[SCM] Samba Shared Repository - branch v4-17-test updated

Jule Anger janger at samba.org
Mon Aug 14 09:28:01 UTC 2023


The branch, v4-17-test has been updated
       via  fec913830f5 s3: smbd: Sanitize any "server" and "share" components of SMB1 DFS paths to remove UNIX separators.
      from  3a0ae0c6f01 dcerpc.idl: fix definitions for DCERPC_PKT_CO_CANCEL and DCERPC_PKT_ORPHANED payload

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-17-test


- Log -----------------------------------------------------------------
commit fec913830f5e03c221ad08011f79a0ae8eb1eddf
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Jul 27 11:33:12 2023 -0700

    s3: smbd: Sanitize any "server" and "share" components of SMB1 DFS paths to remove UNIX separators.
    
    (Back-ported from commit 20df26b908182f0455f301a51aeb54b6044af580)
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15419
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    
    Autobuild-User(v4-17-test): Jule Anger <janger at samba.org>
    Autobuild-Date(v4-17-test): Mon Aug 14 09:27:37 UTC 2023 on sn-devel-184

-----------------------------------------------------------------------

Summary of changes:
 source3/smbd/smb2_reply.c | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)


Changeset truncated at 500 lines:

diff --git a/source3/smbd/smb2_reply.c b/source3/smbd/smb2_reply.c
index 0303db428f2..abd9b928b7e 100644
--- a/source3/smbd/smb2_reply.c
+++ b/source3/smbd/smb2_reply.c
@@ -335,6 +335,7 @@ static size_t srvstr_get_path_internal(TALLOC_CTX *ctx,
 		char *share = NULL;
 		char *remaining_path = NULL;
 		char path_sep = 0;
+		char *p = NULL;
 
 		if (posix_pathnames && (dst[0] == '/')) {
 			path_sep = dst[0];
@@ -385,6 +386,16 @@ static size_t srvstr_get_path_internal(TALLOC_CTX *ctx,
 		if (share == NULL) {
 			goto local_path;
 		}
+		/*
+		 * Ensure the server name does not contain
+		 * any possible path components by converting
+		 * them to _'s.
+		 */
+		for (p = server + 1; p < share; p++) {
+			if (*p == '/' || *p == '\\') {
+				*p = '_';
+			}
+		}
 		/*
 		 * It's a well formed DFS path with
 		 * at least server and share components.
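Review bot: The new comment above `for (p = server + 1; p < share; p++)` does not say why both '/' and '\\' are rewritten, while the commit subject only mentions UNIX separators; one sentence naming the concern would help. The comment could also state what `server + 1` and `share` point at, since the loop bounds depend on it. The summary of changes lists only source3/smbd/smb2_reply.c, so no regression test for bug 15419 accompanies this back-port; a test covering a server component that contains a separator would be worth adding.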
@@ -399,6 +410,16 @@ static size_t srvstr_get_path_internal(TALLOC_CTX *ctx,
 		 */
 		remaining_path = strchr(share+1, path_sep);
 		if (remaining_path == NULL) {
+			/*
+			 * Ensure the share name does not contain
+			 * any possible path components by converting
+			 * them to _'s.
+			 */
+			for (p = share + 1; *p; p++) {
+				if (*p == '/' || *p == '\\') {
+					*p = '_';
+				}
+			}
 			/*
 			 * If no remaining path this was
 			 * a bare /server/share path. Just return.
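Review bot: In the `remaining_path == NULL` branch, `for (p = share + 1; *p; p++)` runs to the terminating NUL, unlike the other two loops, which are bounded by a pointer; the comment should say that this is intentional because the share name is the last component here. Since `strchr(share+1, path_sep)` has just returned NULL, no `path_sep` character remains after `share + 1`, so this loop can only ever rewrite the other separator. Stating that in the comment would make the intent clear to the next reader.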
@@ -406,6 +427,16 @@ static size_t srvstr_get_path_internal(TALLOC_CTX *ctx,
 			*err = NT_STATUS_OK;
 			return ret;
 		}
+		/*
+		 * Ensure the share name does not contain
+		 * any possible path components by converting
+		 * them to _'s.
+		 */
+		for (p = share + 1; p < remaining_path; p++) {
+			if (*p == '/' || *p == '\\') {
+				*p = '_';
+			}
+		}
 		*remaining_path = '/';
 		dst = remaining_path + 1;
 		/* dst now points at any following components. */
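Review bot: The loop `for (p = share + 1; p < remaining_path; p++)` and its comment duplicate the share-name loop in the early-return branch just above, differing only in the end bound. Consider computing the end pointer once before the `if (remaining_path == NULL)` check (either `remaining_path` or the end of the string) and sanitizing in one place, or moving the replacement into a small static helper that takes start and end pointers and is shared with the server-name loop. That leaves a single definition of which characters are rewritten instead of three copies that can drift apart.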


-- 
Samba Shared Repository


