44b6a5e549
This is a patch for CVE-2015-5252, CVE-2015-5296 and CVE-2015-5299. A patchset for these vulnerabilities was published on 16th December 2015. Signed-off-by: Jan Čermák <jan.cermak@nic.cz> SVN-Revision: 48133
43 lines
1.4 KiB
Diff
43 lines
1.4 KiB
Diff
From 2e94b6ec10f1d15e24867bab3063bb85f173406a Mon Sep 17 00:00:00 2001
|
|
From: Jeremy Allison <jra@samba.org>
|
|
Date: Thu, 9 Jul 2015 10:58:11 -0700
|
|
Subject: [PATCH] CVE-2015-5252: s3: smbd: Fix symlink verification (file
|
|
access outside the share).
|
|
|
|
Ensure matching component ends in '/' or '\0'.
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11395
|
|
|
|
Signed-off-by: Jeremy Allison <jra@samba.org>
|
|
Reviewed-by: Volker Lendecke <vl@samba.org>
|
|
---
|
|
source3/smbd/vfs.c | 7 +++++--
|
|
1 file changed, 5 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/source3/smbd/vfs.c b/source3/smbd/vfs.c
|
|
index 6c56964..bd93b7f 100644
|
|
--- a/source3/smbd/vfs.c
|
|
+++ b/source3/smbd/vfs.c
|
|
@@ -982,6 +982,7 @@ NTSTATUS check_reduced_name(connection_struct *conn, const char *fname)
|
|
if (!allow_widelinks || !allow_symlinks) {
|
|
const char *conn_rootdir;
|
|
size_t rootdir_len;
|
|
+ bool matched;
|
|
|
|
conn_rootdir = SMB_VFS_CONNECTPATH(conn, fname);
|
|
if (conn_rootdir == NULL) {
|
|
@@ -992,8 +993,10 @@ NTSTATUS check_reduced_name(connection_struct *conn, const char *fname)
|
|
}
|
|
|
|
rootdir_len = strlen(conn_rootdir);
|
|
- if (strncmp(conn_rootdir, resolved_name,
|
|
- rootdir_len) != 0) {
|
|
+ matched = (strncmp(conn_rootdir, resolved_name,
|
|
+ rootdir_len) == 0);
|
|
+ if (!matched || (resolved_name[rootdir_len] != '/' &&
|
|
+ resolved_name[rootdir_len] != '\0')) {
|
|
DEBUG(2, ("check_reduced_name: Bad access "
|
|
"attempt: %s is a symlink outside the "
|
|
"share path\n", fname));
|
|
--
|
|
2.5.0
|