[people/pmueller/ipfire-2.x.git] / src / patches / samba / CVE-2015-7560-v3-6.patch

From eb27f9b7bf9c1dc902d9545eecf805831bd4e46c Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Tue, 5 Jan 2016 11:18:12 -0800
Subject: [PATCH 1/8] CVE-2015-7560: s3: smbd: Add refuse_symlink() function
 that can be used to prevent operations on a symlink.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
---
 source3/smbd/trans2.c | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
index 26b6523..7f47579 100644
--- a/source3/smbd/trans2.c
+++ b/source3/smbd/trans2.c
@@ -51,6 +51,34 @@ static char *store_file_unix_basic_info2(connection_struct *conn,
 				files_struct *fsp,
 				const SMB_STRUCT_STAT *psbuf);
 
+/****************************************************************************
+ Check if an open file handle or pathname is a symlink.
+****************************************************************************/
+
+static NTSTATUS refuse_symlink(connection_struct *conn,
+			const files_struct *fsp,
+			const char *name)
+{
+	SMB_STRUCT_STAT sbuf;
+	const SMB_STRUCT_STAT *pst = NULL;
+
+	if (fsp) {
+		pst = &fsp->fsp_name->st;
+	} else {
+		int ret = vfs_stat_smb_fname(conn,
+				name,
+				&sbuf);
+		if (ret == -1) {
+			return map_nt_error_from_unix(errno);
+		}
+		pst = &sbuf;
+	}
+	if (S_ISLNK(pst->st_ex_mode)) {
+		return NT_STATUS_ACCESS_DENIED;
+	}
+	return NT_STATUS_OK;
+}
+
 /********************************************************************
  Roundup a value to the nearest allocation roundup size boundary.
  Only do this for Windows clients.
-- 
2.5.0


From f5b1bcc51e18bc85f376701bb4ae6894d97addfd Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Tue, 5 Jan 2016 10:38:28 -0800
Subject: [PATCH 2/8] CVE-2015-7560: s3: smbd: Refuse to get an ACL from a
 POSIX file handle on a symlink.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
---
 source3/smbd/nttrans.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
index 4c145e0..7255600 100644
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -1925,6 +1925,12 @@ NTSTATUS smbd_do_query_security_desc(connection_struct *conn,
 		return NT_STATUS_ACCESS_DENIED;
 	}
 
+	if (S_ISLNK(fsp->fsp_name->st.st_ex_mode)) {
+		DEBUG(10, ("ACL get on symlink %s denied.\n",
+			fsp_str_dbg(fsp)));
+		return NT_STATUS_ACCESS_DENIED;
+	}
+
 	if (security_info_wanted & (SECINFO_DACL|SECINFO_OWNER|
 			SECINFO_GROUP|SECINFO_SACL)) {
 		/* Don't return SECINFO_LABEL if anything else was
-- 
2.5.0


From 8bdbe1c90c98efbd08fc70d773d236c4ba00b1ae Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Tue, 5 Jan 2016 10:52:50 -0800
Subject: [PATCH 3/8] CVE-2015-7560: s3: smbd: Refuse to set an ACL from a
 POSIX file handle on a symlink.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
---
 source3/smbd/nttrans.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
index 7255600..d2102ca 100644
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -877,6 +877,12 @@ NTSTATUS set_sd(files_struct *fsp, struct security_descriptor *psd,
 		return NT_STATUS_OK;
 	}
 
+	if (S_ISLNK(fsp->fsp_name->st.st_ex_mode)) {
+		DEBUG(10, ("ACL set on symlink %s denied.\n",
+			fsp_str_dbg(fsp)));
+		return NT_STATUS_ACCESS_DENIED;
+	}
+
 	if (psd->owner_sid == NULL) {
 		security_info_sent &= ~SECINFO_OWNER;
 	}
-- 
2.5.0


From 612b032e2dedd3e07bbe79718ecbb3b68ffbb7a5 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Tue, 5 Jan 2016 11:22:12 -0800
Subject: [PATCH 4/8] CVE-2015-7560: s3: smbd: Refuse to set a POSIX ACL on a
 symlink.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
---
 source3/smbd/trans2.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
index 7f47579..2f01e87 100644
--- a/source3/smbd/trans2.c
+++ b/source3/smbd/trans2.c
@@ -6480,6 +6480,7 @@ static NTSTATUS smb_set_posix_acl(connection_struct *conn,
 	uint16 num_def_acls;
 	bool valid_file_acls = True;
 	bool valid_def_acls = True;
+	NTSTATUS status;
 
 	if (total_data < SMB_POSIX_ACL_HEADER_SIZE) {
 		return NT_STATUS_INVALID_PARAMETER;
@@ -6507,6 +6508,11 @@ static NTSTATUS smb_set_posix_acl(connection_struct *conn,
 		return NT_STATUS_INVALID_PARAMETER;
 	}
 
+	status = refuse_symlink(conn, fsp, smb_fname->base_name);
+	if (!NT_STATUS_IS_OK(status)) {
+		return status;
+	}
+
 	DEBUG(10,("smb_set_posix_acl: file %s num_file_acls = %u, num_def_acls = %u\n",
 		smb_fname ? smb_fname_str_dbg(smb_fname) : fsp_str_dbg(fsp),
 		(unsigned int)num_file_acls,
-- 
2.5.0


From 28e6120d14e5a942df386db0444abaa93a764207 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Tue, 5 Jan 2016 11:24:36 -0800
Subject: [PATCH 5/8] CVE-2015-7560: s3: smbd: Refuse to get a POSIX ACL on a
 symlink.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
---
 source3/smbd/trans2.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
index 2f01e87..3a098d1 100644
--- a/source3/smbd/trans2.c
+++ b/source3/smbd/trans2.c
@@ -4959,6 +4959,13 @@ NTSTATUS smbd_do_qfilepathinfo(connection_struct *conn,
 				uint16 num_file_acls = 0;
 				uint16 num_def_acls = 0;
 
+				status = refuse_symlink(conn,
+						fsp,
+						smb_fname->base_name);
+				if (!NT_STATUS_IS_OK(status)) {
+					return status;
+				}
+
 				if (fsp && fsp->fh->fd != -1) {
 					file_acl = SMB_VFS_SYS_ACL_GET_FD(fsp);
 				} else {
-- 
2.5.0


From 659bdb80aa65c02cf4f44377cc3bcffb2a817ee0 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Tue, 5 Jan 2016 11:05:48 -0800
Subject: [PATCH 6/8] CVE-2015-7560: s3: smbd: Set return values early, allows
 removal of code duplication.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
---
 source3/smbd/trans2.c | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)

diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
index 3a098d1..6fdd1da 100644
--- a/source3/smbd/trans2.c
+++ b/source3/smbd/trans2.c
@@ -210,11 +210,12 @@ NTSTATUS get_ea_names_from_file(TALLOC_CTX *mem_ctx, connection_struct *conn,
 	size_t num_names;
 	ssize_t sizeret = -1;
 
+	if (pnames) {
+		*pnames = NULL;
+	}
+	*pnum_names = 0;
+
 	if (!lp_ea_support(SNUM(conn))) {
-		if (pnames) {
-			*pnames = NULL;
-		}
-		*pnum_names = 0;
 		return NT_STATUS_OK;
 	}
 
@@ -264,10 +265,6 @@ NTSTATUS get_ea_names_from_file(TALLOC_CTX *mem_ctx, connection_struct *conn,
 
 	if (sizeret == 0) {
 		TALLOC_FREE(names);
-		if (pnames) {
-			*pnames = NULL;
-		}
-		*pnum_names = 0;
 		return NT_STATUS_OK;
 	}
 
-- 
2.5.0


From 4ba5e7cf01b8074b0313ecb7e218355d771df1cc Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Tue, 5 Jan 2016 11:29:38 -0800
Subject: [PATCH 7/8] CVE-2015-7560: s3: smbd: Silently return no EA's
 available on a symlink.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
---
 source3/smbd/trans2.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
index 6fdd1da..8b6e4b2 100644
--- a/source3/smbd/trans2.c
+++ b/source3/smbd/trans2.c
@@ -209,6 +209,7 @@ NTSTATUS get_ea_names_from_file(TALLOC_CTX *mem_ctx, connection_struct *conn,
 	char **names, **tmp;
 	size_t num_names;
 	ssize_t sizeret = -1;
+	NTSTATUS status;
 
 	if (pnames) {
 		*pnames = NULL;
@@ -219,6 +220,14 @@ NTSTATUS get_ea_names_from_file(TALLOC_CTX *mem_ctx, connection_struct *conn,
 		return NT_STATUS_OK;
 	}
 
+	status = refuse_symlink(conn, fsp, fname);
+	if (!NT_STATUS_IS_OK(status)) {
+		/*
+		 * Just return no EA's on a symlink.
+		 */
+		return NT_STATUS_OK;
+	}
+
 	/*
 	 * TALLOC the result early to get the talloc hierarchy right.
 	 */
-- 
2.5.0


From 9d8c7274ab87a0c07367e872ca1db7fd72886fde Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Tue, 5 Jan 2016 11:33:48 -0800
Subject: [PATCH 8/8] CVE-2015-7560: s3: smbd: Refuse to set EA's on a symlink.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
---
 source3/smbd/trans2.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
index 8b6e4b2..98fd2af 100644
--- a/source3/smbd/trans2.c
+++ b/source3/smbd/trans2.c
@@ -584,6 +584,7 @@ NTSTATUS set_ea(connection_struct *conn, files_struct *fsp,
 		const struct smb_filename *smb_fname, struct ea_list *ea_list)
 {
 	char *fname = NULL;
+	NTSTATUS status;
 
 	if (!lp_ea_support(SNUM(conn))) {
 		return NT_STATUS_EAS_NOT_SUPPORTED;
@@ -593,6 +594,12 @@ NTSTATUS set_ea(connection_struct *conn, files_struct *fsp,
 		return NT_STATUS_ACCESS_DENIED;
 	}
 
+	status = refuse_symlink(conn, fsp, smb_fname->base_name);
+	if (!NT_STATUS_IS_OK(status)) {
+		return status;
+	}
+
+
 	/* For now setting EAs on streams isn't supported. */
 	fname = smb_fname->base_name;
 
-- 
2.5.0
Commit	Line	Data
77ecb239 AF	1	From eb27f9b7bf9c1dc902d9545eecf805831bd4e46c Mon Sep 17 00:00:00 2001
	2	From: Jeremy Allison <jra@samba.org>
	3	Date: Tue, 5 Jan 2016 11:18:12 -0800
	4	Subject: [PATCH 1/8] CVE-2015-7560: s3: smbd: Add refuse_symlink() function
	5	that can be used to prevent operations on a symlink.
	6
	7	BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
	8
	9	Signed-off-by: Jeremy Allison <jra@samba.org>
	10	Reviewed-by: Michael Adam <obnox@samba.org>
	11	---
	12	source3/smbd/trans2.c \| 28 ++++++++++++++++++++++++++++
	13	1 file changed, 28 insertions(+)
	14
	15	diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
	16	index 26b6523..7f47579 100644
	17	--- a/source3/smbd/trans2.c
	18	+++ b/source3/smbd/trans2.c
	19	@@ -51,6 +51,34 @@ static char store_file_unix_basic_info2(connection_struct conn,
	20	files_struct *fsp,
	21	const SMB_STRUCT_STAT *psbuf);
	22
	23	+/****************************************************************************
	24	+ Check if an open file handle or pathname is a symlink.
	25	+****************************************************************************/
	26	+
	27	+static NTSTATUS refuse_symlink(connection_struct *conn,
	28	+ const files_struct *fsp,
	29	+ const char *name)
	30	+{
	31	+ SMB_STRUCT_STAT sbuf;
	32	+ const SMB_STRUCT_STAT *pst = NULL;
	33	+
	34	+ if (fsp) {
	35	+ pst = &fsp->fsp_name->st;
	36	+ } else {
	37	+ int ret = vfs_stat_smb_fname(conn,
	38	+ name,
	39	+ &sbuf);
	40	+ if (ret == -1) {
	41	+ return map_nt_error_from_unix(errno);
	42	+ }
	43	+ pst = &sbuf;
	44	+ }
	45	+ if (S_ISLNK(pst->st_ex_mode)) {
	46	+ return NT_STATUS_ACCESS_DENIED;
	47	+ }
	48	+ return NT_STATUS_OK;
	49	+}
	50	+
	51	/********************************************************************
	52	Roundup a value to the nearest allocation roundup size boundary.
	53	Only do this for Windows clients.
	54	--
	55	2.5.0
	56
	57
	58	From f5b1bcc51e18bc85f376701bb4ae6894d97addfd Mon Sep 17 00:00:00 2001
	59	From: Jeremy Allison <jra@samba.org>
	60	Date: Tue, 5 Jan 2016 10:38:28 -0800
	61	Subject: [PATCH 2/8] CVE-2015-7560: s3: smbd: Refuse to get an ACL from a
	62	POSIX file handle on a symlink.
	63
	64	BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
65
66	Signed-off-by: Jeremy Allison <jra@samba.org>
67	Reviewed-by: Michael Adam <obnox@samba.org>
68	---
69	source3/smbd/nttrans.c \| 6 ++++++
70	1 file changed, 6 insertions(+)
71
72	diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
73	index 4c145e0..7255600 100644
74	--- a/source3/smbd/nttrans.c
75	+++ b/source3/smbd/nttrans.c
76	@@ -1925,6 +1925,12 @@ NTSTATUS smbd_do_query_security_desc(connection_struct *conn,
77	return NT_STATUS_ACCESS_DENIED;
78	}
79
80	+ if (S_ISLNK(fsp->fsp_name->st.st_ex_mode)) {
81	+ DEBUG(10, ("ACL get on symlink %s denied.\n",
82	+ fsp_str_dbg(fsp)));
83	+ return NT_STATUS_ACCESS_DENIED;
84	+ }
85	+
86	if (security_info_wanted & (SECINFO_DACL\|SECINFO_OWNER\|
87	SECINFO_GROUP\|SECINFO_SACL)) {
88	/* Don't return SECINFO_LABEL if anything else was
89	--
90	2.5.0
91
92
93	From 8bdbe1c90c98efbd08fc70d773d236c4ba00b1ae Mon Sep 17 00:00:00 2001
94	From: Jeremy Allison <jra@samba.org>
95	Date: Tue, 5 Jan 2016 10:52:50 -0800
96	Subject: [PATCH 3/8] CVE-2015-7560: s3: smbd: Refuse to set an ACL from a
97	POSIX file handle on a symlink.
98
99	BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
100
101	Signed-off-by: Jeremy Allison <jra@samba.org>
102	Reviewed-by: Michael Adam <obnox@samba.org>
103	---
104	source3/smbd/nttrans.c \| 6 ++++++
105	1 file changed, 6 insertions(+)
106
107	diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
108	index 7255600..d2102ca 100644
109	--- a/source3/smbd/nttrans.c
110	+++ b/source3/smbd/nttrans.c
111	@@ -877,6 +877,12 @@ NTSTATUS set_sd(files_struct fsp, struct security_descriptor psd,
112	return NT_STATUS_OK;
113	}
114
115	+ if (S_ISLNK(fsp->fsp_name->st.st_ex_mode)) {
116	+ DEBUG(10, ("ACL set on symlink %s denied.\n",
117	+ fsp_str_dbg(fsp)));
118	+ return NT_STATUS_ACCESS_DENIED;
119	+ }
120	+
121	if (psd->owner_sid == NULL) {
122	security_info_sent &= ~SECINFO_OWNER;
123	}
124	--
125	2.5.0
126
127
128	From 612b032e2dedd3e07bbe79718ecbb3b68ffbb7a5 Mon Sep 17 00:00:00 2001
129	From: Jeremy Allison <jra@samba.org>
130	Date: Tue, 5 Jan 2016 11:22:12 -0800
131	Subject: [PATCH 4/8] CVE-2015-7560: s3: smbd: Refuse to set a POSIX ACL on a
132	symlink.
133
134	BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
135
136	Signed-off-by: Jeremy Allison <jra@samba.org>
137	Reviewed-by: Michael Adam <obnox@samba.org>
138	---
139	source3/smbd/trans2.c \| 6 ++++++
140	1 file changed, 6 insertions(+)
141
142	diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
143	index 7f47579..2f01e87 100644
144	--- a/source3/smbd/trans2.c
145	+++ b/source3/smbd/trans2.c
146	@@ -6480,6 +6480,7 @@ static NTSTATUS smb_set_posix_acl(connection_struct *conn,
147	uint16 num_def_acls;
148	bool valid_file_acls = True;
149	bool valid_def_acls = True;
150	+ NTSTATUS status;
151
152	if (total_data < SMB_POSIX_ACL_HEADER_SIZE) {
153	return NT_STATUS_INVALID_PARAMETER;
154	@@ -6507,6 +6508,11 @@ static NTSTATUS smb_set_posix_acl(connection_struct *conn,
155	return NT_STATUS_INVALID_PARAMETER;
156	}
157
158	+ status = refuse_symlink(conn, fsp, smb_fname->base_name);
159	+ if (!NT_STATUS_IS_OK(status)) {
160	+ return status;
161	+ }
162	+
163	DEBUG(10,("smb_set_posix_acl: file %s num_file_acls = %u, num_def_acls = %u\n",
164	smb_fname ? smb_fname_str_dbg(smb_fname) : fsp_str_dbg(fsp),
165	(unsigned int)num_file_acls,
166	--
167	2.5.0
168
169
170	From 28e6120d14e5a942df386db0444abaa93a764207 Mon Sep 17 00:00:00 2001
171	From: Jeremy Allison <jra@samba.org>
172	Date: Tue, 5 Jan 2016 11:24:36 -0800
173	Subject: [PATCH 5/8] CVE-2015-7560: s3: smbd: Refuse to get a POSIX ACL on a
174	symlink.
175
176	BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
177
178	Signed-off-by: Jeremy Allison <jra@samba.org>
179	Reviewed-by: Michael Adam <obnox@samba.org>
180	---
181	source3/smbd/trans2.c \| 7 +++++++
182	1 file changed, 7 insertions(+)
183
184	diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
185	index 2f01e87..3a098d1 100644
186	--- a/source3/smbd/trans2.c
187	+++ b/source3/smbd/trans2.c
188	@@ -4959,6 +4959,13 @@ NTSTATUS smbd_do_qfilepathinfo(connection_struct *conn,
189	uint16 num_file_acls = 0;
190	uint16 num_def_acls = 0;
191
192	+ status = refuse_symlink(conn,
193	+ fsp,
194	+ smb_fname->base_name);
195	+ if (!NT_STATUS_IS_OK(status)) {
196	+ return status;
197	+ }
198	+
199	if (fsp && fsp->fh->fd != -1) {
200	file_acl = SMB_VFS_SYS_ACL_GET_FD(fsp);
201	} else {
202	--
203	2.5.0
204
205
206	From 659bdb80aa65c02cf4f44377cc3bcffb2a817ee0 Mon Sep 17 00:00:00 2001
207	From: Jeremy Allison <jra@samba.org>
208	Date: Tue, 5 Jan 2016 11:05:48 -0800
209	Subject: [PATCH 6/8] CVE-2015-7560: s3: smbd: Set return values early, allows
210	removal of code duplication.
211
212	BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
213
214	Signed-off-by: Jeremy Allison <jra@samba.org>
215	Reviewed-by: Michael Adam <obnox@samba.org>
216	---
217	source3/smbd/trans2.c \| 13 +++++--------
218	1 file changed, 5 insertions(+), 8 deletions(-)
219
220	diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
221	index 3a098d1..6fdd1da 100644
222	--- a/source3/smbd/trans2.c
223	+++ b/source3/smbd/trans2.c
224	@@ -210,11 +210,12 @@ NTSTATUS get_ea_names_from_file(TALLOC_CTX mem_ctx, connection_struct conn,
225	size_t num_names;
226	ssize_t sizeret = -1;
227
228	+ if (pnames) {
229	+ *pnames = NULL;
230	+ }
231	+ *pnum_names = 0;
232	+
233	if (!lp_ea_support(SNUM(conn))) {
234	- if (pnames) {
235	- *pnames = NULL;
236	- }
237	- *pnum_names = 0;
238	return NT_STATUS_OK;
239	}
240
241	@@ -264,10 +265,6 @@ NTSTATUS get_ea_names_from_file(TALLOC_CTX mem_ctx, connection_struct conn,
242
243	if (sizeret == 0) {
244	TALLOC_FREE(names);
245	- if (pnames) {
246	- *pnames = NULL;
247	- }
248	- *pnum_names = 0;
249	return NT_STATUS_OK;
250	}
251
252	--
253	2.5.0
254
255
256	From 4ba5e7cf01b8074b0313ecb7e218355d771df1cc Mon Sep 17 00:00:00 2001
257	From: Jeremy Allison <jra@samba.org>
258	Date: Tue, 5 Jan 2016 11:29:38 -0800
259	Subject: [PATCH 7/8] CVE-2015-7560: s3: smbd: Silently return no EA's
260	available on a symlink.
261
262	BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
263
264	Signed-off-by: Jeremy Allison <jra@samba.org>
265	Reviewed-by: Michael Adam <obnox@samba.org>
266	---
267	source3/smbd/trans2.c \| 9 +++++++++
268	1 file changed, 9 insertions(+)
269
270	diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
271	index 6fdd1da..8b6e4b2 100644
272	--- a/source3/smbd/trans2.c
273	+++ b/source3/smbd/trans2.c
274	@@ -209,6 +209,7 @@ NTSTATUS get_ea_names_from_file(TALLOC_CTX mem_ctx, connection_struct conn,
275	char names, tmp;
276	size_t num_names;
277	ssize_t sizeret = -1;
278	+ NTSTATUS status;
279
280	if (pnames) {
281	*pnames = NULL;
282	@@ -219,6 +220,14 @@ NTSTATUS get_ea_names_from_file(TALLOC_CTX mem_ctx, connection_struct conn,
283	return NT_STATUS_OK;
284	}
285
286	+ status = refuse_symlink(conn, fsp, fname);
287	+ if (!NT_STATUS_IS_OK(status)) {
288	+ /*
289	+ * Just return no EA's on a symlink.
290	+ */
291	+ return NT_STATUS_OK;
292	+ }
293	+
294	/*
295	* TALLOC the result early to get the talloc hierarchy right.
296	*/
297	--
298	2.5.0
299
300
301	From 9d8c7274ab87a0c07367e872ca1db7fd72886fde Mon Sep 17 00:00:00 2001
302	From: Jeremy Allison <jra@samba.org>
303	Date: Tue, 5 Jan 2016 11:33:48 -0800
304	Subject: [PATCH 8/8] CVE-2015-7560: s3: smbd: Refuse to set EA's on a symlink.
305
306	BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
307
308	Signed-off-by: Jeremy Allison <jra@samba.org>
309	Reviewed-by: Michael Adam <obnox@samba.org>
310	---
311	source3/smbd/trans2.c \| 7 +++++++
312	1 file changed, 7 insertions(+)
313
314	diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
315	index 8b6e4b2..98fd2af 100644
316	--- a/source3/smbd/trans2.c
317	+++ b/source3/smbd/trans2.c
318	@@ -584,6 +584,7 @@ NTSTATUS set_ea(connection_struct conn, files_struct fsp,
319	const struct smb_filename smb_fname, struct ea_list ea_list)
320	{
321	char *fname = NULL;
322	+ NTSTATUS status;
323
324	if (!lp_ea_support(SNUM(conn))) {
325	return NT_STATUS_EAS_NOT_SUPPORTED;
326	@@ -593,6 +594,12 @@ NTSTATUS set_ea(connection_struct conn, files_struct fsp,
327	return NT_STATUS_ACCESS_DENIED;
328	}
329
330	+ status = refuse_symlink(conn, fsp, smb_fname->base_name);
331	+ if (!NT_STATUS_IS_OK(status)) {
332	+ return status;
333	+ }
334	+
335	+
336	/* For now setting EAs on streams isn't supported. */
337	fname = smb_fname->base_name;
338
339	--
340	2.5.0
341