mirror of
https://github.com/samba-team/samba.git
synced 2025-01-24 02:04:21 +03:00
CVE-2023-3961:s3:smbd: Catch any incoming pipe path that could exit socket_dir.
For now, SMB_ASSERT() to exit the server. We will remove this once the test code is in place. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422 Signed-off-by: Jeremy Allison <jra@samba.org>
This commit is contained in:
parent
2576c0275d
commit
84b5d3640f
@ -542,6 +542,24 @@ struct tevent_req *local_np_connect_send(
|
||||
return tevent_req_post(req, ev);
|
||||
}
|
||||
|
||||
/*
|
||||
* Ensure we cannot process a path that exits
|
||||
* the socket_dir.
|
||||
*/
|
||||
if (ISDOTDOT(lower_case_pipename) ||
|
||||
(strchr(lower_case_pipename, '/')!=NULL))
|
||||
{
|
||||
DBG_DEBUG("attempt to connect to invalid pipe pathname %s\n",
|
||||
lower_case_pipename);
|
||||
/*
|
||||
* For now, panic the server until we have
|
||||
* the test code in place.
|
||||
*/
|
||||
SMB_ASSERT(false);
|
||||
tevent_req_error(req, ENOENT);
|
||||
return tevent_req_post(req, ev);
|
||||
}
|
||||
|
||||
state->socketpath = talloc_asprintf(
|
||||
state, "%s/np/%s", socket_dir, lower_case_pipename);
|
||||
if (tevent_req_nomem(state->socketpath, req)) {
|
||||
|
Loading…
x
Reference in New Issue
Block a user