From: Jeremy Allison <jra@samba.org>
Date: Mon, 19 Dec 2016 20:13:20 +0000 (-0800)
Subject: CVE-2017-2619: s3: smbd: OpenDir_fsp() use early returns.
X-Git-Tag: samba-4.4.12~9
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8d8205239b6f08c7b7d1f4a094579b19529fd9ba;p=thirdparty%2Fsamba.git

CVE-2017-2619: s3: smbd: OpenDir_fsp() use early returns.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
---

diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c
index 39a6e677738..ea4f1ab6c44 100644
--- a/source3/smbd/dir.c
+++ b/source3/smbd/dir.c
@@ -1706,7 +1706,17 @@ static struct smb_Dir *OpenDir_fsp(TALLOC_CTX *mem_ctx, connection_struct *conn,
 	struct smbd_server_connection *sconn = conn->sconn;
 
 	if (!dirp) {
-		return NULL;
+		goto fail;
+	}
+
+	if (!fsp->is_directory) {
+		errno = EBADF;
+		goto fail;
+	}
+
+	if (fsp->fh->fd == -1) {
+		errno = EBADF;
+		goto fail;
 	}
 
 	dirp->conn = conn;
@@ -1723,18 +1733,16 @@ static struct smb_Dir *OpenDir_fsp(TALLOC_CTX *mem_ctx, connection_struct *conn,
 	}
 	talloc_set_destructor(dirp, smb_Dir_destructor);
 
-	if (fsp->is_directory && fsp->fh->fd != -1) {
-		dirp->dir = SMB_VFS_FDOPENDIR(fsp, mask, attr);
-		if (dirp->dir != NULL) {
-			dirp->fsp = fsp;
-		} else {
-			DEBUG(10,("OpenDir_fsp: SMB_VFS_FDOPENDIR on %s returned "
-				"NULL (%s)\n",
-				dirp->dir_path,
-				strerror(errno)));
-			if (errno != ENOSYS) {
-				return NULL;
-			}
+	dirp->dir = SMB_VFS_FDOPENDIR(fsp, mask, attr);
+	if (dirp->dir != NULL) {
+		dirp->fsp = fsp;
+	} else {
+		DEBUG(10,("OpenDir_fsp: SMB_VFS_FDOPENDIR on %s returned "
+			"NULL (%s)\n",
+			dirp->dir_path,
+			strerror(errno)));
+		if (errno != ENOSYS) {
+			return NULL;
 		}
 	}