[SCM] Samba Shared Repository - branch master updated
Ralph Böhme
slow at samba.org
Wed Jul 28 15:08:01 UTC 2021
The branch, master has been updated
via 2acad276860 s3: smbd: Don't leak meta-data about the containing directory of the share root.
via b004ebb1c62 s3: smbd: Allow async dosmode to cope with ".." pathnames where we close smb_fname->fsp to prevent meta-data leakage.
from 696972c832c selftest: Remove fips env variables from client env
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 2acad27686074029ac83c66b42bb37eea380f449
Author: Jeremy Allison <jra at samba.org>
Date: Wed Jul 14 19:11:05 2021 -0700
s3: smbd: Don't leak meta-data about the containing directory of the share root.
This is a subtle one. In smbd_dirptr_get_entry() we now
open a pathref fsp on all entries - including "..".
If we're at the root of the share we don't want
a handle to the directory above it, so silently
close the smb_fname->fsp for ".." names to prevent
it from being used to return meta-data to the client
(more than we already have done historically by
calling pathname functions on "..").
The marshalling returned entries and async DOS
code copes with smb_fname->fsp == NULL perfectly
well.
Only in master, but will need fixing for 4.15.rc1
or 2.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14759
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Wed Jul 28 15:07:54 UTC 2021 on sn-devel-184
commit b004ebb1c62742346b84ecb9d52c783173528fac
Author: Jeremy Allison <jra at samba.org>
Date: Wed Jul 14 21:30:09 2021 -0700
s3: smbd: Allow async dosmode to cope with ".." pathnames where we close smb_fname->fsp to prevent meta-data leakage.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14759
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
-----------------------------------------------------------------------
Summary of changes:
source3/smbd/dir.c | 25 +++++++++++++++++++++++++
source3/smbd/dosmode.c | 23 ++++++++++++++---------
2 files changed, 39 insertions(+), 9 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c
index 127e4b0d08d..4c807c3f85c 100644
--- a/source3/smbd/dir.c
+++ b/source3/smbd/dir.c
@@ -946,6 +946,31 @@ bool smbd_dirptr_get_entry(TALLOC_CTX *ctx,
continue;
}
+ /*
+ * Don't leak metadata about the containing
+ * directory of the share.
+ */
+ if (dirptr_path_is_dot && ISDOTDOT(dname)) {
+ /*
+ * Making a copy here, then freeing
+ * the original will close the smb_fname->fsp.
+ */
+ struct smb_filename *tmp_smb_fname =
+ cp_smb_filename(ctx, smb_fname);
+
+ if (tmp_smb_fname == NULL) {
+ TALLOC_FREE(atname);
+ TALLOC_FREE(smb_fname);
+ TALLOC_FREE(dname);
+ TALLOC_FREE(fname);
+ return false;
+ }
+ TALLOC_FREE(smb_fname);
+ smb_fname = tmp_smb_fname;
+ mode = FILE_ATTRIBUTE_DIRECTORY;
+ get_dosmode = false;
+ }
+
ok = mode_fn(ctx,
private_data,
dirptr->dir_hnd->fsp,
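Review bot: In the new `dirptr_path_is_dot && ISDOTDOT(dname)` block, the handle is closed only as a side effect of `cp_smb_filename()` followed by `TALLOC_FREE(smb_fname)`, so the fix depends on the copy never carrying an fsp. Consider making that explicit right after `smb_fname = tmp_smb_fname;`, for example with `SMB_ASSERT(smb_fname->fsp == NULL);`, so a later change to the copy helper cannot silently bring the leak back. The two assignments `mode = FILE_ATTRIBUTE_DIRECTORY;` and `get_dosmode = false;` also deserve a one-line comment saying they exist so that no attribute lookup is attempted on ".." at the share root. Finally, the comment says "containing directory of the share" while the condition is named `dirptr_path_is_dot`; a few words tying the flag to "we are listing the share root" would help the next reader.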
diff --git a/source3/smbd/dosmode.c b/source3/smbd/dosmode.c
index 43c46867122..99cb8607944 100644
--- a/source3/smbd/dosmode.c
+++ b/source3/smbd/dosmode.c
@@ -814,15 +814,20 @@ struct tevent_req *dos_mode_at_send(TALLOC_CTX *mem_ctx,
}
if (smb_fname->fsp == NULL) {
- /*
- * The pathological case where a caller does
- * dos_mode_at_send() and smb_fname points at a
- * symlink in POSIX context. smb_fname->fsp is NULL.
- *
- * FIXME ? Should we move to returning
- * FILE_ATTRIBUTE_REPARSE_POINT here ?
- */
- state->dosmode = FILE_ATTRIBUTE_NORMAL;
+ if (ISDOTDOT(smb_fname->base_name)) {
+ /*
+ * smb_fname->fsp is explicitly closed
+ * for ".." to prevent meta-data leakage.
+ */
+ state->dosmode = FILE_ATTRIBUTE_DIRECTORY;
+ } else {
+ /*
+ * This is a symlink in POSIX context.
+ * FIXME ? Should we move to returning
+ * FILE_ATTRIBUTE_REPARSE_POINT here ?
+ */
+ state->dosmode = FILE_ATTRIBUTE_NORMAL;
+ }
tevent_req_done(req);
return tevent_req_post(req, ev);
}
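Review bot: In the rewritten `smb_fname->fsp == NULL` branch, the `else` comment now states "This is a symlink in POSIX context" as a fact, but nothing in the branch checks it; every NULL-fsp caller other than ".." falls through here and gets `FILE_ATTRIBUTE_NORMAL`. Keeping the old wording about this being the case a caller is expected to hit, or adding a debug message on this path, would make an unexpected NULL fsp easier to spot. Also note that the ".." test here is `ISDOTDOT(smb_fname->base_name)` while dir.c tests `ISDOTDOT(dname)`; a short comment that `base_name` is exactly ".." when this is reached from the directory listing code would document why the two checks agree, and that `FILE_ATTRIBUTE_DIRECTORY` here must stay in sync with the value set in dir.c.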
--
Samba Shared Repository