sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-03-20 22:50:26 +03:00
Code

CVE-2015-5299: s3-shadow-copy2: fix missing access check on snapdir

Browse Source 
Fix originally from <partha@exablox.com>

https://bugzilla.samba.org/show_bug.cgi?id=11529

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
This commit is contained in:
Jeremy Allison 2015-10-23 14:54:31 -07:00 committed by Karolin Seeger
parent 4278ef25f6
commit 675fd8d771
1 changed files with 45 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
source3/modules/vfs_shadow_copy2.c
View File

@ -30,6 +30,7 @@
*/
#include "includes.h"
#include "smbd/smbd.h"
#include "system/filesys.h"
#include "include/ntioctl.h"
#include "util_tdb.h"
@ -1180,6 +1181,42 @@ static char *have_snapdir(struct vfs_handle_struct *handle,
return NULL;
}
static bool check_access_snapdir(struct vfs_handle_struct *handle,
const char *path)
{
struct smb_filename smb_fname;
int ret;
NTSTATUS status;
ZERO_STRUCT(smb_fname);
smb_fname.base_name = talloc_asprintf(talloc_tos(),
"%s",
path);
if (smb_fname.base_name == NULL) {
return false;
}
ret = SMB_VFS_NEXT_STAT(handle, &smb_fname);
if (ret != 0 || !S_ISDIR(smb_fname.st.st_ex_mode)) {
TALLOC_FREE(smb_fname.base_name);
return false;
}
status = smbd_check_access_rights(handle->conn,
&smb_fname,
false,
SEC_DIR_LIST);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0,("user does not have list permission "
"on snapdir %s\n",
smb_fname.base_name));
TALLOC_FREE(smb_fname.base_name);
return false;
}
TALLOC_FREE(smb_fname.base_name);
return true;
}
/**
* Find the snapshot directory (if any) for the given
* filename (which is relative to the share).
@ -1329,6 +1366,7 @@ static int shadow_copy2_get_shadow_copy_data(
const char *snapdir;
struct dirent *d;
TALLOC_CTX *tmp_ctx = talloc_stackframe();
bool ret;
snapdir = shadow_copy2_find_snapdir(tmp_ctx, handle, fsp->fsp_name);
if (snapdir == NULL) {
@ -1338,6 +1376,13 @@ static int shadow_copy2_get_shadow_copy_data(
talloc_free(tmp_ctx);
return -1;
}
ret = check_access_snapdir(handle, snapdir);
if (!ret) {
DEBUG(0,("access denied on listing snapdir %s\n", snapdir));
errno = EACCES;
talloc_free(tmp_ctx);
return -1;
}
p = SMB_VFS_NEXT_OPENDIR(handle, snapdir, NULL, 0);