projects / ipfire-2.x.git / blame
| Commit | Line | Data |
|---|---|---|
| 1d13e637 AF |
1 | From 2e94b6ec10f1d15e24867bab3063bb85f173406a Mon Sep 17 00:00:00 2001 |
| 2 | From: Jeremy Allison <jra@samba.org> | |
| 3 | Date: Thu, 9 Jul 2015 10:58:11 -0700 | |
| 4 | Subject: [PATCH] CVE-2015-5252: s3: smbd: Fix symlink verification (file | |
| 5 | access outside the share). | |
| 6 | ||
| 7 | Ensure matching component ends in '/' or '\0'. | |
| 8 | ||
| 9 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=11395 | |
| 10 | ||
| 11 | Signed-off-by: Jeremy Allison <jra@samba.org> | |
| 12 | Reviewed-by: Volker Lendecke <vl@samba.org> | |
| 13 | --- | |
| 14 | source3/smbd/vfs.c | 7 +++++-- | |
| 15 | 1 file changed, 5 insertions(+), 2 deletions(-) | |
| 16 | ||
| 17 | diff --git a/source3/smbd/vfs.c b/source3/smbd/vfs.c | |
| 18 | index 6c56964..bd93b7f 100644 | |
| 19 | --- a/source3/smbd/vfs.c | |
| 20 | +++ b/source3/smbd/vfs.c | |
| 21 | @@ -982,6 +982,7 @@ NTSTATUS check_reduced_name(connection_struct *conn, const char *fname) | |
| 22 | if (!allow_widelinks || !allow_symlinks) { | |
| 23 | const char *conn_rootdir; | |
| 24 | size_t rootdir_len; | |
| 25 | + bool matched; | |
| 26 | ||
| 27 | conn_rootdir = SMB_VFS_CONNECTPATH(conn, fname); | |
| 28 | if (conn_rootdir == NULL) { | |
| 29 | @@ -992,8 +993,10 @@ NTSTATUS check_reduced_name(connection_struct *conn, const char *fname) | |
| 30 | } | |
| 31 | ||
| 32 | rootdir_len = strlen(conn_rootdir); | |
| 33 | - if (strncmp(conn_rootdir, resolved_name, | |
| 34 | - rootdir_len) != 0) { | |
| 35 | + matched = (strncmp(conn_rootdir, resolved_name, | |
| 36 | + rootdir_len) == 0); | |
| 37 | + if (!matched || (resolved_name[rootdir_len] != '/' && | |
| 38 | + resolved_name[rootdir_len] != '\0')) { | |
| 39 | DEBUG(2, ("check_reduced_name: Bad access " | |
| 40 | "attempt: %s is a symlink outside the " | |
| 41 | "share path\n", fname)); | |
| 42 | -- | |
| 43 | 2.5.0 | |
| 44 |