openwrtv4/package/network/services/samba36/patches/010-patch-cve-2015-5252.patch

From 2e94b6ec10f1d15e24867bab3063bb85f173406a Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Thu, 9 Jul 2015 10:58:11 -0700
Subject: [PATCH] CVE-2015-5252: s3: smbd: Fix symlink verification (file
 access outside the share).

Ensure matching component ends in '/' or '\0'.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11395

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
---
 source3/smbd/vfs.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/source3/smbd/vfs.c b/source3/smbd/vfs.c
index 6c56964..bd93b7f 100644
--- a/source3/smbd/vfs.c
+++ b/source3/smbd/vfs.c
@@ -982,6 +982,7 @@ NTSTATUS check_reduced_name(connection_struct *conn, const char *fname)
 	if (!allow_widelinks || !allow_symlinks) {
 		const char *conn_rootdir;
 		size_t rootdir_len;
+		bool matched;
 
 		conn_rootdir = SMB_VFS_CONNECTPATH(conn, fname);
 		if (conn_rootdir == NULL) {
@@ -992,8 +993,10 @@ NTSTATUS check_reduced_name(connection_struct *conn, const char *fname)
 		}
 
 		rootdir_len = strlen(conn_rootdir);
-		if (strncmp(conn_rootdir, resolved_name,
-				rootdir_len) != 0) {
+		matched = (strncmp(conn_rootdir, resolved_name,
+				rootdir_len) == 0);
+		if (!matched || (resolved_name[rootdir_len] != '/' &&
+				 resolved_name[rootdir_len] != '\0')) {
 			DEBUG(2, ("check_reduced_name: Bad access "
 				"attempt: %s is a symlink outside the "
 				"share path\n", fname));
-- 
2.5.0
samba36: add three CVE patches from 2015-12-16 This is a patch for CVE-2015-5252, CVE-2015-5296 and CVE-2015-5299. A patchset for these vulnerabilities was published on 16th December 2015. Signed-off-by: Jan Čermák <jan.cermak@nic.cz> SVN-Revision: 48133 2016-01-05 10:42:52 +00:00			`From 2e94b6ec10f1d15e24867bab3063bb85f173406a Mon Sep 17 00:00:00 2001`
			`From: Jeremy Allison <jra@samba.org>`
			`Date: Thu, 9 Jul 2015 10:58:11 -0700`
			`Subject: [PATCH] CVE-2015-5252: s3: smbd: Fix symlink verification (file`
			`access outside the share).`

			`Ensure matching component ends in '/' or '\0'.`

			`BUG: https://bugzilla.samba.org/show_bug.cgi?id=11395`

			`Signed-off-by: Jeremy Allison <jra@samba.org>`
			`Reviewed-by: Volker Lendecke <vl@samba.org>`
			`---`
			`source3/smbd/vfs.c \| 7 +++++--`
			`1 file changed, 5 insertions(+), 2 deletions(-)`

			`diff --git a/source3/smbd/vfs.c b/source3/smbd/vfs.c`
			`index 6c56964..bd93b7f 100644`
			`--- a/source3/smbd/vfs.c`
			`+++ b/source3/smbd/vfs.c`
			`@@ -982,6 +982,7 @@ NTSTATUS check_reduced_name(connection_struct conn, const char fname)`
			`if (!allow_widelinks \|\| !allow_symlinks) {`
			`const char *conn_rootdir;`
			`size_t rootdir_len;`
			`+ bool matched;`

			`conn_rootdir = SMB_VFS_CONNECTPATH(conn, fname);`
			`if (conn_rootdir == NULL) {`
			`@@ -992,8 +993,10 @@ NTSTATUS check_reduced_name(connection_struct conn, const char fname)`
			`}`

			`rootdir_len = strlen(conn_rootdir);`
			`- if (strncmp(conn_rootdir, resolved_name,`
			`- rootdir_len) != 0) {`
			`+ matched = (strncmp(conn_rootdir, resolved_name,`
			`+ rootdir_len) == 0);`
			`+ if (!matched \|\| (resolved_name[rootdir_len] != '/' &&`
			`+ resolved_name[rootdir_len] != '\0')) {`
			`DEBUG(2, ("check_reduced_name: Bad access "`
			`"attempt: %s is a symlink outside the "`
			`"share path\n", fname));`
			`--`
			`2.5.0`