Commit | Line | Data |
---|---|---|
1d13e637 AF |
1 | From 2e94b6ec10f1d15e24867bab3063bb85f173406a Mon Sep 17 00:00:00 2001 |
2 | From: Jeremy Allison <jra@samba.org> | |
3 | Date: Thu, 9 Jul 2015 10:58:11 -0700 | |
4 | Subject: [PATCH] CVE-2015-5252: s3: smbd: Fix symlink verification (file | |
5 | access outside the share). | |
6 | ||
7 | Ensure matching component ends in '/' or '\0'. | |
8 | ||
9 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=11395 | |
10 | ||
11 | Signed-off-by: Jeremy Allison <jra@samba.org> | |
12 | Reviewed-by: Volker Lendecke <vl@samba.org> | |
13 | --- | |
14 | source3/smbd/vfs.c | 7 +++++-- | |
15 | 1 file changed, 5 insertions(+), 2 deletions(-) | |
16 | ||
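--- a/source3/smbd/vfs.c
+++ b/source3/smbd/vfs.c
@@ -982,6 +982,7 @@ NTSTATUS check_reduced_name(connection_struct *conn, const char *fname)
 if (!allow_widelinks || !allow_symlinks) {
 const char *conn_rootdir;
 size_t rootdir_len;
+ bool matched;
 
 conn_rootdir = SMB_VFS_CONNECTPATH(conn, fname);
 if (conn_rootdir == NULL) {
@@ -992,8 +993,10 @@ NTSTATUS check_reduced_name(connection_struct *conn, const char *fname)
 }
 
 rootdir_len = strlen(conn_rootdir);
- if (strncmp(conn_rootdir, resolved_name,
- rootdir_len) != 0) {
+ matched = (strncmp(conn_rootdir, resolved_name,
+ rootdir_len) == 0);
+ if (!matched || (resolved_name[rootdir_len] != '/' &&
+ resolved_name[rootdir_len] != '\0')) {
 DEBUG(2, ("check_reduced_name: Bad access "
 "attempt: %s is a symlink outside the "
 "share path\n", fname));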
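Review bot: The new separator test in check_reduced_name rejects every path when the share root itself ends in a slash, most obviously when `conn_rootdir` is `/`: `rootdir_len` is then 1 and `resolved_name[rootdir_len]` is the first character of the next component, never `/` or `\0`. That fails closed, so the containment fix still holds, but a share exported at the filesystem root would presumably see all access denied when wide links or symlinks are disabled. Handling that case explicitly, e.g. `if (!matched || (rootdir_len > 1 && resolved_name[rootdir_len] != '/' && resolved_name[rootdir_len] != '\0')) {`, keeps the boundary check for every other root; whether `conn_rootdir` can carry a trailing slash in other cases is not visible here and should be confirmed. A short comment noting that indexing `resolved_name[rootdir_len]` is only safe because `!matched` short-circuits first would help later edits. The function starts and ends outside these hunks.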
42 | -- | |
43 | 2.5.0 | |
44 |