OpenWrt – Blame information for rev 1
?pathlinks?
| Rev | Author | Line No. | Line |
|---|---|---|---|
| 1 | office | 1 | From 8e49de7754f7171a58a1f94dee0f1138dbee3c60 Mon Sep 17 00:00:00 2001 |
| 2 | From: Jeremy Allison <jra@samba.org> |
||
| 3 | Date: Fri, 23 Oct 2015 14:54:31 -0700 |
||
| 4 | Subject: [PATCH] CVE-2015-5299: s3-shadow-copy2: fix missing access check on |
||
| 5 | snapdir |
||
| 6 | |||
| 7 | Fix originally from <partha@exablox.com> |
||
| 8 | |||
| 9 | https://bugzilla.samba.org/show_bug.cgi?id=11529 |
||
| 10 | |||
| 11 | Signed-off-by: Jeremy Allison <jra@samba.org> |
||
| 12 | Reviewed-by: David Disseldorp <ddiss@samba.org> |
||
| 13 | --- |
||
| 14 | source3/modules/vfs_shadow_copy2.c | 47 ++++++++++++++++++++++++++++++++++++++ |
||
| 15 | 1 file changed, 47 insertions(+) |
||
| 16 | |||
| 17 | --- a/source3/modules/vfs_shadow_copy2.c |
||
| 18 | +++ b/source3/modules/vfs_shadow_copy2.c |
||
| 19 | @@ -21,6 +21,8 @@ |
||
| 20 | |||
| 21 | #include "includes.h" |
||
| 22 | #include "smbd/smbd.h" |
||
| 23 | +#include "smbd/globals.h" |
||
| 24 | +#include "../libcli/security/security.h" |
||
| 25 | #include "system/filesys.h" |
||
| 26 | #include "ntioctl.h" |
||
| 27 | |||
| 28 | @@ -764,6 +766,43 @@ static int shadow_copy2_mkdir(vfs_handle |
||
| 29 | SHADOW2_NEXT(MKDIR, (handle, name, mode), int, -1); |
||
| 30 | } |
||
| 31 | |||
| 32 | +static bool check_access_snapdir(struct vfs_handle_struct *handle, |
||
| 33 | + const char *path) |
||
| 34 | +{ |
||
| 35 | + struct smb_filename smb_fname; |
||
| 36 | + int ret; |
||
| 37 | + NTSTATUS status; |
||
| 38 | + uint32_t access_granted = 0; |
||
| 39 | + |
||
| 40 | + ZERO_STRUCT(smb_fname); |
||
| 41 | + smb_fname.base_name = talloc_asprintf(talloc_tos(), |
||
| 42 | + "%s", |
||
| 43 | + path); |
||
| 44 | + if (smb_fname.base_name == NULL) { |
||
| 45 | + return false; |
||
| 46 | + } |
||
| 47 | + |
||
| 48 | + ret = SMB_VFS_NEXT_STAT(handle, &smb_fname); |
||
| 49 | + if (ret != 0 || !S_ISDIR(smb_fname.st.st_ex_mode)) { |
||
| 50 | + TALLOC_FREE(smb_fname.base_name); |
||
| 51 | + return false; |
||
| 52 | + } |
||
| 53 | + |
||
| 54 | + status = smbd_check_open_rights(handle->conn, |
||
| 55 | + &smb_fname, |
||
| 56 | + SEC_DIR_LIST, |
||
| 57 | + &access_granted); |
||
| 58 | + if (!NT_STATUS_IS_OK(status)) { |
||
| 59 | + DEBUG(0,("user does not have list permission " |
||
| 60 | + "on snapdir %s\n", |
||
| 61 | + smb_fname.base_name)); |
||
| 62 | + TALLOC_FREE(smb_fname.base_name); |
||
| 63 | + return false; |
||
| 64 | + } |
||
| 65 | + TALLOC_FREE(smb_fname.base_name); |
||
| 66 | + return true; |
||
| 67 | +} |
||
| 68 | + |
||
| 69 | static int shadow_copy2_rmdir(vfs_handle_struct *handle, const char *fname) |
||
| 70 | { |
||
| 71 | SHADOW2_NEXT(RMDIR, (handle, name), int, -1); |
||
| 72 | @@ -877,6 +916,7 @@ static int shadow_copy2_get_shadow_copy2 |
||
| 73 | SMB_STRUCT_DIRENT *d; |
||
| 74 | TALLOC_CTX *tmp_ctx = talloc_new(handle->data); |
||
| 75 | char *snapshot; |
||
| 76 | + bool ret; |
||
| 77 | |||
| 78 | snapdir = shadow_copy2_find_snapdir(tmp_ctx, handle); |
||
| 79 | if (snapdir == NULL) { |
||
| 80 | @@ -886,6 +926,13 @@ static int shadow_copy2_get_shadow_copy2 |
||
| 81 | talloc_free(tmp_ctx); |
||
| 82 | return -1; |
||
| 83 | } |
||
| 84 | + ret = check_access_snapdir(handle, snapdir); |
||
| 85 | + if (!ret) { |
||
| 86 | + DEBUG(0,("access denied on listing snapdir %s\n", snapdir)); |
||
| 87 | + errno = EACCES; |
||
| 88 | + talloc_free(tmp_ctx); |
||
| 89 | + return -1; |
||
| 90 | + } |
||
| 91 | |||
| 92 | p = SMB_VFS_NEXT_OPENDIR(handle, snapdir, NULL, 0); |
||
| 93 |