| 123456789101112131415161718192021222324252627282930313233343536373839 |
- From 2e94b6ec10f1d15e24867bab3063bb85f173406a Mon Sep 17 00:00:00 2001
- From: Jeremy Allison <jra@samba.org>
- Date: Thu, 9 Jul 2015 10:58:11 -0700
- Subject: [PATCH] CVE-2015-5252: s3: smbd: Fix symlink verification (file
- access outside the share).
- Ensure matching component ends in '/' or '\0'.
- BUG: https://bugzilla.samba.org/show_bug.cgi?id=11395
- Signed-off-by: Jeremy Allison <jra@samba.org>
- Reviewed-by: Volker Lendecke <vl@samba.org>
- ---
- source3/smbd/vfs.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
- --- a/source3/smbd/vfs.c
- +++ b/source3/smbd/vfs.c
- @@ -982,6 +982,7 @@ NTSTATUS check_reduced_name(connection_s
- if (!allow_widelinks || !allow_symlinks) {
- const char *conn_rootdir;
- size_t rootdir_len;
- + bool matched;
-
- conn_rootdir = SMB_VFS_CONNECTPATH(conn, fname);
- if (conn_rootdir == NULL) {
- @@ -992,8 +993,10 @@ NTSTATUS check_reduced_name(connection_s
- }
-
- rootdir_len = strlen(conn_rootdir);
- - if (strncmp(conn_rootdir, resolved_name,
- - rootdir_len) != 0) {
- + matched = (strncmp(conn_rootdir, resolved_name,
- + rootdir_len) == 0);
- + if (!matched || (resolved_name[rootdir_len] != '/' &&
- + resolved_name[rootdir_len] != '\0')) {
- DEBUG(2, ("check_reduced_name: Bad access "
- "attempt: %s is a symlink outside the "
- "share path\n", fname));
|
