From 5695af65160b285548c50e71b67c9dccf193dc9f Mon Sep 17 00:00:00 2001
From: Volker Lendecke
Date: Fri, 4 Nov 2022 13:53:21 +0100
Subject: [PATCH] smbd: Fix Bug 15221

In 4.17 process_symlink_open() will replace smb_fname_rel->base_name with the link target relative to the share root. So if the link target ends up in a subdirectory of a share, we put a target including a slash into the memcache. Later access will trust the stat cache, passing the target directly to openat_pathref_fsp() which will panic if it gets a real dirfsp and a relname with a slash.

Name mangling is not required: Accessing a symlink pointing at a subdirectory at least 2 levels deep in the share with a wrong upper/lower case combination reproduces it.

This patch is really a workaround. The "real" fix would be to backport the patches removing process_symlink_open() from master, but this is a bigger change.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15221

Signed-off-by: Volker Lendecke
---
 source3/smbd/filename.c | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/source3/smbd/filename.c b/source3/smbd/filename.c
index e7873eb124f..2e03c6a5ab7 100644
--- a/source3/smbd/filename.c
+++ b/source3/smbd/filename.c
@@ -943,12 +943,16 @@ lookup:
 }
 if (NT_STATUS_IS_OK(status) && (cache_key.data != NULL)) {
- DATA_BLOB value = {
- .data = (uint8_t *)smb_fname_rel->base_name,
- .length = strlen(smb_fname_rel->base_name) + 1,
- };
-
- memcache_add(NULL, GETREALFILENAME_CACHE, cache_key, value);
+ const char *slash = strchr_m(smb_fname_rel->base_name, '/');
+
+ if (slash == NULL) {
+ DATA_BLOB value = {
+ .data = (uint8_t *)smb_fname_rel->base_name,
+ .length = strlen(smb_fname_rel->base_name) + 1,
+ };
+ memcache_add(
+ NULL, GETREALFILENAME_CACHE, cache_key, value);
+ }
 }
 TALLOC_FREE(cache_key.data);
-- 
2.30.2
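Review bot: The new `slash == NULL` guard carries no in-code explanation of why a '/' in smb_fname_rel->base_name must keep the entry out of GETREALFILENAME_CACHE; that reasoning lives only in the commit message, so a later reader of filename.c will see an unexplained skip and may be tempted to "fix" it. A comment above the strchr_m() call would close that gap, e.g. `/* process_symlink_open() may have rewritten base_name to a share-relative link target containing '/'. Never cache such a name: a later cache hit hands it to openat_pathref_fsp() with a real dirfsp, which panics on a relname with a slash (bug 15221). */`. Since the description itself calls this a workaround pending the removal of process_symlink_open(), saying so in the same comment would mark the guard for cleanup once that backport lands. The enclosing function starts and ends outside the hunk.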