mirror of https://github.com/samba-team/samba.git synced 2025-03-20 22:50:26 +03:00

smbd: Fix Bug 15221

In 4.17 process_symlink_open() will replace smb_fname_rel->base_name with the
link target relative to the share root. So if the link target ends up in a
subdirectory of a share, we put a target including a slash into the memcache.

Later access will trust the stat cache, passing the target directly to
openat_pathref_fsp() which will panic if it gets a real dirfsp and a relname
with a slash.

Name mangling is not required: Accessing a symlink pointing at a subdirectory
at least 2 levels deep in the share with a wrong upper/lower case combination
reproduces it.

This patch is really a workaround. The "real" fix would be to backport the
patches removing process_symlink_open() from master, but this is a bigger
change.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15221
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(v4-17-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-17-test): Tue Nov  8 09:23:52 UTC 2022 on sn-devel-184
Volker Lendecke 2022-11-04 13:53:21 +01:00 committed by Jule Anger
parent b1cf93f7a4
commit 2803e76fba

@ -943,12 +943,16 @@ lookup:
}
if (NT_STATUS_IS_OK(status) && (cache_key.data != NULL)) {
DATA_BLOB value = {
.data = (uint8_t *)smb_fname_rel->base_name,
.length = strlen(smb_fname_rel->base_name) + 1,
};
const char *slash = strchr_m(smb_fname_rel->base_name, '/');
memcache_add(NULL, GETREALFILENAME_CACHE, cache_key, value);
if (slash == NULL) {
DATA_BLOB value = {
.data = (uint8_t *)smb_fname_rel->base_name,
.length = strlen(smb_fname_rel->base_name) + 1,
};
memcache_add(
NULL, GETREALFILENAME_CACHE, cache_key, value);
}
}
TALLOC_FREE(cache_key.data);
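
Review bot: the new `if (slash == NULL)` guard around memcache_add() has no comment, so the reason a base_name containing '/' is not cached lives only in the commit message. A short comment at the strchr_m() line naming bug 15221 and process_symlink_open() would stop the check from being dropped as dead logic and would mark it for removal once process_symlink_open() is gone from this branch. The guard also covers only the store side: per the commit message, later access trusts the cached value and passes it straight to openat_pathref_fsp(), so a matching slash check where GETREALFILENAME_CACHE is read, treating such an entry as a cache miss, would turn the panic into a fallback lookup if any other path ever stores a name with a slash.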