s3: smbd: Sanitize any "server" and "share" components of SMB1 DFS paths to remove...

(Back-ported from commit 20df26b908182f0455f301a51aeb54b6044af580)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15419

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(v4-17-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-17-test): Mon Aug 14 09:27:37 UTC 2023 on sn-devel-184

diff --git a/source3/smbd/smb2_reply.c b/source3/smbd/smb2_reply.c
index 0303db428f255c5093fde5f56cde8b9d8c92ca79..abd9b928b7e68d74e5ae35f0d6ea613fffa4bf0f 100644 (file)
--- a/source3/smbd/smb2_reply.c
+++ b/source3/smbd/smb2_reply.c
@@ -335,6 +335,7 @@ static size_t srvstr_get_path_internal(TALLOC_CTX *ctx,
                char *share = NULL;
                char *remaining_path = NULL;
                char path_sep = 0;
+               char *p = NULL;
 
                if (posix_pathnames && (dst[0] == '/')) {
                        path_sep = dst[0];
@@ -385,6 +386,16 @@ static size_t srvstr_get_path_internal(TALLOC_CTX *ctx,
                if (share == NULL) {
                        goto local_path;
                }
+               /*
+                * Ensure the server name does not contain
+                * any possible path components by converting
+                * them to _'s.
+                */
+               for (p = server + 1; p < share; p++) {
+                       if (*p == '/' || *p == '\\') {
+                               *p = '_';
+                       }
+               }
                /*
                 * It's a well formed DFS path with
                 * at least server and share components.
@@ -399,6 +410,16 @@ static size_t srvstr_get_path_internal(TALLOC_CTX *ctx,
                 */
                remaining_path = strchr(share+1, path_sep);
                if (remaining_path == NULL) {
+                       /*
+                        * Ensure the share name does not contain
+                        * any possible path components by converting
+                        * them to _'s.
+                        */
+                       for (p = share + 1; *p; p++) {
+                               if (*p == '/' || *p == '\\') {
+                                       *p = '_';
+                               }
+                       }
                        /*
                         * If no remaining path this was
                         * a bare /server/share path. Just return.
@@ -406,6 +427,16 @@ static size_t srvstr_get_path_internal(TALLOC_CTX *ctx,
                        *err = NT_STATUS_OK;
                        return ret;
                }
+               /*
+                * Ensure the share name does not contain
+                * any possible path components by converting
+                * them to _'s.
+                */
+               for (p = share + 1; p < remaining_path; p++) {
+                       if (*p == '/' || *p == '\\') {
+                               *p = '_';
+                       }
+               }
                *remaining_path = '/';
                dst = remaining_path + 1;
                /* dst now points at any following components. */