From: Jeremy Allison <jra@samba.org>
Date: Mon, 5 Dec 2016 22:32:55 +0000 (-0800)
Subject: s3: smbd: Add missing permissions check on destination folder.
X-Git-Tag: samba-4.4.9~7
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e6b76e8f8f7f6bd38c6f32fa9fad108e73f1e803;p=thirdparty%2Fsamba.git

s3: smbd: Add missing permissions check on destination folder.

Based on code from Michael Zeis <mzeis.quantum@gmail.com>.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12460

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 91b591224ab7f8ea7b4594da9f61efef14353f7f)
---

diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index 9504d1b3039..3ba61a3b2bc 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -6589,6 +6589,7 @@ NTSTATUS rename_internals_fsp(connection_struct *conn,
 	struct smb_filename *smb_fname_dst = NULL;
 	NTSTATUS status = NT_STATUS_OK;
 	struct share_mode_lock *lck = NULL;
+	uint32_t access_mask = SEC_DIR_ADD_FILE;
 	bool dst_exists, old_is_stream, new_is_stream;
 
 	status = check_name(conn, smb_fname_dst_in->base_name);
@@ -6772,6 +6773,22 @@ NTSTATUS rename_internals_fsp(connection_struct *conn,
 		goto out;
 	}
 
+	/* Do we have rights to move into the destination ? */
+	if (S_ISDIR(fsp->fsp_name->st.st_ex_mode)) {
+		/* We're moving a directory. */
+		access_mask = SEC_DIR_ADD_SUBDIR;
+	}
+	status = check_parent_access(conn,
+				smb_fname_dst,
+				access_mask);
+	if (!NT_STATUS_IS_OK(status)) {
+		DBG_INFO("check_parent_access on "
+			"dst %s returned %s\n",
+			smb_fname_str_dbg(smb_fname_dst),
+			nt_errstr(status));
+		goto out;
+	}
+
 	lck = get_existing_share_mode_lock(talloc_tos(), fsp->file_id);
 
 	/*