CVE-2026-1933: smbd: Add access checks to reparse point operations

On a share marked "read only = yes" and on file handles opened R/O
users can set or delete the reparse point xattrs on files that the
user has write-access in the file system for. Add the required access
checks.

Thanks to Asim Viladi Oglu Manizada for reporting the issue.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15992

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

diff --git a/source3/modules/util_reparse.c b/source3/modules/util_reparse.c
index 60373d7fd4e68c4e41d693e490f7c71ed30e6b93..75aa745e0701edd51a96f210ac5f6a4454b92e68 100644 (file)
--- a/source3/modules/util_reparse.c
+++ b/source3/modules/util_reparse.c
@@ -320,6 +320,14 @@ NTSTATUS fsctl_set_reparse_point(struct files_struct *fsp,
                return NT_STATUS_ACCESS_DENIED;
        }
 
+       if ((fsp->fsp_name->twrp != 0) ||
+           ((fsp->access_mask &
+             (SEC_FILE_WRITE_DATA | SEC_FILE_WRITE_ATTRIBUTE)) == 0))
+       {
+               DBG_DEBUG("Access denied on a readonly handle\n");
+               return NT_STATUS_ACCESS_DENIED;
+       }
+
        status = reparse_buffer_check(in_data,
                                      in_len,
                                      &reparse_tag,
@@ -390,6 +398,14 @@ NTSTATUS fsctl_del_reparse_point(struct files_struct *fsp,
        uint32_t dos_mode;
        int ret;
 
+       if ((fsp->fsp_name->twrp != 0) ||
+           ((fsp->access_mask &
+             (SEC_FILE_WRITE_DATA | SEC_FILE_WRITE_ATTRIBUTE)) == 0))
+       {
+               DBG_DEBUG("Access denied on a readonly handle\n");
+               return NT_STATUS_ACCESS_DENIED;
+       }
+
        status = fsctl_get_reparse_tag(fsp, &existing_tag);
        if (!NT_STATUS_IS_OK(status)) {
                return status;