From: Jeremy Allison <jra@samba.org>
Date: Tue, 5 Jan 2016 18:38:28 +0000 (-0800)
Subject: CVE-2015-7560: s3: smbd: Refuse to get an ACL from a POSIX file handle on a symlink.
X-Git-Tag: samba-4.1.23~29
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7f893ff4e635fd42ab5d02b0ef3504b899f79d04;p=thirdparty%2Fsamba.git

CVE-2015-7560: s3: smbd: Refuse to get an ACL from a POSIX file handle on a symlink.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
---

diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
index 131009b14c3..5a6a784b16d 100644
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -1912,6 +1912,13 @@ NTSTATUS smbd_do_query_security_desc(connection_struct *conn,
 		return NT_STATUS_ACCESS_DENIED;
 	}
 
+	if (S_ISLNK(fsp->fsp_name->st.st_ex_mode)) {
+		DEBUG(10, ("ACL get on symlink %s denied.\n",
+			fsp_str_dbg(fsp)));
+		TALLOC_FREE(frame);
+		return NT_STATUS_ACCESS_DENIED;
+	}
+
 	if (security_info_wanted & (SECINFO_DACL|SECINFO_OWNER|
 			SECINFO_GROUP|SECINFO_SACL)) {
 		/* Don't return SECINFO_LABEL if anything else was