[SCM] Samba Shared Repository - branch v4-6-stable updated

Karolin Seeger kseeger at samba.org
Thu Mar 23 08:51:59 UTC 2017


The branch, v4-6-stable has been updated
       via  1a8f3cf VERSION: Disable GIT_SNAPSHOTS for the 4.6.1 release.
       via  2d44083 WHATSNEW: Add release notes for Samba 4.6.1.
       via  d9475c9 CVE-2017-2619: s3: smbd: Use the new non_widelink_open() function.
       via  22a8d4e CVE-2017-2619: s3: smbd: Add the core functions to prevent symlink open races.
       via  86b913f CVE-2017-2619: s3: smbd: Move special handling of symlink errno's into a utility function.
       via  49edefe CVE-2017-2619: s3: smbd: Remove O_NOFOLLOW guards. We insist on O_NOFOLLOW existing.
       via  7a61eb2 CVE-2017-2619: s3: smbd: Correctly fallback to open_dir_safely if FDOPENDIR not supported on system.
       via  16de606 CVE-2017-2619: s3: smbd: Move the reference counting and destructor setup to just before retuning success.
       via  e558347 CVE-2017-2619: s3: smbd: OpenDir_fsp() - Fix memory leak on error.
       via  a98b3a1 CVE-2017-2619: s3: smbd: OpenDir_fsp() use early returns.
       via  556f7dd CVE-2017-2619: s3: smbd: Create and use open_dir_safely(). Use from OpenDir().
       via  a028e01 CVE-2017-2619: s3: smbd: Opendir_internal() early return if SMB_VFS_OPENDIR failed.
       via  0eae801 CVE-2017-2619: s3: smbd: Create wrapper function for OpenDir in preparation for making robust.
       via  7609944 CVE-2017-2619: s4/torture: add SMB2_FIND tests with SMB2_CONTINUE_FLAG_REOPEN flag
       via  d7644e3 CVE-2017-2619: s3/smbd: re-open directory after dptr_CloseDir()
       via  1325da1 VERSION: Bump version up to 4.6.1...
      from  f17816a VERSION: Disable GIT_SNAPSHOTS for the 4.6.0 release.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-6-stable


- Log -----------------------------------------------------------------
commit 1a8f3cfb4ebc21a0889c7692591ae41a46d7dfb2
Author: Karolin Seeger <kseeger at samba.org>
Date:   Fri Mar 17 11:54:34 2017 +0100

    VERSION: Disable GIT_SNAPSHOTS for the 4.6.1 release.
    
    CVE-2017-2619: Symlink race allows access outside share definition.
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>

commit 2d44083d28daccdf10934d6badb7a1ef55a90f4b
Author: Karolin Seeger <kseeger at samba.org>
Date:   Fri Mar 17 11:51:42 2017 +0100

    WHATSNEW: Add release notes for Samba 4.6.1.
    
    CVE-2017-2619: Symlink race allows access outside share definition.
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>

commit d9475c95d2eb452f2527f351c1b825dfe45e0fae
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Dec 15 13:06:31 2016 -0800

    CVE-2017-2619: s3: smbd: Use the new non_widelink_open() function.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Uri Simchoni <uri at samba.org>

commit 22a8d4e802b50a73a78c39d12c33397808debbcd
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Dec 15 13:04:46 2016 -0800

    CVE-2017-2619: s3: smbd: Add the core functions to prevent symlink open races.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Uri Simchoni <uri at samba.org>

commit 86b913f59198d1a397f9136c221f74da0ee7f415
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Dec 15 12:56:08 2016 -0800

    CVE-2017-2619: s3: smbd: Move special handling of symlink errno's into a utility function.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Uri Simchoni <uri at samba.org>

commit 49edefe2ebd9c43e90d4ff295a3fee65c375607a
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Dec 15 12:52:13 2016 -0800

    CVE-2017-2619: s3: smbd: Remove O_NOFOLLOW guards. We insist on O_NOFOLLOW existing.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Uri Simchoni <uri at samba.org>

commit 7a61eb2f964b2930dad423bf23c9697ce2503914
Author: Jeremy Allison <jra at samba.org>
Date:   Mon Dec 19 12:35:32 2016 -0800

    CVE-2017-2619: s3: smbd: Correctly fallback to open_dir_safely if FDOPENDIR not supported on system.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Uri Simchoni <uri at samba.org>

commit 16de60625cdc678c5d14020a6557cbac3d3bf13d
Author: Jeremy Allison <jra at samba.org>
Date:   Mon Dec 19 12:32:07 2016 -0800

    CVE-2017-2619: s3: smbd: Move the reference counting and destructor setup to just before retuning success.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Uri Simchoni <uri at samba.org>

commit e558347120df675fcf65bd9ddba706405d8af3e9
Author: Jeremy Allison <jra at samba.org>
Date:   Mon Dec 19 12:15:59 2016 -0800

    CVE-2017-2619: s3: smbd: OpenDir_fsp() - Fix memory leak on error.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Uri Simchoni <uri at samba.org>

commit a98b3a162160567092773cee82e6b396c9dae2cf
Author: Jeremy Allison <jra at samba.org>
Date:   Mon Dec 19 12:13:20 2016 -0800

    CVE-2017-2619: s3: smbd: OpenDir_fsp() use early returns.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Uri Simchoni <uri at samba.org>

commit 556f7dd4a5d245c49ef52ae639c9671245713fe7
Author: Jeremy Allison <jra at samba.org>
Date:   Mon Dec 19 16:35:00 2016 -0800

    CVE-2017-2619: s3: smbd: Create and use open_dir_safely(). Use from OpenDir().
    
    Hardens OpenDir against TOC/TOU races.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Uri Simchoni <uri at samba.org>

commit a028e01a2b0126dd61606aa16d98ed4696ccfbab
Author: Jeremy Allison <jra at samba.org>
Date:   Mon Dec 19 16:25:26 2016 -0800

    CVE-2017-2619: s3: smbd: Opendir_internal() early return if SMB_VFS_OPENDIR failed.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Uri Simchoni <uri at samba.org>

commit 0eae80125b456419075c6c358f38079402add156
Author: Jeremy Allison <jra at samba.org>
Date:   Mon Dec 19 11:55:56 2016 -0800

    CVE-2017-2619: s3: smbd: Create wrapper function for OpenDir in preparation for making robust.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Uri Simchoni <uri at samba.org>

commit 76099445c87fabc8741ee0e3f538452caf67e474
Author: Ralph Boehme <slow at samba.org>
Date:   Sun Mar 19 18:52:10 2017 +0100

    CVE-2017-2619: s4/torture: add SMB2_FIND tests with SMB2_CONTINUE_FLAG_REOPEN flag
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12496
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Uri Simchoni <uri at samba.org>

commit d7644e3588511dbc3ee2a39a019ab898324c3ae5
Author: Ralph Boehme <slow at samba.org>
Date:   Sun Mar 19 15:58:17 2017 +0100

    CVE-2017-2619: s3/smbd: re-open directory after dptr_CloseDir()
    
    dptr_CloseDir() will close and invalidate the fsp's file descriptor, we
    have to reopen it.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12496
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Uri Simchoni <uri at samba.org>

commit 1325da1899fbdce022143558caa86685e45ca91a
Author: Karolin Seeger <kseeger at samba.org>
Date:   Tue Mar 7 10:06:53 2017 +0100

    VERSION: Bump version up to 4.6.1...
    
    and re-enable GIT_SNAPSHOTS.
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>
    (cherry picked from commit 074aaeb61ea2f48965becc66df9083628b9a2508)

-----------------------------------------------------------------------

Summary of changes:
 VERSION                             |   2 +-
 WHATSNEW.txt                        |  78 ++++++++-
 source3/smbd/dir.c                  | 161 ++++++++++++++-----
 source3/smbd/open.c                 | 310 +++++++++++++++++++++++++++++++++---
 source3/smbd/smb2_query_directory.c |  17 ++
 source4/torture/smb2/dir.c          |  12 +-
 6 files changed, 511 insertions(+), 69 deletions(-)


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index 28167de..8632851 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 ########################################################
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=6
-SAMBA_VERSION_RELEASE=0
+SAMBA_VERSION_RELEASE=1
 
 ########################################################
 # If a official release has a serious bug              #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 66597bf..02935d7 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,5 +1,79 @@
-Release Announcements
-=====================
+                   =============================
+                   Release Notes for Samba 4.6.1
+                           March 23, 2017
+                   =============================
+
+
+This is a security release in order to address the following defect:
+
+o  CVE-2017-2619 (Symlink race allows access outside share definition)
+
+=======
+Details
+=======
+
+o  CVE-2017-2619:
+   All versions of Samba prior to 4.6.1, 4.5.7, 4.4.11 are vulnerable to
+   a malicious client using a symlink race to allow access to areas of
+   the server file system not exported under the share definition.
+
+   Samba uses the realpath() system call to ensure when a client requests
+   access to a pathname that it is under the exported share path on the
+   server file system.
+
+   Clients that have write access to the exported part of the file system
+   via SMB1 unix extensions or NFS to create symlinks can race the server
+   by renaming a realpath() checked path and then creating a symlink. If
+   the client wins the race it can cause the server to access the new
+   symlink target after the exported share path check has been done. This
+   new symlink target can point to anywhere on the server file system.
+
+   This is a difficult race to win, but theoretically possible. Note that
+   the proof of concept code supplied wins the race reliably only when
+   the server is slowed down using the strace utility running on the
+   server. Exploitation of this bug has not been seen in the wild.
+
+
+Changes since 4.6.0:
+--------------------
+
+o  Jeremy Allison <jra at samba.org>
+   * BUG 12496: CVE-2017-2619: Symlink race permits opening files outside share
+     directory.
+
+o  Ralph Boehme <slow at samba.org>
+   * BUG 12496: CVE-2017-2619: Symlink race permits opening files outside share
+     directory.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
+		   ==============================
+                   Release Notes for Samba 4.6.0
+                           March 7, 2017
+                   ==============================
+
 
 This is the first stable release of Samba 4.6.
 Please read the release notes carefully before upgrading.
diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c
index 3c6f000..1348d12 100644
--- a/source3/smbd/dir.c
+++ b/source3/smbd/dir.c
@@ -1630,7 +1630,8 @@ static int smb_Dir_destructor(struct smb_Dir *dirp)
  Open a directory.
 ********************************************************************/
 
-struct smb_Dir *OpenDir(TALLOC_CTX *mem_ctx, connection_struct *conn,
+static struct smb_Dir *OpenDir_internal(TALLOC_CTX *mem_ctx,
+			connection_struct *conn,
 			const struct smb_filename *smb_dname,
 			const char *mask,
 			uint32_t attr)
@@ -1642,29 +1643,23 @@ struct smb_Dir *OpenDir(TALLOC_CTX *mem_ctx, connection_struct *conn,
 		return NULL;
 	}
 
-	dirp->conn = conn;
-	dirp->name_cache_size = lp_directory_name_cache_size(SNUM(conn));
+	dirp->dir = SMB_VFS_OPENDIR(conn, smb_dname, mask, attr);
 
-	dirp->dir_smb_fname = cp_smb_filename(dirp, smb_dname);
-	if (!dirp->dir_smb_fname) {
-		errno = ENOMEM;
+	if (!dirp->dir) {
+		DEBUG(5,("OpenDir: Can't open %s. %s\n",
+			smb_dname->base_name,
+			strerror(errno) ));
 		goto fail;
 	}
 
+	dirp->conn = conn;
+	dirp->name_cache_size = lp_directory_name_cache_size(SNUM(conn));
+
 	if (sconn && !sconn->using_smb2) {
 		sconn->searches.dirhandles_open++;
 	}
 	talloc_set_destructor(dirp, smb_Dir_destructor);
 
-	dirp->dir = SMB_VFS_OPENDIR(conn, dirp->dir_smb_fname, mask, attr);
-
-	if (!dirp->dir) {
-		DEBUG(5,("OpenDir: Can't open %s. %s\n",
-			dirp->dir_smb_fname->base_name,
-			strerror(errno) ));
-		goto fail;
-	}
-
 	return dirp;
 
   fail:
@@ -1672,6 +1667,87 @@ struct smb_Dir *OpenDir(TALLOC_CTX *mem_ctx, connection_struct *conn,
 	return NULL;
 }
 
+/****************************************************************************
+ Open a directory handle by pathname, ensuring it's under the share path.
+****************************************************************************/
+
+static struct smb_Dir *open_dir_safely(TALLOC_CTX *ctx,
+					connection_struct *conn,
+					const struct smb_filename *smb_dname,
+					const char *wcard,
+					uint32_t attr)
+{
+	struct smb_Dir *dir_hnd = NULL;
+	struct smb_filename *smb_fname_cwd = NULL;
+	char *saved_dir = vfs_GetWd(ctx, conn);
+	NTSTATUS status;
+
+	if (saved_dir == NULL) {
+		return NULL;
+	}
+
+	if (vfs_ChDir(conn, smb_dname->base_name) == -1) {
+		goto out;
+	}
+
+	smb_fname_cwd = synthetic_smb_fname(talloc_tos(),
+					".",
+					NULL,
+					NULL,
+					smb_dname->flags);
+	if (smb_fname_cwd == NULL) {
+		goto out;
+	}
+
+	/*
+	 * Now the directory is pinned, use
+	 * REALPATH to ensure we can access it.
+	 */
+	status = check_name(conn, ".");
+	if (!NT_STATUS_IS_OK(status)) {
+		goto out;
+	}
+
+	dir_hnd = OpenDir_internal(ctx,
+				conn,
+				smb_fname_cwd,
+				wcard,
+				attr);
+
+	if (dir_hnd == NULL) {
+		goto out;
+	}
+
+	/*
+	 * OpenDir_internal only gets "." as the dir name.
+	 * Store the real dir name here.
+	 */
+
+	dir_hnd->dir_smb_fname = cp_smb_filename(dir_hnd, smb_dname);
+	if (!dir_hnd->dir_smb_fname) {
+		TALLOC_FREE(dir_hnd);
+		errno = ENOMEM;
+	}
+
+  out:
+
+	vfs_ChDir(conn, saved_dir);
+	TALLOC_FREE(saved_dir);
+	return dir_hnd;
+}
+
+struct smb_Dir *OpenDir(TALLOC_CTX *mem_ctx, connection_struct *conn,
+			const struct smb_filename *smb_dname,
+			const char *mask,
+			uint32_t attr)
+{
+	return open_dir_safely(mem_ctx,
+				conn,
+				smb_dname,
+				mask,
+				attr);
+}
+
 /*******************************************************************
  Open a directory from an fsp.
 ********************************************************************/
@@ -1685,7 +1761,17 @@ static struct smb_Dir *OpenDir_fsp(TALLOC_CTX *mem_ctx, connection_struct *conn,
 	struct smbd_server_connection *sconn = conn->sconn;
 
 	if (!dirp) {
-		return NULL;
+		goto fail;
+	}
+
+	if (!fsp->is_directory) {
+		errno = EBADF;
+		goto fail;
+	}
+
+	if (fsp->fh->fd == -1) {
+		errno = EBADF;
+		goto fail;
 	}
 
 	dirp->conn = conn;
@@ -1697,40 +1783,33 @@ static struct smb_Dir *OpenDir_fsp(TALLOC_CTX *mem_ctx, connection_struct *conn,
 		goto fail;
 	}
 
-	if (sconn && !sconn->using_smb2) {
-		sconn->searches.dirhandles_open++;
-	}
-	talloc_set_destructor(dirp, smb_Dir_destructor);
-
-	if (fsp->is_directory && fsp->fh->fd != -1) {
-		dirp->dir = SMB_VFS_FDOPENDIR(fsp, mask, attr);
-		if (dirp->dir != NULL) {
-			dirp->fsp = fsp;
-		} else {
-			DEBUG(10,("OpenDir_fsp: SMB_VFS_FDOPENDIR on %s returned "
-				"NULL (%s)\n",
-				dirp->dir_smb_fname->base_name,
-				strerror(errno)));
-			if (errno != ENOSYS) {
-				return NULL;
-			}
+	dirp->dir = SMB_VFS_FDOPENDIR(fsp, mask, attr);
+	if (dirp->dir != NULL) {
+		dirp->fsp = fsp;
+	} else {
+		DEBUG(10,("OpenDir_fsp: SMB_VFS_FDOPENDIR on %s returned "
+			"NULL (%s)\n",
+			dirp->dir_smb_fname->base_name,
+			strerror(errno)));
+		if (errno != ENOSYS) {
+			goto fail;
 		}
 	}
 
 	if (dirp->dir == NULL) {
-		/* FDOPENDIR didn't work. Use OPENDIR instead. */
-		dirp->dir = SMB_VFS_OPENDIR(conn,
-					dirp->dir_smb_fname,
+		/* FDOPENDIR is not supported. Use OPENDIR instead. */
+		TALLOC_FREE(dirp);
+		return open_dir_safely(mem_ctx,
+					conn,
+					fsp->fsp_name,
 					mask,
 					attr);
 	}
 
-	if (!dirp->dir) {
-		DEBUG(5,("OpenDir_fsp: Can't open %s. %s\n",
-			dirp->dir_smb_fname->base_name,
-			strerror(errno) ));
-		goto fail;
+	if (sconn && !sconn->using_smb2) {
+		sconn->searches.dirhandles_open++;
 	}
+	talloc_set_destructor(dirp, smb_Dir_destructor);
 
 	return dirp;
 
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index e0e4705..08d14cb 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -355,6 +355,269 @@ static NTSTATUS check_base_file_access(struct connection_struct *conn,
 }
 
 /****************************************************************************
+ Handle differing symlink errno's
+****************************************************************************/
+
+static int link_errno_convert(int err)
+{
+#if defined(ENOTSUP) && defined(OSF1)
+	/* handle special Tru64 errno */
+	if (err == ENOTSUP) {
+		err = ELOOP;
+	}
+#endif /* ENOTSUP */
+#ifdef EFTYPE
+	/* fix broken NetBSD errno */
+	if (err == EFTYPE) {
+		err = ELOOP;
+	}
+#endif /* EFTYPE */
+	/* fix broken FreeBSD errno */
+	if (err == EMLINK) {
+		err = ELOOP;
+	}
+	return err;
+}
+
+static int non_widelink_open(struct connection_struct *conn,
+			const char *conn_rootdir,
+			files_struct *fsp,
+			struct smb_filename *smb_fname,
+			int flags,
+			mode_t mode,
+			unsigned int link_depth);
+
+/****************************************************************************
+ Follow a symlink in userspace.
+****************************************************************************/
+
+static int process_symlink_open(struct connection_struct *conn,
+			const char *conn_rootdir,
+			files_struct *fsp,
+			struct smb_filename *smb_fname,
+			int flags,
+			mode_t mode,
+			unsigned int link_depth)
+{
+	int fd = -1;
+	char *link_target = NULL;
+	int link_len = -1;
+	char *oldwd = NULL;
+	size_t rootdir_len = 0;
+	char *resolved_name = NULL;
+	bool matched = false;
+	int saved_errno = 0;
+
+	/*
+	 * Ensure we don't get stuck in a symlink loop.
+	 */
+	link_depth++;
+	if (link_depth >= 20) {
+		errno = ELOOP;
+		goto out;
+	}
+
+	/* Allocate space for the link target. */
+	link_target = talloc_array(talloc_tos(), char, PATH_MAX);
+	if (link_target == NULL) {
+		errno = ENOMEM;
+		goto out;
+	}
+
+	/* Read the link target. */
+	link_len = SMB_VFS_READLINK(conn,
+				smb_fname->base_name,
+				link_target,
+				PATH_MAX - 1);
+	if (link_len == -1) {
+		goto out;
+	}
+
+	/* Ensure it's at least null terminated. */
+	link_target[link_len] = '\0';
+
+	/* Convert to an absolute path. */
+	resolved_name = SMB_VFS_REALPATH(conn, link_target);
+	if (resolved_name == NULL) {
+		goto out;
+	}
+
+	/*
+	 * We know conn_rootdir starts with '/' and
+	 * does not end in '/'. FIXME ! Should we
+	 * smb_assert this ?
+	 */
+	rootdir_len = strlen(conn_rootdir);
+
+	matched = (strncmp(conn_rootdir, resolved_name, rootdir_len) == 0);
+	if (!matched) {
+		errno = EACCES;
+		goto out;
+	}
+
+	/*
+	 * Turn into a path relative to the share root.
+	 */
+	if (resolved_name[rootdir_len] == '\0') {
+		/* Link to the root of the share. */
+		smb_fname->base_name = talloc_strdup(talloc_tos(), ".");
+		if (smb_fname->base_name == NULL) {
+			errno = ENOMEM;
+			goto out;
+		}
+	} else if (resolved_name[rootdir_len] == '/') {
+		smb_fname->base_name = &resolved_name[rootdir_len+1];
+	} else {
+		errno = EACCES;
+		goto out;
+	}
+
+	oldwd = vfs_GetWd(talloc_tos(), conn);
+	if (oldwd == NULL) {
+		goto out;
+	}
+
+	/* Ensure we operate from the root of the share. */
+	if (vfs_ChDir(conn, conn_rootdir) == -1) {
+		goto out;
+	}
+
+	/* And do it all again.. */
+	fd = non_widelink_open(conn,
+				conn_rootdir,
+				fsp,
+				smb_fname,
+				flags,
+				mode,
+				link_depth);
+	if (fd == -1) {
+		saved_errno = errno;
+	}
+
+  out:
+
+	SAFE_FREE(resolved_name);
+	TALLOC_FREE(link_target);
+	if (oldwd != NULL) {
+		int ret = vfs_ChDir(conn, oldwd);
+		if (ret == -1) {
+			smb_panic("unable to get back to old directory\n");
+		}
+		TALLOC_FREE(oldwd);
+	}
+	if (saved_errno != 0) {
+		errno = saved_errno;
+	}
+	return fd;
+}
+
+/****************************************************************************
+ Non-widelink open.
+****************************************************************************/
+
+static int non_widelink_open(struct connection_struct *conn,
+			const char *conn_rootdir,
+			files_struct *fsp,
+			struct smb_filename *smb_fname,
+			int flags,
+			mode_t mode,
+			unsigned int link_depth)
+{
+	NTSTATUS status;
+	int fd = -1;
+	struct smb_filename *smb_fname_rel = NULL;
+	int saved_errno = 0;
+	char *oldwd = NULL;
+	char *parent_dir = NULL;
+	const char *final_component = NULL;


-- 
Samba Shared Repository



More information about the samba-cvs mailing list