010-patch-cve-2015-5252.patch 1.3 KB

123456789101112131415161718192021222324252627282930313233343536373839
  1. From 2e94b6ec10f1d15e24867bab3063bb85f173406a Mon Sep 17 00:00:00 2001
  2. From: Jeremy Allison <jra@samba.org>
  3. Date: Thu, 9 Jul 2015 10:58:11 -0700
  4. Subject: [PATCH] CVE-2015-5252: s3: smbd: Fix symlink verification (file
  5. access outside the share).
  6. Ensure matching component ends in '/' or '\0'.
  7. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11395
  8. Signed-off-by: Jeremy Allison <jra@samba.org>
  9. Reviewed-by: Volker Lendecke <vl@samba.org>
  10. ---
  11. source3/smbd/vfs.c | 7 +++++--
  12. 1 file changed, 5 insertions(+), 2 deletions(-)
  13. --- a/source3/smbd/vfs.c
  14. +++ b/source3/smbd/vfs.c
  15. @@ -982,6 +982,7 @@ NTSTATUS check_reduced_name(connection_s
  16. if (!allow_widelinks || !allow_symlinks) {
  17. const char *conn_rootdir;
  18. size_t rootdir_len;
  19. + bool matched;
  20. conn_rootdir = SMB_VFS_CONNECTPATH(conn, fname);
  21. if (conn_rootdir == NULL) {
  22. @@ -992,8 +993,10 @@ NTSTATUS check_reduced_name(connection_s
  23. }
  24. rootdir_len = strlen(conn_rootdir);
  25. - if (strncmp(conn_rootdir, resolved_name,
  26. - rootdir_len) != 0) {
  27. + matched = (strncmp(conn_rootdir, resolved_name,
  28. + rootdir_len) == 0);
  29. + if (!matched || (resolved_name[rootdir_len] != '/' &&
  30. + resolved_name[rootdir_len] != '\0')) {
  31. DEBUG(2, ("check_reduced_name: Bad access "
  32. "attempt: %s is a symlink outside the "
  33. "share path\n", fname));