sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-02-26 21:57:41 +03:00
Code

s3: smbd: Use separate flag to track become_root()/unbecome_root() state.

Browse Source 
Early function exit can mean backup_priv is set but we haven't called
become_root(). *Lots* of work by the reviewers went in to checking this
isn't a security issue.

Found by Codenomicon at the Redmond plugfest.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11339

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jun 25 22:14:58 CEST 2015 on sn-devel-104
This commit is contained in:
Jeremy Allison 2015-06-17 10:23:30 -07:00
parent c0364fa075
commit e2c4b8967d
1 changed files with 6 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
source3/smbd/trans2.c
View File

@ -2474,6 +2474,7 @@ static void call_trans2findfirst(connection_struct *conn,
struct smbd_server_connection *sconn = req->sconn;
uint32_t ucf_flags = (UCF_SAVE_LCOMP | UCF_ALWAYS_ALLOW_WCARD_LCOMP);
bool backup_priv = false;
bool as_root = false;
if (total_params < 13) {
reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
@ -2539,6 +2540,7 @@ close_if_end = %d requires_resume_key = %d backup_priv = %d level = 0x%x, max_da
if (backup_priv) {
become_root();
as_root = true;
ntstatus = filename_convert_with_privilege(ctx,
conn,
req,
@ -2809,7 +2811,7 @@ total_data=%u (should be %u)\n", (unsigned int)total_data, (unsigned int)IVAL(pd
}
out:
if (backup_priv) {
if (as_root) {
unbecome_root();
}
@ -2863,6 +2865,7 @@ static void call_trans2findnext(connection_struct *conn,
struct dptr_struct *dirptr;
struct smbd_server_connection *sconn = req->sconn;
bool backup_priv = false;
bool as_root = false;
if (total_params < 13) {
reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
@ -3036,6 +3039,7 @@ total_data=%u (should be %u)\n", (unsigned int)total_data, (unsigned int)IVAL(pd
if (backup_priv) {
become_root();
as_root = true;
}
/*
@ -3137,7 +3141,7 @@ total_data=%u (should be %u)\n", (unsigned int)total_data, (unsigned int)IVAL(pd
dptr_close(sconn, &dptr_num); /* This frees up the saved mask */
}
if (backup_priv) {
if (as_root) {
unbecome_root();
}