From: Volker Lendecke <vl@samba.org>
Date: Mon, 17 Oct 2022 16:06:02 +0000 (+0200)
Subject: CVE-2022-3592 smbd: No empty path components in openat_pathref_dirfsp_nosymlink()
X-Git-Tag: talloc-2.4.0~654
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dc650bde6f97ea63d6105ead874b0249307db13b;p=thirdparty%2Fsamba.git

CVE-2022-3592 smbd: No empty path components in openat_pathref_dirfsp_nosymlink()

Upper layers must have filtered this, everything else is a bug

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15207
Signed-off-by: Volker Lendecke <vl@samba.org>
---

diff --git a/source3/smbd/files.c b/source3/smbd/files.c
index 87c1f0f6301..64297f18773 100644
--- a/source3/smbd/files.c
+++ b/source3/smbd/files.c
@@ -817,6 +817,12 @@ NTSTATUS openat_pathref_dirfsp_nosymlink(
 
 		next = strv_next(path, rel_fname.base_name);
 
+		/*
+		 * Path sanitizing further up has cleaned or rejected
+		 * empty path components. Assert this here.
+		 */
+		SMB_ASSERT(rel_fname.base_name[0] != '\0');
+
 		if (ISDOT(rel_fname.base_name) ||
 		    ISDOTDOT(rel_fname.base_name)) {
 			DBG_DEBUG("%s contains a dot\n", path_in);