1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

CVE-2023-3961:s3:smbd: Catch any incoming pipe path that could exit socket_dir.

For now, SMB_ASSERT() to exit the server. We will remove
this once the test code is in place.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422

Signed-off-by: Jeremy Allison <jra@samba.org>
This commit is contained in:
Jeremy Allison 2023-07-25 17:41:04 -07:00 committed by Jule Anger
parent a6b66661c7
commit ae476e1c28

View File

@ -542,6 +542,24 @@ struct tevent_req *local_np_connect_send(
return tevent_req_post(req, ev); return tevent_req_post(req, ev);
} }
/*
* Ensure we cannot process a path that exits
* the socket_dir.
*/
if (ISDOTDOT(lower_case_pipename) ||
(strchr(lower_case_pipename, '/')!=NULL))
{
DBG_DEBUG("attempt to connect to invalid pipe pathname %s\n",
lower_case_pipename);
/*
* For now, panic the server until we have
* the test code in place.
*/
SMB_ASSERT(false);
tevent_req_error(req, ENOENT);
return tevent_req_post(req, ev);
}
state->socketpath = talloc_asprintf( state->socketpath = talloc_asprintf(
state, "%s/np/%s", socket_dir, lower_case_pipename); state, "%s/np/%s", socket_dir, lower_case_pipename);
if (tevent_req_nomem(state->socketpath, req)) { if (tevent_req_nomem(state->socketpath, req)) {