src/patches/samba/CVE-2015-5252-v3-6-bso11395.patch

   1 From 2e94b6ec10f1d15e24867bab3063bb85f173406a Mon Sep 17 00:00:00 2001
   2 From: Jeremy Allison <jra@samba.org>
   3 Date: Thu, 9 Jul 2015 10:58:11 -0700
   4 Subject: [PATCH] CVE-2015-5252: s3: smbd: Fix symlink verification (file
   5  access outside the share).
   6
   7 Ensure matching component ends in '/' or '\0'.
   8
   9 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11395
  10
  11 Signed-off-by: Jeremy Allison <jra@samba.org>
  12 Reviewed-by: Volker Lendecke <vl@samba.org>
  13 ---
  14  source3/smbd/vfs.c | 7 +++++--
  15  1 file changed, 5 insertions(+), 2 deletions(-)
  16
  17 diff --git a/source3/smbd/vfs.c b/source3/smbd/vfs.c
  18 index 6c56964..bd93b7f 100644
  19 --- a/source3/smbd/vfs.c
  20 +++ b/source3/smbd/vfs.c
  21 @@ -982,6 +982,7 @@ NTSTATUS check_reduced_name(connection_struct *conn, const char *fname)
  22         if (!allow_widelinks || !allow_symlinks) {
  23                 const char *conn_rootdir;
  24                 size_t rootdir_len;
  25 +               bool matched;
  26
  27                 conn_rootdir = SMB_VFS_CONNECTPATH(conn, fname);
  28                 if (conn_rootdir == NULL) {
  29 @@ -992,8 +993,10 @@ NTSTATUS check_reduced_name(connection_struct *conn, const char *fname)
  30                 }
  31
  32                 rootdir_len = strlen(conn_rootdir);
  33 -               if (strncmp(conn_rootdir, resolved_name,
  34 -                               rootdir_len) != 0) {
  35 +               matched = (strncmp(conn_rootdir, resolved_name,
  36 +                               rootdir_len) == 0);
  37 +               if (!matched || (resolved_name[rootdir_len] != '/' &&
  38 +                                resolved_name[rootdir_len] != '\0')) {
  39                         DEBUG(2, ("check_reduced_name: Bad access "
  40                                 "attempt: %s is a symlink outside the "
  41                                 "share path\n", fname));
  42 --
  43 2.5.0
  44