From f43ecce46a89c6380317fbb5f2ae38f48d3d42c8 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Tue, 7 Jul 2020 18:25:23 -0700
Subject: [PATCH] s3: smbd: Ensure change notifies can't get set unless the
 directory handle is open for SEC_DIR_LIST.

Remove knownfail entry.

CVE-2020-14318

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14434

Signed-off-by: Jeremy Allison <jra@samba.org>
---
 selftest/knownfail.d/smb2_notify_handle_permissions | 2 --
 source3/smbd/notify.c                               | 8 ++++++++
 2 files changed, 8 insertions(+), 2 deletions(-)
 delete mode 100644 selftest/knownfail.d/smb2_notify_handle_permissions

diff --git a/selftest/knownfail.d/smb2_notify_handle_permissions b/selftest/knownfail.d/smb2_notify_handle_permissions
deleted file mode 100644
index c0ec8fc8153..00000000000
--- a/selftest/knownfail.d/smb2_notify_handle_permissions
+++ /dev/null
@@ -1,2 +0,0 @@
-^samba3.smb2.notify.handle-permissions
-
diff --git a/source3/smbd/notify.c b/source3/smbd/notify.c
index b36a4c0003a..68553686fa2 100644
--- a/source3/smbd/notify.c
+++ b/source3/smbd/notify.c
@@ -289,6 +289,14 @@ NTSTATUS change_notify_create(struct files_struct *fsp,
 	char fullpath[len+1];
 	NTSTATUS status = NT_STATUS_NOT_IMPLEMENTED;
 
+	/*
+	 * Setting a changenotify needs READ/LIST access
+	 * on the directory handle.
+	 */
+	if (!(fsp->access_mask & SEC_DIR_LIST)) {
+		return NT_STATUS_ACCESS_DENIED;
+	}
+
 	if (fsp->notify != NULL) {
 		DEBUG(1, ("change_notify_create: fsp->notify != NULL, "
 			  "fname = %s\n", fsp->fsp_name->base_name));
-- 
2.47.2