The Samba-Bugzilla – Attachment 16681 Details for Bug 14759: 4.15rc can leak meta-data about the directory containing the share path.
[patch] git-am fix for master.
Filename: bug-14759-master (text/plain), 3.39 KB
Creator: Jeremy Allison
Created: 2021-07-15 04:43:03 UTC
Description: git-am fix for master.
Attachment flags: patch, obsolete
>From b3024c7f8a0ea053e85609674804503ce8ab0420 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Wed, 14 Jul 2021 21:30:09 -0700 >Subject: [PATCH 1/2] s3: smbd: Allow async dosmode to cope with ".." pathnames > where we close smb_fname->fsp to prevent meta-data leakage. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14759 > >Signed-off-by: Jeremy Allison <jra@samba.org> >--- > source3/smbd/dosmode.c | 23 ++++++++++++++--------- > 1 file changed, 14 insertions(+), 9 deletions(-) > >diff --git a/source3/smbd/dosmode.c b/source3/smbd/dosmode.c >index 43c46867122..99cb8607944 100644 >--- a/source3/smbd/dosmode.c >+++ b/source3/smbd/dosmode.c >@@ -814,15 +814,20 @@ struct tevent_req *dos_mode_at_send(TALLOC_CTX *mem_ctx, > } > > if (smb_fname->fsp == NULL) { >- /* >- * The pathological case where a caller does >- * dos_mode_at_send() and smb_fname points at a >- * symlink in POSIX context. smb_fname->fsp is NULL. >- * >- * FIXME ? Should we move to returning >- * FILE_ATTRIBUTE_REPARSE_POINT here ? >- */ >- state->dosmode = FILE_ATTRIBUTE_NORMAL; >+ if (ISDOTDOT(smb_fname->base_name)) { >+ /* >+ * smb_fname->fsp is explicitly closed >+ * for ".." to prevent meta-data leakage. >+ */ >+ state->dosmode = FILE_ATTRIBUTE_DIRECTORY; >+ } else { >+ /* >+ * This is a symlink in POSIX context. >+ * FIXME ? Should we move to returning >+ * FILE_ATTRIBUTE_REPARSE_POINT here ? >+ */ >+ state->dosmode = FILE_ATTRIBUTE_NORMAL; >+ } > tevent_req_done(req); > return tevent_req_post(req, ev); > } >-- >2.27.0 > > >From beeab559c41a54c3bbf0c6c1a5cf5860e33a0977 Mon Sep 17 00:00:00 2001 
>From: Jeremy Allison <jra@samba.org> >Date: Wed, 14 Jul 2021 19:11:05 -0700 >Subject: [PATCH 2/2] s3: smbd: Don't leak meta-data about the containing > directory of the share root. > >This is a subtle one. In smbd_dirptr_get_entry() we now >open a pathref fsp on all entries - including "..". > >If we're at the root of the share we don't want >a handle to the directory above it, so silently >close the smb_fname->fsp for ".." names to prevent >it from being used to return meta-data to the client >(more than we already have done historically by >calling pathname functions on ".."). > >The marshalling returned entries and async DOS >code copes with smb_fname->fsp == NULL perfectly >well. > >Only in master, but will need fixing for 4.15.rc1 >or 2. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14759 > >Signed-off-by: Jeremy Allison <jra@samba.org> >--- > source3/smbd/dir.c | 25 +++++++++++++++++++++++++ > 1 file changed, 25 insertions(+) > >diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c >index 127e4b0d08d..4c807c3f85c 100644 >--- a/source3/smbd/dir.c >+++ b/source3/smbd/dir.c >@@ -946,6 +946,31 @@ bool smbd_dirptr_get_entry(TALLOC_CTX *ctx, > continue; > } > >+ /* >+ * Don't leak metadata about the containing >+ * directory of the share. >+ */ >+ if (dirptr_path_is_dot && ISDOTDOT(dname)) { >+ /* >+ * Making a copy here, then freeing >+ * the original will close the smb_fname->fsp. >+ */ >+ struct smb_filename *tmp_smb_fname = >+ cp_smb_filename(ctx, smb_fname); >+ >+ if (tmp_smb_fname == NULL) { >+ TALLOC_FREE(atname); >+ TALLOC_FREE(smb_fname); >+ TALLOC_FREE(dname); >+ TALLOC_FREE(fname); >+ return false; >+ } >+ TALLOC_FREE(smb_fname); >+ smb_fname = tmp_smb_fname; >+ mode = FILE_ATTRIBUTE_DIRECTORY; >+ get_dosmode = false; >+ } >+ > ok = mode_fn(ctx, > private_data, > dirptr->dir_hnd->fsp, >-- >2.27.0 >
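Review bot: In the dos_mode_at_send() hunk of patch 1/2, the new ".." branch decides on the name alone (`ISDOTDOT(smb_fname->base_name)`) that a NULL `smb_fname->fsp` means the handle was deliberately closed, but the comment does not say where that happens; since the close lives in smbd_dirptr_get_entry() (patch 2/2), name that function in the comment so a later reader does not treat the NULL fsp as a bug. Returning FILE_ATTRIBUTE_DIRECTORY here matches the `mode = FILE_ATTRIBUTE_DIRECTORY` that patch 2/2 sets on the synchronous path, so the two code paths agree; when this is backported to 4.15.rc, keep patch 1/2 ordered before 2/2 so the async-dosmode handling is in place before the fsp starts being closed.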
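Review bot: In the smbd_dirptr_get_entry() hunk of patch 2/2, the condition `if (dirptr_path_is_dot && ISDOTDOT(dname))` is what identifies "the root of the share" from the commit message, but the comment only says "Don't leak metadata about the containing directory of the share"; spell out that `dirptr_path_is_dot` is the share-root check so the guard is not loosened later. Closing the fsp by taking a copy with cp_smb_filename() and freeing the original is indirect; if there is a direct way to close just the pathref fsp on `smb_fname`, it would be clearer than relying on the destructor, and if not, the existing comment should say that is why the copy is made. On the failure path, the four `TALLOC_FREE()` calls followed by `return false` should be checked against the error-path convention used elsewhere in this function (the preceding `continue` path is not visible in the hunk) so nothing is double-freed or leaked. Setting `get_dosmode = false` with `mode = FILE_ATTRIBUTE_DIRECTORY` means the ".." entry no longer reports attributes read from the parent directory, which is the intended effect; note that `mode_fn()` is still called afterwards with `dirptr->dir_hnd->fsp`, which is the share-side handle, so that call does not reintroduce the leak.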
Flags: slow: review+
Attachments on bug 14759: 16681 | 16709