| Revision | aaf1e07ac554b9674bf22394911ec8dd3a927826 (tree) |
|---|---|
| Zeit | 2006-05-08 04:11:33 |
| Autor | Olaf Kirch <okir@suse...> |
| Commiter | Willy TARREAU |
[PATCH] smbfs chroot issue (CVE-2006-1864)
Mark Moseley reported that a chroot environment on a SMB share can be
left via "cd ..\\". Similar to CVE-2006-1863 issue with cifs, this fix
is for smbfs.
Steven French <sfrench@us.ibm.com> wrote:
Looks fine to me. This should catch the slash on lookup or equivalent,
which will be all obvious paths of interest.
Back-ported to 2.4 by Willy Tarreau.
Signed-off-by: Willy Tarreau <willy@w.ods.org>
fs/smbfs/dir.c (diff)| @@ -416,6 +416,11 @@ smb_lookup(struct inode *dir, struct dentry *dentry) | ||
| 416 | 416 | if (dentry->d_name.len > SMB_MAXNAMELEN) |
| 417 | 417 | goto out; |
| 418 | 418 | |
| 419 | + /* Do not allow lookup of names with backslashes in */ | |
| 420 | + error = -EINVAL; | |
| 421 | + if (memchr(dentry->d_name.name, '\\', dentry->d_name.len)) | |
| 422 | + goto out; | |
| 423 | + | |
| 419 | 424 | error = smb_proc_getattr(dentry, &finfo); |
| 420 | 425 | #ifdef SMBFS_PARANOIA |
| 421 | 426 | if (error && error != -ENOENT) |
Linux Kernel Documents
Fork