Commit 3b7c8108273bed41a2fc04533cc9f2026ff38c8e

Authored by Olaf Kirch
Committed by Linus Torvalds
1 parent a7b862f663

[PATCH] smbfs chroot issue (CVE-2006-1864)

Mark Moseley reported that a chroot environment on a SMB share can be left
via "cd ..\\".  Similar to CVE-2006-1863 issue with cifs, this fix is for
smbfs.

Steven French <sfrench@us.ibm.com> wrote:

Looks fine to me.  This should catch the slash on lookup or equivalent,
which will be all obvious paths of interest.

Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

Showing 1 changed file with 5 additions and 0 deletions

... ... @@ -434,6 +434,11 @@
434 434 if (dentry->d_name.len > SMB_MAXNAMELEN)
435 435 goto out;
436 436  
  437 + /* Do not allow lookup of names with backslashes in */
  438 + error = -EINVAL;
  439 + if (memchr(dentry->d_name.name, '\\', dentry->d_name.len))
  440 + goto out;
  441 +
437 442 lock_kernel();
438 443 error = smb_proc_getattr(dentry, &finfo);
439 444 #ifdef SMBFS_PARANOIA
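
Review bot: The comment above the new memchr() check (new line 437) says what is rejected but not why, and the reason is what keeps the check from being relaxed later as an over-strict name filter. Suggest expanding it to say that the server treats a backslash as a path separator, so a single dentry name such as "..\\" is a traversal on the server side even though the VFS sees it as one component, and to reference CVE-2006-1864. A second point: the check covers only this lookup path. The quoted review says this catches "lookup or equivalent", but the hunk does not show whether other name-carrying operations always reach the server through this function first, so it would help to state that in the commit message or the comment. Finally, a short note on why -EINVAL was chosen rather than treating the name as nonexistent would help callers that look at the error code.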