From: Jeremy Allison
Date: Thu, 15 Jul 2021 02:11:05 +0000 (-0700)
Subject: s3: smbd: Don't leak meta-data about the containing directory of the share root.
X-Git-Tag: ldb-2.5.0~1044
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2acad27686074029ac83c66b42bb37eea380f449;p=thirdparty%2Fsamba.git

s3: smbd: Don't leak meta-data about the containing directory of the share root.

This is a subtle one.

In smbd_dirptr_get_entry() we now open a pathref fsp on all entries - including "..". If we're at the root of the share we don't want a handle to the directory above it, so silently close the smb_fname->fsp for ".." names to prevent it from being used to return meta-data to the client (more than we already have done historically by calling pathname functions on "..").

The marshalling returned entries and async DOS code copes with smb_fname->fsp == NULL perfectly well.

Only in master, but will need fixing for 4.15.rc1 or 2.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14759

Signed-off-by: Jeremy Allison
Reviewed-by: Ralph Boehme

Autobuild-User(master): Ralph Böhme
Autobuild-Date(master): Wed Jul 28 15:07:54 UTC 2021 on sn-devel-184
---
diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c
index 127e4b0d08d..4c807c3f85c 100644
--- a/source3/smbd/dir.c
+++ b/source3/smbd/dir.c
@@ -946,6 +946,31 @@ bool smbd_dirptr_get_entry(TALLOC_CTX *ctx, continue; } + /* + * Don't leak metadata about the containing + * directory of the share. + */ + if (dirptr_path_is_dot && ISDOTDOT(dname)) { + /* + * Making a copy here, then freeing + * the original will close the smb_fname->fsp. + */ + struct smb_filename *tmp_smb_fname = + cp_smb_filename(ctx, smb_fname); + + if (tmp_smb_fname == NULL) { + TALLOC_FREE(atname); + TALLOC_FREE(smb_fname); + TALLOC_FREE(dname); + TALLOC_FREE(fname); + return false; + } + TALLOC_FREE(smb_fname); + smb_fname = tmp_smb_fname; + mode = FILE_ATTRIBUTE_DIRECTORY; + get_dosmode = false; + } + ok = mode_fn(ctx, private_data, dirptr->dir_hnd->fsp,
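Review bot: The closing of the parent-directory handle in the `dirptr_path_is_dot && ISDOTDOT(dname)` branch rests on an unstated contract that cp_smb_filename() does not carry smb_fname->fsp over into the copy; the comment "freeing the original will close the smb_fname->fsp" describes the intent, but nothing in the hunk checks it, so a later change to cp_smb_filename() that propagated the fsp would silently hand the share's parent directory back to the client. Suggest stating that contract explicitly right after the copy, either as a comment on `smb_fname = tmp_smb_fname;` or as an assertion that `tmp_smb_fname->fsp == NULL` before `mode = FILE_ATTRIBUTE_DIRECTORY;`, and confirm that the four TALLOC_FREE calls on the `tmp_smb_fname == NULL` path (atname, smb_fname, dname, fname) match the cleanup performed by the function's other early `return false` paths, which are outside this hunk. A test that lists a share root and checks the attributes returned for ".." would pin down the `get_dosmode = false` behaviour the commit message says the marshalling code already tolerates.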