mirror of
https://github.com/samba-team/samba.git
synced 2025-01-08 21:18:16 +03:00
CVE-2023-4091: smbd: use open_access_mask for access check in open_file()
If the client requested FILE_OVERWRITE[_IF], we're implicitly adding FILE_WRITE_DATA to the open_access_mask in open_file_ntcreate(), but for the access check we're using access_mask which doesn't contain the additional right, which means we can end up truncating a file for which the user has only read-only access via an SD. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439 Signed-off-by: Ralph Boehme <slow@samba.org>
This commit is contained in:
Ralph Boehme
Jule Anger
parent
b1fd656941
commit
b70f4f8681
@ -1 +0,0 @@
|
||||
^samba3.smb2.acls.OVERWRITE_READ_ONLY_FILE
|
||||
@ -1440,7 +1440,7 @@ static NTSTATUS open_file(
|
||||
dirfsp,
|
||||
fsp,
|
||||
false,
|
||||
access_mask);
|
||||
open_access_mask);
|
||||
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
DBG_DEBUG("smbd_check_access_rights_fsp"
|
||||
@ -1634,7 +1634,7 @@ static NTSTATUS open_file(
|
||||
status = smbd_check_access_rights_fsp(dirfsp,
|
||||
fsp,
|
||||
false,
|
||||
access_mask);
|
||||
open_access_mask);
|
||||
|
||||
if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND) &&
|
||||
posix_open &&
|
||||
|
||||
Loading…
Reference in New Issue
Block a user