+From a398754c9bb1639f762979765de6c540c714b5cb Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Mon, 20 Mar 2017 11:32:19 -0700
+Subject: [PATCH 01/15] CVE-2017-2619: s3/smbd: re-open directory after
+ dptr_CloseDir()
+
+dptr_CloseDir() will close and invalidate the fsp's file descriptor, we
+have to reopen it.
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=12496
+
+Signed-off-by: Ralph Bohme <slow@samba.org>
+Signed-off-by: Jeremy Allison <jra@samba.org>
+---
+ source3/smbd/open.c | 2 +-
+ source3/smbd/proto.h | 2 ++
+ source3/smbd/smb2_find.c | 17 +++++++++++++++++
+ 3 files changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/source3/smbd/open.c b/source3/smbd/open.c
+index 441b8cd4362..35eee0a1485 100644
+--- a/source3/smbd/open.c
++++ b/source3/smbd/open.c
+@@ -197,7 +197,7 @@ static NTSTATUS check_base_file_access(struct connection_struct *conn,
+ fd support routines - attempt to do a dos_open.
+ ****************************************************************************/
+
+-static NTSTATUS fd_open(struct connection_struct *conn,
++NTSTATUS fd_open(struct connection_struct *conn,
+ files_struct *fsp,
+ int flags,
+ mode_t mode)
+diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h
+index f5fad2bbb50..594edfa1e98 100644
+--- a/source3/smbd/proto.h
++++ b/source3/smbd/proto.h
+@@ -603,6 +603,8 @@ NTSTATUS smb1_file_se_access_check(connection_struct *conn,
+ const struct security_token *token,
+ uint32_t access_desired,
+ uint32_t *access_granted);
++NTSTATUS fd_open(struct connection_struct *conn, files_struct *fsp,
++ int flags, mode_t mode);
+ NTSTATUS fd_close(files_struct *fsp);
+ void change_file_owner_to_parent(connection_struct *conn,
+ const char *inherit_from_dir,
+diff --git a/source3/smbd/smb2_find.c b/source3/smbd/smb2_find.c
+index 6fe6545c128..9dd3176497b 100644
+--- a/source3/smbd/smb2_find.c
++++ b/source3/smbd/smb2_find.c
+@@ -24,6 +24,7 @@
+ #include "../libcli/smb/smb_common.h"
+ #include "trans2.h"
+ #include "../lib/util/tevent_ntstatus.h"
++#include "system/filesys.h"
+
+ static struct tevent_req *smbd_smb2_find_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+@@ -301,7 +302,23 @@ static struct tevent_req *smbd_smb2_find_send(TALLOC_CTX *mem_ctx,
+ }
+
+ if (in_flags & SMB2_CONTINUE_FLAG_REOPEN) {
++ int flags;
++
+ dptr_CloseDir(fsp);
++
++ /*
++ * dptr_CloseDir() will close and invalidate the fsp's file
++ * descriptor, we have to reopen it.
++ */
++
++ flags = O_RDONLY;
++#ifdef O_DIRECTORY
++ flags |= O_DIRECTORY;
++#endif
++ status = fd_open(conn, fsp, flags, 0);
++ if (tevent_req_nterror(req, status)) {
++ return tevent_req_post(req, ev);
++ }
+ }
+
+ wcard_has_wild = ms_has_wild(in_file_name);
+--
+2.13.5
+
+
+From a35fa98b99aa60132eb2c083d6393c28905e2045 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Tue, 28 Feb 2017 09:24:07 -0800
+Subject: [PATCH 02/15] s3: vfs: dirsort doesn't handle opendir of "."
+ correctly.
+
+Needs to store $cwd path for correct sorting.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12499
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+---
+ source3/modules/vfs_dirsort.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/source3/modules/vfs_dirsort.c b/source3/modules/vfs_dirsort.c
+index 66582e67890..dbcf0b16ed3 100644
+--- a/source3/modules/vfs_dirsort.c
++++ b/source3/modules/vfs_dirsort.c
+@@ -153,6 +153,10 @@ static SMB_STRUCT_DIR *dirsort_opendir(vfs_handle_struct *handle,
+ return NULL;
+ }
+
++ if (ISDOT(data->smb_fname->base_name)) {
++ data->smb_fname->base_name = vfs_GetWd(data, handle->conn);
++ }
++
+ /* Open the underlying directory and count the number of entries */
+ data->source_directory = SMB_VFS_NEXT_OPENDIR(handle, fname, mask,
+ attr);
+--
+2.13.5
+
+
+From 23d2849d724a0f5bdf51dc7d7db438ed9fb4c2a9 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Mon, 13 Mar 2017 13:44:42 -0700
+Subject: [PATCH 03/15] s3: VFS: vfs_streams_xattr.c: Make streams_xattr_open()
+ store the same path as streams_xattr_recheck().
+
+If the open is changing directories, fsp->fsp_name->base_name
+will be the full path from the share root, whilst
+smb_fname will be relative to the $cwd.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12546
+
+Back-ported from a24ba3e4083200ec9885363efc5769f43183fb6b
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+---
+ source3/modules/vfs_streams_xattr.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/source3/modules/vfs_streams_xattr.c b/source3/modules/vfs_streams_xattr.c
+index 731c813f4d7..be46f8dc1e6 100644
+--- a/source3/modules/vfs_streams_xattr.c
++++ b/source3/modules/vfs_streams_xattr.c
+@@ -511,8 +511,15 @@ static int streams_xattr_open(vfs_handle_struct *handle,
+
+ sio->xattr_name = talloc_strdup(VFS_MEMCTX_FSP_EXTENSION(handle, fsp),
+ xattr_name);
++ /*
++ * sio->base needs to be a copy of fsp->fsp_name->base_name,
++ * making it identical to streams_xattr_recheck(). If the
++ * open is changing directories, fsp->fsp_name->base_name
++ * will be the full path from the share root, whilst
++ * smb_fname will be relative to the $cwd.
++ */
+ sio->base = talloc_strdup(VFS_MEMCTX_FSP_EXTENSION(handle, fsp),
+- smb_fname->base_name);
++ fsp->fsp_name->base_name);
+ sio->fsp_name_ptr = fsp->fsp_name;
+ sio->handle = handle;
+ sio->fsp = fsp;
+--
+2.13.5
+
+
+From 91935aaf77c70e3e2436af1d6e4a538d29fd4276 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Mon, 13 Mar 2017 13:54:04 -0700
+Subject: [PATCH 04/15] vfs_streams_xattr: use fsp, not base_fsp
+
+The base_fsp's fd is always -1 as it's closed after being openend in
+create_file_unixpath().
+
+Additionally in streams_xattr_open force using of SMB_VFS_FSETXATTR() by
+sticking the just created fd into the fsp (and removing it afterwards).
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12591
+
+Back-ported from 021189e32ba507832b5e821e5cda8a2889225955.
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+---
+ source3/modules/vfs_streams_xattr.c | 205 +++++++++++++++++-------------------
+ 1 file changed, 99 insertions(+), 106 deletions(-)
+
+diff --git a/source3/modules/vfs_streams_xattr.c b/source3/modules/vfs_streams_xattr.c
+index be46f8dc1e6..a4ab84bba71 100644
+--- a/source3/modules/vfs_streams_xattr.c
++++ b/source3/modules/vfs_streams_xattr.c
+@@ -229,7 +229,7 @@ static int streams_xattr_fstat(vfs_handle_struct *handle, files_struct *fsp,
+ return -1;
+ }
+
+- sbuf->st_ex_size = get_xattr_size(handle->conn, fsp->base_fsp,
++ sbuf->st_ex_size = get_xattr_size(handle->conn, fsp,
+ io->base, io->xattr_name);
+ if (sbuf->st_ex_size == -1) {
+ return -1;
+@@ -364,6 +364,7 @@ static int streams_xattr_open(vfs_handle_struct *handle,
+ char *xattr_name = NULL;
+ int baseflags;
+ int hostfd = -1;
++ int ret;
+
+ DEBUG(10, ("streams_xattr_open called for %s\n",
+ smb_fname_str_dbg(smb_fname)));
+@@ -375,133 +376,125 @@ static int streams_xattr_open(vfs_handle_struct *handle,
+ /* If the default stream is requested, just open the base file. */
+ if (is_ntfs_default_stream_smb_fname(smb_fname)) {
+ char *tmp_stream_name;
+- int ret;
+
+ tmp_stream_name = smb_fname->stream_name;
+ smb_fname->stream_name = NULL;
+
+ ret = SMB_VFS_NEXT_OPEN(handle, smb_fname, fsp, flags, mode);
+
+- smb_fname->stream_name = tmp_stream_name;
+-
+- return ret;
+- }
++ smb_fname->stream_name = tmp_stream_name;
+
+- status = streams_xattr_get_name(talloc_tos(), smb_fname->stream_name,
+- &xattr_name);
+- if (!NT_STATUS_IS_OK(status)) {
+- errno = map_errno_from_nt_status(status);
+- goto fail;
+- }
++ return ret;
++ }
+
+- /* Create an smb_filename with stream_name == NULL. */
+- status = create_synthetic_smb_fname(talloc_tos(),
+- smb_fname->base_name,
+- NULL, NULL,
+- &smb_fname_base);
+- if (!NT_STATUS_IS_OK(status)) {
+- errno = map_errno_from_nt_status(status);
+- goto fail;
+- }
++ status = streams_xattr_get_name(talloc_tos(), smb_fname->stream_name,
++ &xattr_name);
++ if (!NT_STATUS_IS_OK(status)) {
++ errno = map_errno_from_nt_status(status);
++ goto fail;
++ }
+
+- /*
+- * We use baseflags to turn off nasty side-effects when opening the
+- * underlying file.
+- */
+- baseflags = flags;
+- baseflags &= ~O_TRUNC;
+- baseflags &= ~O_EXCL;
+- baseflags &= ~O_CREAT;
++ /* Create an smb_filename with stream_name == NULL. */
++ status = create_synthetic_smb_fname(talloc_tos(),
++ smb_fname->base_name,
++ NULL, NULL,
++ &smb_fname_base);
++ if (!NT_STATUS_IS_OK(status)) {
++ errno = map_errno_from_nt_status(status);
++ goto fail;
++ }
+
+- hostfd = SMB_VFS_OPEN(handle->conn, smb_fname_base, fsp,
+- baseflags, mode);
++ /*
++ * We use baseflags to turn off nasty side-effects when opening the
++ * underlying file.
++ */
++ baseflags = flags;
++ baseflags &= ~O_TRUNC;
++ baseflags &= ~O_EXCL;
++ baseflags &= ~O_CREAT;
+
+- TALLOC_FREE(smb_fname_base);
++ hostfd = SMB_VFS_OPEN(handle->conn, smb_fname_base, fsp,
++ baseflags, mode);
+
+- /* It is legit to open a stream on a directory, but the base
+- * fd has to be read-only.
+- */
+- if ((hostfd == -1) && (errno == EISDIR)) {
+- baseflags &= ~O_ACCMODE;
+- baseflags |= O_RDONLY;
+- hostfd = SMB_VFS_OPEN(handle->conn, smb_fname, fsp, baseflags,
+- mode);
+- }
++ TALLOC_FREE(smb_fname_base);
+
+- if (hostfd == -1) {
+- goto fail;
+- }
++ /* It is legit to open a stream on a directory, but the base
++ * fd has to be read-only.
++ */
++ if ((hostfd == -1) && (errno == EISDIR)) {
++ baseflags &= ~O_ACCMODE;
++ baseflags |= O_RDONLY;
++ hostfd = SMB_VFS_OPEN(handle->conn, smb_fname, fsp, baseflags,
++ mode);
++ }
+
+- status = get_ea_value(talloc_tos(), handle->conn, NULL,
+- smb_fname->base_name, xattr_name, &ea);
++ if (hostfd == -1) {
++ goto fail;
++ }
+
+- DEBUG(10, ("get_ea_value returned %s\n", nt_errstr(status)));
++ status = get_ea_value(talloc_tos(), handle->conn, NULL,
++ smb_fname->base_name, xattr_name, &ea);
+
+- if (!NT_STATUS_IS_OK(status)
+- && !NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
+- /*
+- * The base file is not there. This is an error even if we got
+- * O_CREAT, the higher levels should have created the base
+- * file for us.
+- */
+- DEBUG(10, ("streams_xattr_open: base file %s not around, "
+- "returning ENOENT\n", smb_fname->base_name));
+- errno = ENOENT;
+- goto fail;
+- }
++ DEBUG(10, ("get_ea_value returned %s\n", nt_errstr(status)));
+
+- if (!NT_STATUS_IS_OK(status)) {
+- /*
+- * The attribute does not exist
+- */
++ if (!NT_STATUS_IS_OK(status)
++ && !NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
++ /*
++ * The base file is not there. This is an error even if we got
++ * O_CREAT, the higher levels should have created the base
++ * file for us.
++ */
++ DEBUG(10, ("streams_xattr_open: base file %s not around, "
++ "returning ENOENT\n", smb_fname->base_name));
++ errno = ENOENT;
++ goto fail;
++ }
+
+- if (flags & O_CREAT) {
++ if (!NT_STATUS_IS_OK(status)) {
+ /*
+- * Darn, xattrs need at least 1 byte
++ * The attribute does not exist
+ */
+- char null = '\0';
+
+- DEBUG(10, ("creating attribute %s on file %s\n",
+- xattr_name, smb_fname->base_name));
++ if (flags & O_CREAT) {
++ /*
++ * Darn, xattrs need at least 1 byte
++ */
++ char null = '\0';
++
++ DEBUG(10, ("creating attribute %s on file %s\n",
++ xattr_name, smb_fname->base_name));
++
++ fsp->fh->fd = hostfd;
++ ret = SMB_VFS_FSETXATTR(fsp, xattr_name,
++ &null, sizeof(null),
++ flags & O_EXCL ? XATTR_CREATE : 0);
++ fsp->fh->fd = -1;
++ if (ret != 0) {
++ goto fail;
++ }
++ }
++ }
+
++ if (flags & O_TRUNC) {
++ char null = '\0';
+ if (fsp->base_fsp->fh->fd != -1) {
+- if (SMB_VFS_FSETXATTR(
+- fsp->base_fsp, xattr_name,
+- &null, sizeof(null),
+- flags & O_EXCL ? XATTR_CREATE : 0) == -1) {
++ if (SMB_VFS_FSETXATTR(
++ fsp->base_fsp, xattr_name,
++ &null, sizeof(null),
++ flags & O_EXCL ? XATTR_CREATE : 0) == -1) {
+ goto fail;
+ }
+ } else {
+- if (SMB_VFS_SETXATTR(
+- handle->conn, smb_fname->base_name,
+- xattr_name, &null, sizeof(null),
+- flags & O_EXCL ? XATTR_CREATE : 0) == -1) {
++ if (SMB_VFS_SETXATTR(
++ handle->conn, smb_fname->base_name,
++ xattr_name, &null, sizeof(null),
++ flags & O_EXCL ? XATTR_CREATE : 0) == -1) {
+ goto fail;
+ }
+ }
+ }
+- }
+-
+- if (flags & O_TRUNC) {
+- char null = '\0';
+- if (fsp->base_fsp->fh->fd != -1) {
+- if (SMB_VFS_FSETXATTR(
+- fsp->base_fsp, xattr_name,
+- &null, sizeof(null),
+- flags & O_EXCL ? XATTR_CREATE : 0) == -1) {
+- goto fail;
+- }
+- } else {
+- if (SMB_VFS_SETXATTR(
+- handle->conn, smb_fname->base_name,
+- xattr_name, &null, sizeof(null),
+- flags & O_EXCL ? XATTR_CREATE : 0) == -1) {
+- goto fail;
+- }
+- }
+- }
+
+- sio = (struct stream_io *)VFS_ADD_FSP_EXTENSION(handle, fsp,
++ sio = (struct stream_io *)VFS_ADD_FSP_EXTENSION(handle, fsp,
+ struct stream_io,
+ NULL);
+ if (sio == NULL) {
+@@ -868,7 +861,7 @@ static ssize_t streams_xattr_pwrite(vfs_handle_struct *handle,
+ return -1;
+ }
+
+- status = get_ea_value(talloc_tos(), handle->conn, fsp->base_fsp,
++ status = get_ea_value(talloc_tos(), handle->conn, fsp,
+ sio->base, sio->xattr_name, &ea);
+ if (!NT_STATUS_IS_OK(status)) {
+ return -1;
+@@ -892,13 +885,13 @@ static ssize_t streams_xattr_pwrite(vfs_handle_struct *handle,
+
+ memcpy(ea.value.data + offset, data, n);
+
+- if (fsp->base_fsp->fh->fd != -1) {
+- ret = SMB_VFS_FSETXATTR(fsp->base_fsp,
++ if (fsp->fh->fd != -1) {
++ ret = SMB_VFS_FSETXATTR(fsp,
+ sio->xattr_name,
+ ea.value.data, ea.value.length, 0);
+ } else {
+ ret = SMB_VFS_SETXATTR(fsp->conn,
+- fsp->base_fsp->fsp_name->base_name,
++ fsp->fsp_name->base_name,
+ sio->xattr_name,
+ ea.value.data, ea.value.length, 0);
+ }
+@@ -932,7 +925,7 @@ static ssize_t streams_xattr_pread(vfs_handle_struct *handle,
+ return -1;
+ }
+
+- status = get_ea_value(talloc_tos(), handle->conn, fsp->base_fsp,
++ status = get_ea_value(talloc_tos(), handle->conn, fsp,
+ sio->base, sio->xattr_name, &ea);
+ if (!NT_STATUS_IS_OK(status)) {
+ return -1;
+@@ -977,7 +970,7 @@ static int streams_xattr_ftruncate(struct vfs_handle_struct *handle,
+ return -1;
+ }
+
+- status = get_ea_value(talloc_tos(), handle->conn, fsp->base_fsp,
++ status = get_ea_value(talloc_tos(), handle->conn, fsp,
+ sio->base, sio->xattr_name, &ea);
+ if (!NT_STATUS_IS_OK(status)) {
+ return -1;
+@@ -1002,13 +995,13 @@ static int streams_xattr_ftruncate(struct vfs_handle_struct *handle,
+ ea.value.length = offset + 1;
+ ea.value.data[offset] = 0;
+
+- if (fsp->base_fsp->fh->fd != -1) {
+- ret = SMB_VFS_FSETXATTR(fsp->base_fsp,
++ if (fsp->fh->fd != -1) {
++ ret = SMB_VFS_FSETXATTR(fsp,
+ sio->xattr_name,
+ ea.value.data, ea.value.length, 0);
+ } else {
+ ret = SMB_VFS_SETXATTR(fsp->conn,
+- fsp->base_fsp->fsp_name->base_name,
++ fsp->fsp_name->base_name,
+ sio->xattr_name,
+ ea.value.data, ea.value.length, 0);
+ }
+--
+2.13.5
+
+
+From 3f3c731faaa59f4d3ce7e49c12795c40e048d29f Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Mon, 19 Dec 2016 11:55:56 -0800
+Subject: [PATCH 05/15] s3: smbd: Create wrapper function for OpenDir in
+ preparation for making robust.
+
+CVE-2017-2619
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+---
+ source3/smbd/dir.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c
+index 18ecf066824..ebe2641f813 100644
+--- a/source3/smbd/dir.c
++++ b/source3/smbd/dir.c
+@@ -1367,7 +1367,8 @@ static int smb_Dir_destructor(struct smb_Dir *dirp)
+ Open a directory.
+ ********************************************************************/
+
+-struct smb_Dir *OpenDir(TALLOC_CTX *mem_ctx, connection_struct *conn,
++static struct smb_Dir *OpenDir_internal(TALLOC_CTX *mem_ctx,
++ connection_struct *conn,
+ const char *name,
+ const char *mask,
+ uint32 attr)
+@@ -1407,6 +1408,18 @@ struct smb_Dir *OpenDir(TALLOC_CTX *mem_ctx, connection_struct *conn,
+ return NULL;
+ }
+
++struct smb_Dir *OpenDir(TALLOC_CTX *mem_ctx, connection_struct *conn,
++ const char *name,
++ const char *mask,
++ uint32_t attr)
++{
++ return OpenDir_internal(mem_ctx,
++ conn,
++ name,
++ mask,
++ attr);
++}
++
+ /*******************************************************************
+ Open a directory from an fsp.
+ ********************************************************************/
+--
+2.13.5
+
+
+From 7efeb067c1586e0f1cfbb775b1efcb3b92005140 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Mon, 19 Dec 2016 16:25:26 -0800
+Subject: [PATCH 06/15] s3: smbd: Opendir_internal() early return if
+ SMB_VFS_OPENDIR failed.
+
+CVE-2017-2619
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+---
+ source3/smbd/dir.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c
+index ebe2641f813..65327dd0dd1 100644
+--- a/source3/smbd/dir.c
++++ b/source3/smbd/dir.c
+@@ -1380,6 +1380,13 @@ static struct smb_Dir *OpenDir_internal(TALLOC_CTX *mem_ctx,
+ return NULL;
+ }
+
++ dirp->dir = SMB_VFS_OPENDIR(conn, name, mask, attr);
++ if (!dirp->dir) {
++ DEBUG(5,("OpenDir: Can't open %s. %s\n", name,
++ strerror(errno) ));
++ goto fail;
++ }
++
+ dirp->conn = conn;
+ dirp->name_cache_size = lp_directory_name_cache_size(SNUM(conn));
+
+@@ -1394,13 +1401,6 @@ static struct smb_Dir *OpenDir_internal(TALLOC_CTX *mem_ctx,
+ }
+ talloc_set_destructor(dirp, smb_Dir_destructor);
+
+- dirp->dir = SMB_VFS_OPENDIR(conn, dirp->dir_path, mask, attr);
+- if (!dirp->dir) {
+- DEBUG(5,("OpenDir: Can't open %s. %s\n", dirp->dir_path,
+- strerror(errno) ));
+- goto fail;
+- }
+-
+ return dirp;
+
+ fail:
+--
+2.13.5
+
+
+From 49d22a0c51ef1f78f0488a7c35131887704e987b Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Mon, 19 Dec 2016 16:35:00 -0800
+Subject: [PATCH 07/15] s3: smbd: Create and use open_dir_safely(). Use from
+ OpenDir().
+
+Hardens OpenDir against TOC/TOU races.
+
+CVE-2017-2619
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+---
+ source3/smbd/dir.c | 66 ++++++++++++++++++++++++++++++++++++++++++++++++------
+ 1 file changed, 59 insertions(+), 7 deletions(-)
+
+diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c
+index 65327dd0dd1..2d168c3ba9f 100644
+--- a/source3/smbd/dir.c
++++ b/source3/smbd/dir.c
+@@ -1390,12 +1390,6 @@ static struct smb_Dir *OpenDir_internal(TALLOC_CTX *mem_ctx,
+ dirp->conn = conn;
+ dirp->name_cache_size = lp_directory_name_cache_size(SNUM(conn));
+
+- dirp->dir_path = talloc_strdup(dirp, name);
+- if (!dirp->dir_path) {
+- errno = ENOMEM;
+- goto fail;
+- }
+-
+ if (sconn && !sconn->using_smb2) {
+ sconn->searches.dirhandles_open++;
+ }
+@@ -1408,12 +1402,70 @@ static struct smb_Dir *OpenDir_internal(TALLOC_CTX *mem_ctx,
+ return NULL;
+ }
+
++/****************************************************************************
++ Open a directory handle by pathname, ensuring it's under the share path.
++****************************************************************************/
++
++static struct smb_Dir *open_dir_safely(TALLOC_CTX *ctx,
++ connection_struct *conn,
++ const char *name,
++ const char *wcard,
++ uint32_t attr)
++{
++ struct smb_Dir *dir_hnd = NULL;
++ char *saved_dir = vfs_GetWd(ctx, conn);
++ NTSTATUS status;
++
++ if (saved_dir == NULL) {
++ return NULL;
++ }
++
++ if (vfs_ChDir(conn, name) == -1) {
++ goto out;
++ }
++
++ /*
++ * Now the directory is pinned, use
++ * REALPATH to ensure we can access it.
++ */
++ status = check_name(conn, ".");
++ if (!NT_STATUS_IS_OK(status)) {
++ goto out;
++ }
++
++ dir_hnd = OpenDir_internal(ctx,
++ conn,
++ ".",
++ wcard,
++ attr);
++
++ if (dir_hnd == NULL) {
++ goto out;
++ }
++
++ /*
++ * OpenDir_internal only gets "." as the dir name.
++ * Store the real dir name here.
++ */
++
++ dir_hnd->dir_path = talloc_strdup(dir_hnd, name);
++ if (!dir_hnd->dir_path) {
++ errno = ENOMEM;
++ }
++
++ out:
++
++ vfs_ChDir(conn, saved_dir);
++ TALLOC_FREE(saved_dir);
++ return dir_hnd;
++}
++
+ struct smb_Dir *OpenDir(TALLOC_CTX *mem_ctx, connection_struct *conn,
+ const char *name,
+ const char *mask,
+ uint32_t attr)
+ {
+- return OpenDir_internal(mem_ctx,
++ return open_dir_safely(mem_ctx,
+ conn,
+ name,
+ mask,
+--
+2.13.5
+
+
+From 6426ae1f9ef53158a6fbe1912dfec40d834115fe Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Mon, 19 Dec 2016 12:13:20 -0800
+Subject: [PATCH 08/15] s3: smbd: OpenDir_fsp() use early returns.
+
+CVE-2017-2619
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+---
+ source3/smbd/dir.c | 34 +++++++++++++++++++++-------------
+ 1 file changed, 21 insertions(+), 13 deletions(-)
+
+diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c
+index 2d168c3ba9f..6aed4a6da46 100644
+--- a/source3/smbd/dir.c
++++ b/source3/smbd/dir.c
+@@ -1485,7 +1485,17 @@ static struct smb_Dir *OpenDir_fsp(TALLOC_CTX *mem_ctx, connection_struct *conn,
+ struct smbd_server_connection *sconn = conn->sconn;
+
+ if (!dirp) {
+- return NULL;
++ goto fail;
++ }
++
++ if (!fsp->is_directory) {
++ errno = EBADF;
++ goto fail;
++ }
++
++ if (fsp->fh->fd == -1) {
++ errno = EBADF;
++ goto fail;
+ }
+
+ dirp->conn = conn;
+@@ -1502,18 +1512,16 @@ static struct smb_Dir *OpenDir_fsp(TALLOC_CTX *mem_ctx, connection_struct *conn,
+ }
+ talloc_set_destructor(dirp, smb_Dir_destructor);
+
+- if (fsp->is_directory && fsp->fh->fd != -1) {
+- dirp->dir = SMB_VFS_FDOPENDIR(fsp, mask, attr);
+- if (dirp->dir != NULL) {
+- dirp->fsp = fsp;
+- } else {
+- DEBUG(10,("OpenDir_fsp: SMB_VFS_FDOPENDIR on %s returned "
+- "NULL (%s)\n",
+- dirp->dir_path,
+- strerror(errno)));
+- if (errno != ENOSYS) {
+- return NULL;
+- }
++ dirp->dir = SMB_VFS_FDOPENDIR(fsp, mask, attr);
++ if (dirp->dir != NULL) {
++ dirp->fsp = fsp;
++ } else {
++ DEBUG(10,("OpenDir_fsp: SMB_VFS_FDOPENDIR on %s returned "
++ "NULL (%s)\n",
++ dirp->dir_path,
++ strerror(errno)));
++ if (errno != ENOSYS) {
++ return NULL;
+ }
+ }
+
+--
+2.13.5
+
+
+From f6581858ce665b880c5fea465ec61b1b0c504d89 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Mon, 19 Dec 2016 12:15:59 -0800
+Subject: [PATCH 09/15] s3: smbd: OpenDir_fsp() - Fix memory leak on error.
+
+CVE-2017-2619
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+---
+ source3/smbd/dir.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c
+index 6aed4a6da46..efd1a73aab6 100644
+--- a/source3/smbd/dir.c
++++ b/source3/smbd/dir.c
+@@ -1521,7 +1521,7 @@ static struct smb_Dir *OpenDir_fsp(TALLOC_CTX *mem_ctx, connection_struct *conn,
+ dirp->dir_path,
+ strerror(errno)));
+ if (errno != ENOSYS) {
+- return NULL;
++ goto fail;
+ }
+ }
+
+--
+2.13.5
+
+
+From bacba6987e58d44886d04b1dd5e36f7781dcd9b0 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Mon, 19 Dec 2016 12:32:07 -0800
+Subject: [PATCH 10/15] s3: smbd: Move the reference counting and destructor
+ setup to just before retuning success.
+
+CVE-2017-2619
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+---
+ source3/smbd/dir.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c
+index efd1a73aab6..5eca128c033 100644
+--- a/source3/smbd/dir.c
++++ b/source3/smbd/dir.c
+@@ -1507,11 +1507,6 @@ static struct smb_Dir *OpenDir_fsp(TALLOC_CTX *mem_ctx, connection_struct *conn,
+ goto fail;
+ }
+
+- if (sconn && !sconn->using_smb2) {
+- sconn->searches.dirhandles_open++;
+- }
+- talloc_set_destructor(dirp, smb_Dir_destructor);
+-
+ dirp->dir = SMB_VFS_FDOPENDIR(fsp, mask, attr);
+ if (dirp->dir != NULL) {
+ dirp->fsp = fsp;
+@@ -1536,6 +1531,11 @@ static struct smb_Dir *OpenDir_fsp(TALLOC_CTX *mem_ctx, connection_struct *conn,
+ goto fail;
+ }
+
++ if (sconn && !sconn->using_smb2) {
++ sconn->searches.dirhandles_open++;
++ }
++ talloc_set_destructor(dirp, smb_Dir_destructor);
++
+ return dirp;
+
+ fail:
+--
+2.13.5
+
+
+From 34b3d05b55f5c40de76ba65d6b028818518a519f Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Mon, 19 Dec 2016 12:35:32 -0800
+Subject: [PATCH 11/15] s3: smbd: Correctly fallback to open_dir_safely if
+ FDOPENDIR not supported on system.
+
+CVE-2017-2619
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+---
+ source3/smbd/dir.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c
+index 5eca128c033..7690cb18c1a 100644
+--- a/source3/smbd/dir.c
++++ b/source3/smbd/dir.c
+@@ -1521,14 +1521,13 @@ static struct smb_Dir *OpenDir_fsp(TALLOC_CTX *mem_ctx, connection_struct *conn,
+ }
+
+ if (dirp->dir == NULL) {
+- /* FDOPENDIR didn't work. Use OPENDIR instead. */
+- dirp->dir = SMB_VFS_OPENDIR(conn, dirp->dir_path, mask, attr);
+- }
+-
+- if (!dirp->dir) {
+- DEBUG(5,("OpenDir_fsp: Can't open %s. %s\n", dirp->dir_path,
+- strerror(errno) ));
+- goto fail;
++ /* FDOPENDIR is not supported. Use OPENDIR instead. */
++ TALLOC_FREE(dirp);
++ return open_dir_safely(mem_ctx,
++ conn,
++ fsp->fsp_name->base_name,
++ mask,
++ attr);
+ }
+
+ if (sconn && !sconn->using_smb2) {
+--
+2.13.5
+
+
+From 84bc8b232a4495bff270b7800833ef6785937576 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Thu, 15 Dec 2016 12:52:13 -0800
+Subject: [PATCH 12/15] s3: smbd: Remove O_NOFOLLOW guards. We insist on
+ O_NOFOLLOW existing.
+
+CVE-2017-2619
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+---
+ source3/smbd/open.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/source3/smbd/open.c b/source3/smbd/open.c
+index 35eee0a1485..8417f8aca4a 100644
+--- a/source3/smbd/open.c
++++ b/source3/smbd/open.c
+@@ -205,8 +205,7 @@ NTSTATUS fd_open(struct connection_struct *conn,
+ struct smb_filename *smb_fname = fsp->fsp_name;
+ NTSTATUS status = NT_STATUS_OK;
+
+-#ifdef O_NOFOLLOW
+- /*
++ /*
+ * Never follow symlinks on a POSIX client. The
+ * client should be doing this.
+ */
+@@ -214,7 +213,6 @@ NTSTATUS fd_open(struct connection_struct *conn,
+ if (fsp->posix_open || !lp_symlinks(SNUM(conn))) {
+ flags |= O_NOFOLLOW;
+ }
+-#endif
+
+ fsp->fh->fd = SMB_VFS_OPEN(conn, smb_fname, fsp, flags, mode);
+ if (fsp->fh->fd == -1) {
+--
+2.13.5
+
+
+From af0c5a266ae65ad2a638fe48a7ad7d77417f97d7 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Thu, 15 Dec 2016 12:56:08 -0800
+Subject: [PATCH 13/15] s3: smbd: Move special handling of symlink errno's into
+ a utility function.
+
+CVE-2017-2619
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+---
+ source3/smbd/open.c | 30 ++++++++++++++++++++++++++++--
+ 1 file changed, 28 insertions(+), 2 deletions(-)
+
+diff --git a/source3/smbd/open.c b/source3/smbd/open.c
+index 8417f8aca4a..e727e89e9d8 100644
+--- a/source3/smbd/open.c
++++ b/source3/smbd/open.c
+@@ -194,6 +194,31 @@ static NTSTATUS check_base_file_access(struct connection_struct *conn,
+ }
+
+ /****************************************************************************
++ Handle differing symlink errno's
++****************************************************************************/
++
++static int link_errno_convert(int err)
++{
++#if defined(ENOTSUP) && defined(OSF1)
++ /* handle special Tru64 errno */
++ if (err == ENOTSUP) {
++ err = ELOOP;
++ }
++#endif /* ENOTSUP */
++#ifdef EFTYPE
++ /* fix broken NetBSD errno */
++ if (err == EFTYPE) {
++ err = ELOOP;
++ }
++#endif /* EFTYPE */
++ /* fix broken FreeBSD errno */
++ if (err == EMLINK) {
++ err = ELOOP;
++ }
++ return err;
++}
++
++/****************************************************************************
+ fd support routines - attempt to do a dos_open.
+ ****************************************************************************/
+
+@@ -216,8 +241,9 @@ NTSTATUS fd_open(struct connection_struct *conn,
+
+ fsp->fh->fd = SMB_VFS_OPEN(conn, smb_fname, fsp, flags, mode);
+ if (fsp->fh->fd == -1) {
+- status = map_nt_error_from_unix(errno);
+- if (errno == EMFILE) {
++ int posix_errno = link_errno_convert(errno);
++ status = map_nt_error_from_unix(posix_errno);
++ if (posix_errno == EMFILE) {
+ static time_t last_warned = 0L;
+
+ if (time((time_t *) NULL) > last_warned) {
+--
+2.13.5
+
+
+From c3bc4ff0367d7a3ebfd64db6defddea0bc3a5f4a Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Thu, 15 Dec 2016 13:04:46 -0800
+Subject: [PATCH 14/15] s3: smbd: Add the core functions to prevent symlink
+ open races.
+
+CVE-2017-2619
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+---
+ source3/smbd/open.c | 242 ++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 242 insertions(+)
+
+diff --git a/source3/smbd/open.c b/source3/smbd/open.c
+index e727e89e9d8..0998adc416a 100644
+--- a/source3/smbd/open.c
++++ b/source3/smbd/open.c
+@@ -218,6 +218,248 @@ static int link_errno_convert(int err)
+ return err;
+ }
+
++static int non_widelink_open(struct connection_struct *conn,
++ const char *conn_rootdir,
++ files_struct *fsp,
++ struct smb_filename *smb_fname,
++ int flags,
++ mode_t mode,
++ unsigned int link_depth);
++
++/****************************************************************************
++ Follow a symlink in userspace.
++****************************************************************************/
++
++static int process_symlink_open(struct connection_struct *conn,
++ const char *conn_rootdir,
++ files_struct *fsp,
++ struct smb_filename *smb_fname,
++ int flags,
++ mode_t mode,
++ unsigned int link_depth)
++{
++ int fd = -1;
++ char *link_target = NULL;
++ int link_len = -1;
++ char *oldwd = NULL;
++ size_t rootdir_len = 0;
++ char *resolved_name = NULL;
++ bool matched = false;
++ int saved_errno = 0;
++
++ /*
++ * Ensure we don't get stuck in a symlink loop.
++ */
++ link_depth++;
++ if (link_depth >= 20) {
++ errno = ELOOP;
++ goto out;
++ }
++
++ /* Allocate space for the link target. */
++ link_target = talloc_array(talloc_tos(), char, PATH_MAX);
++ if (link_target == NULL) {
++ errno = ENOMEM;
++ goto out;
++ }
++
++ /* Read the link target. */
++ link_len = SMB_VFS_READLINK(conn,
++ smb_fname->base_name,
++ link_target,
++ PATH_MAX - 1);
++ if (link_len == -1) {
++ goto out;
++ }
++
++ /* Ensure it's at least null terminated. */
++ link_target[link_len] = '\0';
++
++ /* Convert to an absolute path. */
++ resolved_name = SMB_VFS_REALPATH(conn, link_target);
++ if (resolved_name == NULL) {
++ goto out;
++ }
++
++ /*
++ * We know conn_rootdir starts with '/' and
++ * does not end in '/'. FIXME ! Should we
++ * smb_assert this ?
++ */
++ rootdir_len = strlen(conn_rootdir);
++
++ matched = (strncmp(conn_rootdir, resolved_name, rootdir_len) == 0);
++ if (!matched) {
++ errno = EACCES;
++ goto out;
++ }
++
++ /*
++ * Turn into a path relative to the share root.
++ */
++ if (resolved_name[rootdir_len] == '\0') {
++ /* Link to the root of the share. */
++ smb_fname->base_name = talloc_strdup(talloc_tos(), ".");
++ if (smb_fname->base_name == NULL) {
++ errno = ENOMEM;
++ goto out;
++ }
++ } else if (resolved_name[rootdir_len] == '/') {
++ smb_fname->base_name = &resolved_name[rootdir_len+1];
++ } else {
++ errno = EACCES;
++ goto out;
++ }
++
++ oldwd = vfs_GetWd(talloc_tos(), conn);
++ if (oldwd == NULL) {
++ goto out;
++ }
++
++ /* Ensure we operate from the root of the share. */
++ if (vfs_ChDir(conn, conn_rootdir) == -1) {
++ goto out;
++ }
++
++ /* And do it all again.. */
++ fd = non_widelink_open(conn,
++ conn_rootdir,
++ fsp,
++ smb_fname,
++ flags,
++ mode,
++ link_depth);
++ if (fd == -1) {
++ saved_errno = errno;
++ }
++
++ out:
++
++ SAFE_FREE(resolved_name);
++ TALLOC_FREE(link_target);
++ if (oldwd != NULL) {
++ int ret = vfs_ChDir(conn, oldwd);
++ if (ret == -1) {
++ smb_panic("unable to get back to old directory\n");
++ }
++ TALLOC_FREE(oldwd);
++ }
++ if (saved_errno != 0) {
++ errno = saved_errno;
++ }
++ return fd;
++}
++
++/****************************************************************************
++ Non-widelink open.
++****************************************************************************/
++
++static int non_widelink_open(struct connection_struct *conn,
++ const char *conn_rootdir,
++ files_struct *fsp,
++ struct smb_filename *smb_fname,
++ int flags,
++ mode_t mode,
++ unsigned int link_depth)
++{
++ NTSTATUS status;
++ int fd = -1;
++ struct smb_filename *smb_fname_rel = NULL;
++ int saved_errno = 0;
++ char *oldwd = NULL;
++ char *parent_dir = NULL;
++ const char *final_component = NULL;
++
++ if (!parent_dirname(talloc_tos(),
++ smb_fname->base_name,
++ &parent_dir,
++ &final_component)) {
++ goto out;
++ }
++
++ oldwd = vfs_GetWd(talloc_tos(), conn);
++ if (oldwd == NULL) {
++ goto out;
++ }
++
++ /* Pin parent directory in place. */
++ if (vfs_ChDir(conn, parent_dir) == -1) {
++ goto out;
++ }
++
++ /* Ensure the relative path is below the share. */
++ status = check_reduced_name(conn, final_component);
++ if (!NT_STATUS_IS_OK(status)) {
++ saved_errno = map_errno_from_nt_status(status);
++ goto out;
++ }
++
++ status = create_synthetic_smb_fname(talloc_tos(),
++ final_component,
++ smb_fname->stream_name,
++ &smb_fname->st,
++ &smb_fname_rel);
++ if (!NT_STATUS_IS_OK(status)) {
++ saved_errno = map_errno_from_nt_status(status);
++ goto out;
++ }
++
++ flags |= O_NOFOLLOW;
++
++ {
++ struct smb_filename *tmp_name = fsp->fsp_name;
++ fsp->fsp_name = smb_fname_rel;
++ fd = SMB_VFS_OPEN(conn, smb_fname_rel, fsp, flags, mode);
++ fsp->fsp_name = tmp_name;
++ }
++
++ if (fd == -1) {
++ saved_errno = link_errno_convert(errno);
++ if (saved_errno == ELOOP) {
++ if (fsp->posix_open) {
++ /* Never follow symlinks on posix open. */
++ goto out;
++ }
++ if (!lp_symlinks(SNUM(conn))) {
++ /* Explicitly no symlinks. */
++ goto out;
++ }
++ /*
++ * We have a symlink. Follow in userspace
++ * to ensure it's under the share definition.
++ */
++ fd = process_symlink_open(conn,
++ conn_rootdir,
++ fsp,
++ smb_fname_rel,
++ flags,
++ mode,
++ link_depth);
++ if (fd == -1) {
++ saved_errno =
++ link_errno_convert(errno);
++ }
++ }
++ }
++
++ out:
++
++ TALLOC_FREE(parent_dir);
++ TALLOC_FREE(smb_fname_rel);
++
++ if (oldwd != NULL) {
++ int ret = vfs_ChDir(conn, oldwd);
++ if (ret == -1) {
++ smb_panic("unable to get back to old directory\n");
++ }
++ TALLOC_FREE(oldwd);
++ }
++ if (saved_errno != 0) {
++ errno = saved_errno;
++ }
++ return fd;
++}
++
+ /****************************************************************************
+ fd support routines - attempt to do a dos_open.
+ ****************************************************************************/
+--
+2.13.5
+
+
+From 6a88d1cf3deb54a784f50c8eba3b9a24a65c1b34 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Thu, 15 Dec 2016 13:06:31 -0800
+Subject: [PATCH 15/15] s3: smbd: Use the new non_widelink_open() function.
+
+CVE-2017-2619
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+---
+ source3/smbd/open.c | 23 ++++++++++++++++++++++-
+ 1 file changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/source3/smbd/open.c b/source3/smbd/open.c
+index 0998adc416a..65ca14ec8b8 100644
+--- a/source3/smbd/open.c
++++ b/source3/smbd/open.c
+@@ -481,7 +481,28 @@ NTSTATUS fd_open(struct connection_struct *conn,
+ flags |= O_NOFOLLOW;
+ }
+
+- fsp->fh->fd = SMB_VFS_OPEN(conn, smb_fname, fsp, flags, mode);
++ /* Ensure path is below share definition. */
++ if (!lp_widelinks(SNUM(conn))) {
++ const char *conn_rootdir = SMB_VFS_CONNECTPATH(conn,
++ smb_fname->base_name);
++ if (conn_rootdir == NULL) {
++ return NT_STATUS_NO_MEMORY;
++ }
++ /*
++ * Only follow symlinks within a share
++ * definition.
++ */
++ fsp->fh->fd = non_widelink_open(conn,
++ conn_rootdir,
++ fsp,
++ smb_fname,
++ flags,
++ mode,
++ 0);
++ } else {
++ fsp->fh->fd = SMB_VFS_OPEN(conn, smb_fname, fsp, flags, mode);
++ }
++
+ if (fsp->fh->fd == -1) {
+ int posix_errno = link_errno_convert(errno);
+ status = map_nt_error_from_unix(posix_errno);
+--
+2.13.5
+
projects / ipfire-2.x.git / commitdiff
