protocol: disable connection reuse for SMB(S)#21238
Closed
bagder wants to merge 2 commits into
Closed
Conversation
Connections should only be reused when using the same "share" (and perhaps some additional conditions), but instead of fixing this flaw, this change completely disables connection reuse for SMB. This protocol is about to get dropped soon anyway. Reported-by: Osama Hamad
There was a problem hiding this comment.
Pull request overview
Disables connection reuse for SMB/SMBS to avoid incorrect reuse across different SMB shares (given current reuse logic is flawed and SMB is planned for deprecation).
Changes:
- Remove
PROTOPT_CONN_REUSEfrom thesmbscheme definition. - Remove
PROTOPT_CONN_REUSEfrom thesmbsscheme definition (while retainingPROTOPT_SSL).
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
use PROTOPT_NONE Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
icanhasmath
pushed a commit
to ActiveState/curl
that referenced
this pull request
May 29, 2026
Connections should only be reused when using the same "share" (and perhaps some additional conditions), but instead of fixing this flaw, this change completely disables connection reuse for SMB. Reported-by: Osama Hamad Closes curl#21238 (cherry picked from commit 74a1695) Backport to 8.17.0 to address CVE-2026-5773 (libcurl could reuse the wrong SMB(S) connection because the share name was not considered when matching connections for reuse). 8.17.0 predates the lib/protocol.c opt-in PROTOPT_CONN_REUSE model used upstream, so instead of clearing that flag the equivalent effect is achieved by setting conn->bits.no_reuse = TRUE in smb_setup_connection(); url.c's match loop rejects any pooled connection with that bit set.
outcast36
pushed a commit
to greearb/curl
that referenced
this pull request
Jun 3, 2026
Connections should only be reused when using the same "share" (and perhaps some additional conditions), but instead of fixing this flaw, this change completely disables connection reuse for SMB. This protocol is about to get dropped soon anyway. Reported-by: Osama Hamad Closes curl#21238
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Connections should only be reused when using the same "share" (and perhaps some additional conditions), but instead of fixing this flaw, this change completely disables connection reuse for SMB. This protocol is about to get dropped soon anyway.
Reported-by: Osama Hamad