@dementia.org>
Tested-by: Derrick Brashear <shadow@dementia.org>
Right now, when the fileserver shuts down, it tries to cancel any
demand-salvages in progress. This causes the fileserver to hang, since
during shutdown, the salvageserver may already be gone. This avoids
cancelling in-progress salvages, and allows salvages to continue after
the fileserver has shut down.
To do this, the salvageserver now closes SALVSYNC sockets in spawned
children, so the children don't get SALVSYNC requests directed at them,
since they can't handle them. The salvageserver also now periodically
scans for logs of salvaging children that have terminated, and
incorporates them into SalsrvLog, just like it does for its own
children. The salvageserver children that actually perform salvages now
also set the inUse volume header field to their programType, so the
fileserver knows not to schedule new salvages for that volume in the
event of a fileserver restart during a salvage.
FIXES 124486
Reviewed-on: http://gerrit.openafs.org/279
Reviewed-by: Derrick Brashear <shadow@dementia.org>
Tested-by: Derrick Brashear <shadow@dementia.org>
The tracked amount of disk cache used by a client can be incorrect when
afs_fsfragsize is tuned to below 1023. Since we round up to the next
nearest afs_fsfragsize+1 then round down to the kb, if afs_fsfragsize+1
< 1kb, we can undershoot the cache usage.
This enforces afs_fsfragsize to always be at least 1023.
Reviewed-on: http://gerrit.openafs.org/338
Tested-by: Derrick Brashear <shadow@dementia.org>
Reviewed-by: Derrick Brashear <shadow@dementia.org>
Added text about Freelance Mode and Dynamic Root Mode and the changes they
cause when dealing with mounts to foreign cells in /afs and \\AFS
Reviewed-on: http://gerrit.openafs.org/380
Reviewed-by: Jeffrey Altman <jaltman@openafs.org>
Reviewed-by: Derrick Brashear <shadow@dementia.org>
Tested-by: Derrick Brashear <shadow@dementia.org>
The type "ViceFid" is just a clone of the type AFSFid and used only in a couple of places.
Thus, for simplicity, rename all occurrences of ViceFid to AFSFid and remove the
typedef itself.
Reviewed-on: http://gerrit.openafs.org/383
Tested-by: Jeffrey Altman <jaltman@openafs.org>
Reviewed-by: Jeffrey Altman <jaltman@openafs.org>
Tested-by: Derrick Brashear <shadow@dementia.org>
Reviewed-by: Derrick Brashear <shadow@dementia.org>
For some reason specifying a unique GUID for each open
file based on the cm_fid results in cygwin apps being
unable to read from AFS. ReadFile() calls fail with
Invalid Device Request errors instead.
While fixing that issue discovered that not all of the
data was properly set for QueryPathInfoAll operations.
LICENSE MIT
Reviewed-on: http://gerrit.openafs.org/388
Tested-by: Asanka Herath <asanka@secure-endpoints.com>
Reviewed-by: Asanka Herath <asanka@secure-endpoints.com>
Tested-by: Jeffrey Altman <jaltman@openafs.org>
Reviewed-by: Jeffrey Altman <jaltman@openafs.org>
Ensure that the index variable used to walk the fid history
of the current evaluated path is always initialized.
LICENSE MIT
Reviewed-on: http://gerrit.openafs.org/389
Tested-by: Asanka Herath <asanka@secure-endpoints.com>
Reviewed-by: Asanka Herath <asanka@secure-endpoints.com>
Tested-by: Jeffrey Altman <jaltman@openafs.org>
Reviewed-by: Jeffrey Altman <jaltman@openafs.org>
The previous fix prevented a null pointer dereference but
forgot to set 'effDomain' to the domain specified by the
caller if it exists and is not the local machine name.
LICENSE MIT
FIXES 125325
Reviewed-on: http://gerrit.openafs.org/390
Tested-by: Asanka Herath <asanka@secure-endpoints.com>
Reviewed-by: Asanka Herath <asanka@secure-endpoints.com>
Tested-by: Jeffrey Altman <jaltman@openafs.org>
Reviewed-by: Jeffrey Altman <jaltman@openafs.org>
The appropriate mkdir -p was missing for this case, the patch adds it.
Reviewed-on: http://gerrit.openafs.org/387
Tested-by: Derrick Brashear <shadow@dementia.org>
Reviewed-by: Derrick Brashear <shadow@dementia.org>
This creates dependency on ktc_newpag, which has been determined to be
obsolete.
Reviewed-on: http://gerrit.openafs.org/384
Tested-by: Derrick Brashear <shadow@dementia.org>
Reviewed-by: Derrick Brashear <shadow@dementia.org>
This seems to be a required step, going forward. Omitting breaks pam,
for example.
Reviewed-on: http://gerrit.openafs.org/382
Tested-by: Derrick Brashear <shadow@dementia.org>
Reviewed-by: Derrick Brashear <shadow@dementia.org>
Fixed the tokens update on preference pane if operation is made with NSStatusItem.
The src/packaging/MacOS/.gitignore has been updated for the CellServDB file, and afs.x86_darwin_100.plist has been added to src/libafs/.gitignore.
Reviewed-on: http://gerrit.openafs.org/372
Reviewed-by: Derrick Brashear <shadow@dementia.org>
Tested-by: Derrick Brashear <shadow@dementia.org>
Fixed a typo in the asetkey man page.
Reviewed-on: http://gerrit.openafs.org/373
Tested-by: Derrick Brashear <shadow@dementia.org>
Reviewed-by: Derrick Brashear <shadow@dementia.org>
-kext was added in later xcodes; it's safer to just assume we don't
have it.
Reviewed-on: http://gerrit.openafs.org/365
Tested-by: Derrick Brashear <shadow@dementia.org>
Reviewed-by: Derrick Brashear <shadow@dementia.org>
The SMB server does not support streams. When replying to
NT Create operations with extended responses report that
there are no streams. In addition, add support for Query
Path/File Stream Information and return only the null stream.
Correct the 'totalData' response field in several places
within Trans2QPathInfo and Trans2QFileInfo.
Return CM_ERROR_BADOP for SMB NT Transact operations that
are not supported instead of CM_ERROR_INVAL.
LICENSE MIT
Reviewed-on: http://gerrit.openafs.org/347
Tested-by: Asanka Herath <asanka@secure-endpoints.com>
Reviewed-by: Asanka Herath <asanka@secure-endpoints.com>
Tested-by: Jeffrey Altman <jaltman@openafs.org>
Reviewed-by: Jeffrey Altman <jaltman@openafs.org>
The file format is a single line containing one or more realms
separated by white space.
LICENSE BSD
Reviewed-on: http://gerrit.openafs.org/352
Reviewed-by: Derrick Brashear <shadow@dementia.org>
Tested-by: Derrick Brashear <shadow@dementia.org>
how panics get reported changed in 10.6. also, the 64 bit universal kext
means we don't know what the last boot was.
Reviewed-on: http://gerrit.openafs.org/353
Tested-by: Derrick Brashear <shadow@dementia.org>
Reviewed-by: Derrick Brashear <shadow@dementia.org>
NSUInteger is newer than what's included in the 10.4 SDK. restore
functionality for 10.4
Reviewed-on: http://gerrit.openafs.org/349
Tested-by: Derrick Brashear <shadow@dementia.org>
Reviewed-by: Derrick Brashear <shadow@dementia.org>
support 64 bit userland with 32 bit kernel, and
32 and 64 bit userland with 64 bit kernel
Reviewed-on: http://gerrit.openafs.org/343
Reviewed-by: Derrick Brashear <shadow@dementia.org>
Tested-by: Derrick Brashear <shadow@dementia.org>
if we redefine the names of all xdr_ functions, the same must be done
for xdr_alloc and xdr_free
Reviewed-on: http://gerrit.openafs.org/348
Tested-by: Derrick Brashear <shadow@dementia.org>
Reviewed-by: Derrick Brashear <shadow@dementia.org>
Some formatting corrections
Section 3.26 updated to describe limitations caused by Apple
Bonjour on 32-bit Windows.
Section 3.40 updated to mention Microsoft SMB Redirector
Extended Server Timeout support.
Section 3.41 updated to describe inability of pioctl operations
to succeed on service mapped drives.
Section 3.43 updated to include Windows 7 and Server 2008
in the known issues list.
New section 3.51 on Microsoft RPC Services
LICENSE MIT
Reviewed-on: http://gerrit.openafs.org/346
Tested-by: Jeffrey Altman <jaltman@openafs.org>
Reviewed-by: Jeffrey Altman <jaltman@openafs.org>