2025-03-20 22:50:26 +03:00 · 2023-07-27 11:33:12 -07:00 · 2023-07-27 11:33:12 -07:00 · fec913830f
commit fec913830f
parent 3a0ae0c6f0
1 changed files with 31 additions and 0 deletions
--- a/source3/smbd/smb2_reply.c
+++ b/source3/smbd/smb2_reply.c
@ -335,6 +335,7 @@ static size_t srvstr_get_path_internal(TALLOC_CTX *ctx,
 		char *share = NULL;
 		char *remaining_path = NULL;
 		char path_sep = 0;
+		char *p = NULL;

 		if (posix_pathnames && (dst[0] == '/')) {
 			path_sep = dst[0];
@ -385,6 +386,16 @@ static size_t srvstr_get_path_internal(TALLOC_CTX *ctx,
 		if (share == NULL) {
 			goto local_path;
 		}
+		/*
+		 * Ensure the server name does not contain
+		 * any possible path components by converting
+		 * them to _'s.
+		 */
+		for (p = server + 1; p < share; p++) {
+			if (*p == '/' || *p == '\\') {
+				*p = '_';
+			}
+		}
 		/*
 		 * It's a well formed DFS path with
 		 * at least server and share components.
@ -399,6 +410,16 @@ static size_t srvstr_get_path_internal(TALLOC_CTX *ctx,
 		 */
 		remaining_path = strchr(share+1, path_sep);
 		if (remaining_path == NULL) {
+			/*
+			 * Ensure the share name does not contain
+			 * any possible path components by converting
+			 * them to _'s.
+			 */
+			for (p = share + 1; *p; p++) {
+				if (*p == '/' || *p == '\\') {
+					*p = '_';
+				}
+			}
 			/*
 			 * If no remaining path this was
 			 * a bare /server/share path. Just return.
@ -406,6 +427,16 @@ static size_t srvstr_get_path_internal(TALLOC_CTX *ctx,
 			*err = NT_STATUS_OK;
 			return ret;
 		}
+		/*
+		 * Ensure the share name does not contain
+		 * any possible path components by converting
+		 * them to _'s.
+		 */
+		for (p = share + 1; p < remaining_path; p++) {
+			if (*p == '/' || *p == '\\') {
+				*p = '_';
+			}
+		}
 		*remaining_path = '/';
 		dst = remaining_path + 1;
 		/* dst now points at any following components. */