2.4.36-stable kernel tree
Revision | aaf1e07ac554b9674bf22394911ec8dd3a927826 (tree) |
---|---|
Zeit | 2006-05-08 04:11:33 |
Autor | Olaf Kirch <okir@suse...> |
Commiter | Willy TARREAU |
[PATCH] smbfs chroot issue (CVE-2006-1864)
Mark Moseley reported that a chroot environment on a SMB share can be
left via "cd ..\\". Similar to CVE-2006-1863 issue with cifs, this fix
is for smbfs.
Steven French <sfrench@us.ibm.com> wrote:
Looks fine to me. This should catch the slash on lookup or equivalent,
which will be all obvious paths of interest.
Back-ported to 2.4 by Willy Tarreau.
Signed-off-by: Willy Tarreau <willy@w.ods.org>
@@ -416,6 +416,11 @@ smb_lookup(struct inode *dir, struct dentry *dentry) | ||
416 | 416 | if (dentry->d_name.len > SMB_MAXNAMELEN) |
417 | 417 | goto out; |
418 | 418 | |
419 | + /* Do not allow lookup of names with backslashes in */ | |
420 | + error = -EINVAL; | |
421 | + if (memchr(dentry->d_name.name, '\\', dentry->d_name.len)) | |
422 | + goto out; | |
423 | + | |
419 | 424 | error = smb_proc_getattr(dentry, &finfo); |
420 | 425 | #ifdef SMBFS_PARANOIA |
421 | 426 | if (error && error != -ENOENT) |