s3: smbd: Sanitize any "server" and "share" components of SMB1 DFS paths to remove...

Remove knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15419

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Thu Jul 27 10:52:50 UTC 2023 on atb-devel-224

(cherry picked from commit 20df26b908182f0455f301a51aeb54b6044af580)

Autobuild-User(v4-18-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-18-test): Thu Aug 31 09:38:21 UTC 2023 on atb-devel-224

diff --git a/selftest/knownfail.d/dfs_badpath b/selftest/knownfail.d/dfs_badpath
deleted file mode 100644 (file)
index 9fd16e9..0000000
--- a/selftest/knownfail.d/dfs_badpath
+++ /dev/null
@@ -1 +0,0 @@
-^samba3.smbtorture_s3.smb1.SMB1-DFS-BADPATH.smbtorture\(fileserver_smb1\)

diff --git a/source3/smbd/smb2_reply.c b/source3/smbd/smb2_reply.c
index 5ff6f4db8c97bdbd05cd91572fa947c6bd894622..9476c69b73ca907267278d13856f9642fc665d33 100644 (file)
--- a/source3/smbd/smb2_reply.c
+++ b/source3/smbd/smb2_reply.c
@@ -335,6 +335,7 @@ static size_t srvstr_get_path_internal(TALLOC_CTX *ctx,
                char *share = NULL;
                char *remaining_path = NULL;
                char path_sep = 0;
+               char *p = NULL;
 
                if (posix_pathnames && (dst[0] == '/')) {
                        path_sep = dst[0];
@@ -385,6 +386,16 @@ static size_t srvstr_get_path_internal(TALLOC_CTX *ctx,
                if (share == NULL) {
                        goto local_path;
                }
+               /*
+                * Ensure the server name does not contain
+                * any possible path components by converting
+                * them to _'s.
+                */
+               for (p = server + 1; p < share; p++) {
+                       if (*p == '/' || *p == '\\') {
+                               *p = '_';
+                       }
+               }
                /*
                 * It's a well formed DFS path with
                 * at least server and share components.
@@ -399,6 +410,16 @@ static size_t srvstr_get_path_internal(TALLOC_CTX *ctx,
                 */
                remaining_path = strchr(share+1, path_sep);
                if (remaining_path == NULL) {
+                       /*
+                        * Ensure the share name does not contain
+                        * any possible path components by converting
+                        * them to _'s.
+                        */
+                       for (p = share + 1; *p; p++) {
+                               if (*p == '/' || *p == '\\') {
+                                       *p = '_';
+                               }
+                       }
                        /*
                         * If no remaining path this was
                         * a bare /server/share path. Just return.
@@ -406,6 +427,16 @@ static size_t srvstr_get_path_internal(TALLOC_CTX *ctx,
                        *err = NT_STATUS_OK;
                        return ret;
                }
+               /*
+                * Ensure the share name does not contain
+                * any possible path components by converting
+                * them to _'s.
+                */
+               for (p = share + 1; p < remaining_path; p++) {
+                       if (*p == '/' || *p == '\\') {
+                               *p = '_';
+                       }
+               }
                *remaining_path = '/';
                dst = remaining_path + 1;
                /* dst now points at any following components. */