Inicio Explorar Axuda
Iniciar sesión
iank
/
libreCMC
Fork de libreCMC/libreCMC
1
0
Fork 0
Ficheiros
Árbore: f529696ddd
Ramas Etiquetas
libreCMC
/
package
/
network
/
services
/
samba36
/
patches
/
015-patch-cve-2015-7560.patch

015-patch-cve-2015-7560.patch 4.5 KB
Histórico Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172 
  1. From eb27f9b7bf9c1dc902d9545eecf805831bd4e46c Mon Sep 17 00:00:00 2001
    2. 

  2. From: Jeremy Allison <jra@samba.org>
    3. 

  3. Date: Tue, 5 Jan 2016 11:18:12 -0800
    4. 

  4. Subject: [PATCH 1/8] CVE-2015-7560: s3: smbd: Add refuse_symlink() function
    5. 

  5.  that can be used to prevent operations on a symlink.
    6. 

  6. 

  7. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
    8. 

  8. 

  9. Signed-off-by: Jeremy Allison <jra@samba.org>
    10. 

  10. Reviewed-by: Michael Adam <obnox@samba.org>
    11. 

  11. ---
    12. 

  12.  source3/smbd/trans2.c | 28 ++++++++++++++++++++++++++++
    13. 

  13.  1 file changed, 28 insertions(+)
    14. 

  14. 

  15. --- a/source3/smbd/trans2.c
    16. 

  16. +++ b/source3/smbd/trans2.c
    17. 

  17. @@ -51,6 +51,34 @@ static char *store_file_unix_basic_info2
    18. 

  18.  				files_struct *fsp,
    19. 

  19.  				const SMB_STRUCT_STAT *psbuf);
    20. 

  20.  
    21. 

  21. +/****************************************************************************
    22. 

  22. + Check if an open file handle or pathname is a symlink.
    23. 

  23. +****************************************************************************/
    24. 

  24. +
    25. 

  25. +static NTSTATUS refuse_symlink(connection_struct *conn,
    26. 

  26. +			const files_struct *fsp,
    27. 

  27. +			const char *name)
    28. 

  28. +{
    29. 

  29. +	SMB_STRUCT_STAT sbuf;
    30. 

  30. +	const SMB_STRUCT_STAT *pst = NULL;
    31. 

  31. +
    32. 

  32. +	if (fsp) {
    33. 

  33. +		pst = &fsp->fsp_name->st;
    34. 

  34. +	} else {
    35. 

  35. +		int ret = vfs_stat_smb_fname(conn,
    36. 

  36. +				name,
    37. 

  37. +				&sbuf);
    38. 

  38. +		if (ret == -1) {
    39. 

  39. +			return map_nt_error_from_unix(errno);
    40. 

  40. +		}
    41. 

  41. +		pst = &sbuf;
    42. 

  42. +	}
    43. 

  43. +	if (S_ISLNK(pst->st_ex_mode)) {
    44. 

  44. +		return NT_STATUS_ACCESS_DENIED;
    45. 

  45. +	}
    46. 

  46. +	return NT_STATUS_OK;
    47. 

  47. +}
    48. 

  48. +
    49. 

  49.  /********************************************************************
    50. 

  50.   Roundup a value to the nearest allocation roundup size boundary.
    51. 

  51.   Only do this for Windows clients.
    52. 

  52. @@ -181,12 +209,22 @@ NTSTATUS get_ea_names_from_file(TALLOC_C
    53. 

  53.  	char **names, **tmp;
    54. 

  54.  	size_t num_names;
    55. 

  55.  	ssize_t sizeret = -1;
    56. 

  56. +	NTSTATUS status;
    57. 

  57. +
    58. 

  58. +	if (pnames) {
    59. 

  59. +		*pnames = NULL;
    60. 

  60. +	}
    61. 

  61. +	*pnum_names = 0;
    62. 

  62.  
    63. 

  63.  	if (!lp_ea_support(SNUM(conn))) {
    64. 

  64. -		if (pnames) {
    65. 

  65. -			*pnames = NULL;
    66. 

  66. -		}
    67. 

  67. -		*pnum_names = 0;
    68. 

  68. +		return NT_STATUS_OK;
    69. 

  69. +	}
    70. 

  70. +
    71. 

  71. +	status = refuse_symlink(conn, fsp, fname);
    72. 

  72. +	if (!NT_STATUS_IS_OK(status)) {
    73. 

  73. +		/*
    74. 

  74. +		 * Just return no EA's on a symlink.
    75. 

  75. +		 */
    76. 

  76.  		return NT_STATUS_OK;
    77. 

  77.  	}
    78. 

  78.  
    79. 

  79. @@ -236,10 +274,6 @@ NTSTATUS get_ea_names_from_file(TALLOC_C
    80. 

  80.  
    81. 

  81.  	if (sizeret == 0) {
    82. 

  82.  		TALLOC_FREE(names);
    83. 

  83. -		if (pnames) {
    84. 

  84. -			*pnames = NULL;
    85. 

  85. -		}
    86. 

  86. -		*pnum_names = 0;
    87. 

  87.  		return NT_STATUS_OK;
    88. 

  88.  	}
    89. 

  89.  
    90. 

  90. @@ -550,6 +584,7 @@ NTSTATUS set_ea(connection_struct *conn,
    91. 

  91.  		const struct smb_filename *smb_fname, struct ea_list *ea_list)
    92. 

  92.  {
    93. 

  93.  	char *fname = NULL;
    94. 

  94. +	NTSTATUS status;
    95. 

  95.  
    96. 

  96.  	if (!lp_ea_support(SNUM(conn))) {
    97. 

  97.  		return NT_STATUS_EAS_NOT_SUPPORTED;
    98. 

  98. @@ -559,6 +594,12 @@ NTSTATUS set_ea(connection_struct *conn,
    99. 

  99.  		return NT_STATUS_ACCESS_DENIED;
    100. 

  100.  	}
    101. 

  101.  
    102. 

  102. +	status = refuse_symlink(conn, fsp, smb_fname->base_name);
    103. 

  103. +	if (!NT_STATUS_IS_OK(status)) {
    104. 

  104. +		return status;
    105. 

  105. +	}
    106. 

  106. +
    107. 

  107. +
    108. 

  108.  	/* For now setting EAs on streams isn't supported. */
    109. 

  109.  	fname = smb_fname->base_name;
    110. 

  110.  
    111. 

  111. @@ -4931,6 +4972,13 @@ NTSTATUS smbd_do_qfilepathinfo(connectio
    112. 

  112.  				uint16 num_file_acls = 0;
    113. 

  113.  				uint16 num_def_acls = 0;
    114. 

  114.  
    115. 

  115. +				status = refuse_symlink(conn,
    116. 

  116. +						fsp,
    117. 

  117. +						smb_fname->base_name);
    118. 

  118. +				if (!NT_STATUS_IS_OK(status)) {
    119. 

  119. +					return status;
    120. 

  120. +				}
    121. 

  121. +
    122. 

  122.  				if (fsp && fsp->fh->fd != -1) {
    123. 

  123.  					file_acl = SMB_VFS_SYS_ACL_GET_FD(fsp);
    124. 

  124.  				} else {
    125. 

  125. @@ -6452,6 +6500,7 @@ static NTSTATUS smb_set_posix_acl(connec
    126. 

  126.  	uint16 num_def_acls;
    127. 

  127.  	bool valid_file_acls = True;
    128. 

  128.  	bool valid_def_acls = True;
    129. 

  129. +	NTSTATUS status;
    130. 

  130.  
    131. 

  131.  	if (total_data < SMB_POSIX_ACL_HEADER_SIZE) {
    132. 

  132.  		return NT_STATUS_INVALID_PARAMETER;
    133. 

  133. @@ -6479,6 +6528,11 @@ static NTSTATUS smb_set_posix_acl(connec
    134. 

  134.  		return NT_STATUS_INVALID_PARAMETER;
    135. 

  135.  	}
    136. 

  136.  
    137. 

  137. +	status = refuse_symlink(conn, fsp, smb_fname->base_name);
    138. 

  138. +	if (!NT_STATUS_IS_OK(status)) {
    139. 

  139. +		return status;
    140. 

  140. +	}
    141. 

  141. +
    142. 

  142.  	DEBUG(10,("smb_set_posix_acl: file %s num_file_acls = %u, num_def_acls = %u\n",
    143. 

  143.  		smb_fname ? smb_fname_str_dbg(smb_fname) : fsp_str_dbg(fsp),
    144. 

  144.  		(unsigned int)num_file_acls,
    145. 

  145. --- a/source3/smbd/nttrans.c
    146. 

  146. +++ b/source3/smbd/nttrans.c
    147. 

  147. @@ -877,6 +877,12 @@ NTSTATUS set_sd(files_struct *fsp, struc
    148. 

  148.  		return NT_STATUS_OK;
    149. 

  149.  	}
    150. 

  150.  
    151. 

  151. +	if (S_ISLNK(fsp->fsp_name->st.st_ex_mode)) {
    152. 

  152. +		DEBUG(10, ("ACL set on symlink %s denied.\n",
    153. 

  153. +			fsp_str_dbg(fsp)));
    154. 

  154. +		return NT_STATUS_ACCESS_DENIED;
    155. 

  155. +	}
    156. 

  156. +
    157. 

  157.  	if (psd->owner_sid == NULL) {
    158. 

  158.  		security_info_sent &= ~SECINFO_OWNER;
    159. 

  159.  	}
    160. 

  160. @@ -1925,6 +1931,12 @@ NTSTATUS smbd_do_query_security_desc(con
    161. 

  161.  		return NT_STATUS_ACCESS_DENIED;
    162. 

  162.  	}
    163. 

  163.  
    164. 

  164. +	if (S_ISLNK(fsp->fsp_name->st.st_ex_mode)) {
    165. 

  165. +		DEBUG(10, ("ACL get on symlink %s denied.\n",
    166. 

  166. +			fsp_str_dbg(fsp)));
    167. 

  167. +		return NT_STATUS_ACCESS_DENIED;
    168. 

  168. +	}
    169. 

  169. +
    170. 

  170.  	if (security_info_wanted & (SECINFO_DACL|SECINFO_OWNER|
    171. 

  171.  			SECINFO_GROUP|SECINFO_SACL)) {
    172. 

  172.  		/* Don't return SECINFO_LABEL if anything else was
    173.