From: Jeremy Allison Date: Wed, 26 Jul 2023 00:41:04 +0000 (-0700) Subject: CVE-2023-3961:s3:smbd: Catch any incoming pipe path that could exit socket_dir. X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=23199e115457e8054c905eedee95ebee114809e0;p=thirdparty%2Fsamba.git CVE-2023-3961:s3:smbd: Catch any incoming pipe path that could exit socket_dir. For now, SMB_ASSERT() to exit the server. We will remove this once the test code is in place. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422 Signed-off-by: Jeremy Allison --- diff --git a/source3/rpc_client/local_np.c b/source3/rpc_client/local_np.c index 0b323404f06..95228d5d801 100644 --- a/source3/rpc_client/local_np.c +++ b/source3/rpc_client/local_np.c @@ -542,6 +542,24 @@ struct tevent_req *local_np_connect_send( return tevent_req_post(req, ev); } + /* + * Ensure we cannot process a path that exits + * the socket_dir. + */ + if (ISDOTDOT(lower_case_pipename) || + (strchr(lower_case_pipename, '/')!=NULL)) + { + DBG_DEBUG("attempt to connect to invalid pipe pathname %s\n", + lower_case_pipename); + /* + * For now, panic the server until we have + * the test code in place. + */ + SMB_ASSERT(false); + tevent_req_error(req, ENOENT); + return tevent_req_post(req, ev); + } + state->socketpath = talloc_asprintf( state, "%s/np/%s", socket_dir, lower_case_pipename); if (tevent_req_nomem(state->socketpath, req)) {
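Review bot: The `SMB_ASSERT(false)` in the new rejection branch of `local_np_connect_send()` turns an invalid incoming pipe name into a server panic. It also leaves the `tevent_req_error(req, ENOENT);` and `return tevent_req_post(req, ev);` lines after it unreachable for as long as the assert stays. The commit message says the assert is temporary, so the follow-up should drop it and let the branch fail the request with ENOENT, as those two lines already intend. The test code should cover both conditions of the check: the `ISDOTDOT(lower_case_pipename)` case and a name containing '/'. Consider logging the rejection above debug level too, since `DBG_DEBUG` records the rejected name only when debug-level logging is enabled, which makes such attempts hard to spot in operation.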