From b3024c7f8a0ea053e85609674804503ce8ab0420 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Wed, 14 Jul 2021 21:30:09 -0700
Subject: [PATCH 1/2] s3: smbd: Allow async dosmode to cope with ".." pathnames where we close smb_fname->fsp to prevent meta-data leakage.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14759
Signed-off-by: Jeremy Allison
---
 source3/smbd/dosmode.c | 23 ++++++++++++++---------
 1 file changed, 14 insertions(+), 9 deletions(-)
diff --git a/source3/smbd/dosmode.c b/source3/smbd/dosmode.c
index 43c46867122..99cb8607944 100644
--- a/source3/smbd/dosmode.c
+++ b/source3/smbd/dosmode.c
@@ -814,15 +814,20 @@ struct tevent_req *dos_mode_at_send(TALLOC_CTX *mem_ctx,
 }

 if (smb_fname->fsp == NULL) {
- /*
- * The pathological case where a caller does
- * dos_mode_at_send() and smb_fname points at a
- * symlink in POSIX context. smb_fname->fsp is NULL.
- *
- * FIXME ? Should we move to returning
- * FILE_ATTRIBUTE_REPARSE_POINT here ?
- */
- state->dosmode = FILE_ATTRIBUTE_NORMAL;
+ if (ISDOTDOT(smb_fname->base_name)) {
+ /*
+ * smb_fname->fsp is explicitly closed
+ * for ".." to prevent meta-data leakage.
+ */
+ state->dosmode = FILE_ATTRIBUTE_DIRECTORY;
+ } else {
+ /*
+ * This is a symlink in POSIX context.
+ * FIXME ? Should we move to returning
+ * FILE_ATTRIBUTE_REPARSE_POINT here ?
+ */
+ state->dosmode = FILE_ATTRIBUTE_NORMAL;
+ }
 tevent_req_done(req);
 return tevent_req_post(req, ev);
 }
--
2.27.0
From beeab559c41a54c3bbf0c6c1a5cf5860e33a0977 Mon Sep 17 00:00:00 2001
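Review bot: The new `ISDOTDOT(smb_fname->base_name)` branch infers "fsp was deliberately closed" purely from the name, so any caller that reaches dos_mode_at_send() with a ".." base_name and a NULL fsp for some other reason is silently reported as FILE_ATTRIBUTE_DIRECTORY; that is right for the share-root listing case this series creates, but the coupling to that one caller is not written down. I would extend the added comment to name the source of the invariant, e.g. `/* Only the share-root ".." entry from smbd_dirptr_get_entry() arrives here with a NULL fsp; ISDOTDOT matches the bare ".." name, not "sub/..". */`, so the next reader of a NULL fsp knows which caller to check. Note that ISDOTDOT matching only the bare ".." is what keeps this from applying to subdirectory listings, if I read the companion dir.c change correctly, so that restriction deserves to be stated here rather than left implicit. dos_mode_at_send() starts before and continues after this hunk.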
From: Jeremy Allison
Date: Wed, 14 Jul 2021 19:11:05 -0700
Subject: [PATCH 2/2] s3: smbd: Don't leak meta-data about the containing directory of the share root. This is a subtle one. In smbd_dirptr_get_entry() we now open a pathref fsp on all entries - including "..". If we're at the root of the share we don't want a handle to the directory above it, so silently close the smb_fname->fsp for ".." names to prevent it from being used to return meta-data to the client (more than we already have done historically by calling pathname functions on ".."). The marshalling returned entries and async DOS code copes with smb_fname->fsp == NULL perfectly well. Only in master, but will need fixing for 4.15.rc1 or 2.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14759
Signed-off-by: Jeremy Allison
---
 source3/smbd/dir.c | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c
index 127e4b0d08d..4c807c3f85c 100644
--- a/source3/smbd/dir.c
+++ b/source3/smbd/dir.c
@@ -946,6 +946,31 @@ bool smbd_dirptr_get_entry(TALLOC_CTX *ctx,
 continue;
 }

+ /*
+ * Don't leak metadata about the containing
+ * directory of the share.
+ */
+ if (dirptr_path_is_dot && ISDOTDOT(dname)) {
+ /*
+ * Making a copy here, then freeing
+ * the original will close the smb_fname->fsp.
+ */
+ struct smb_filename *tmp_smb_fname =
+ cp_smb_filename(ctx, smb_fname);
+
+ if (tmp_smb_fname == NULL) {
+ TALLOC_FREE(atname);
+ TALLOC_FREE(smb_fname);
+ TALLOC_FREE(dname);
+ TALLOC_FREE(fname);
+ return false;
+ }
+ TALLOC_FREE(smb_fname);
+ smb_fname = tmp_smb_fname;
+ mode = FILE_ATTRIBUTE_DIRECTORY;
+ get_dosmode = false;
+ }
+
 ok = mode_fn(ctx,
 private_data,
 dirptr->dir_hnd->fsp,
--
2.27.0
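Review bot: The parent-directory handle is closed only indirectly here — the block relies on cp_smb_filename() not carrying fsp over to the copy and on freeing the old smb_fname closing the handle — and neither property is checked at the point where the leak is meant to be plugged. After `smb_fname = tmp_smb_fname;` I would add `SMB_ASSERT(smb_fname->fsp == NULL);` so that a later change to cp_smb_filename() that starts copying fsp fails loudly instead of quietly reopening the leak, and widen the comment to state that the copy is expected to arrive with no fsp. The four TALLOC_FREE calls on the cp_smb_filename() failure path look like the function's general cleanup, but the rest of smbd_dirptr_get_entry() is outside the hunk, so I cannot confirm they match its other return-false paths. Since `mode` is forced to FILE_ATTRIBUTE_DIRECTORY and `get_dosmode` cleared, the share-root ".." entry never reflects the real parent's other attribute bits; that is the intended behaviour and is worth one line in the comment, e.g. `/* Report a plain directory; we deliberately know nothing else about it. */`.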