From 1c293060204d96bf94427f91eb20eb9decc29a41 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 11 Aug 2022 09:55:56 -0700 Subject: [PATCH] s3: smbd: Add IS_VETO_PATH check to openat_pathref_dirfsp_nosymlink(). Returns NT_STATUS_OBJECT_PATH_NOT_FOUND for directory component. Note IS_VETO_PATH only looks at the last component, so we must do it during the directory walk on each component. Note, we also have to check after a call to get_real_filename_at() as it may have demangled the client sent name into a filesystem name that matches the "veto files" parameter. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15143 Signed-off-by: Jeremy Allison Reviewed-by: Stefan Metzmacher --- source3/smbd/files.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/source3/smbd/files.c b/source3/smbd/files.c index af135d6e95a..a6c41f2b928 100644 --- a/source3/smbd/files.c +++ b/source3/smbd/files.c @@ -817,6 +817,14 @@ NTSTATUS openat_pathref_dirfsp_nosymlink( goto fail; } + /* Check veto files. */ + if (IS_VETO_PATH(conn, rel_fname.base_name)) { + DBG_DEBUG("%s contains veto files path component %s\n", + path_in, rel_fname.base_name); + status = NT_STATUS_OBJECT_PATH_NOT_FOUND; + goto fail; + } + rel_fname.base_name = next; } @@ -903,6 +911,8 @@ next: &how); if ((fd == -1) && (errno == ENOENT)) { + const char *orig_base_name = rel_fname.base_name; + status = get_real_filename_at( dirfsp, rel_fname.base_name, @@ -915,6 +925,14 @@ next: goto fail; } + /* Name might have been demangled - check veto files. */ + if (IS_VETO_PATH(conn, rel_fname.base_name)) { + DBG_DEBUG("%s contains veto files path component %s => %s\n", + path_in, orig_base_name, rel_fname.base_name); + status = NT_STATUS_OBJECT_PATH_NOT_FOUND; + goto fail; + } + fd = SMB_VFS_OPENAT( conn, dirfsp, -- 2.47.3