[PATCH] smbfs chroot issue (CVE-2006-1864)
authorOlaf Kirch <okir@suse.de>
Mon, 15 May 2006 16:43:57 +0000 (09:43 -0700)
committerLinus Torvalds <torvalds@g5.osdl.org>
Mon, 15 May 2006 18:20:55 +0000 (11:20 -0700)
Mark Moseley reported that a chroot environment on a SMB share can be left
via "cd ..\\".  Similar to CVE-2006-1863 issue with cifs, this fix is for
smbfs.

Steven French <sfrench@us.ibm.com> wrote:

Looks fine to me.  This should catch the slash on lookup or equivalent,
which will be all obvious paths of interest.

Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
fs/smbfs/dir.c

index 34c7a11d91f0ebbb29854a0116d8c558825fbbbc..70d9c5a37f5a3c6f7d5cad12e7bad8e1d2e21136 100644 (file)
@@ -434,6 +434,11 @@ smb_lookup(struct inode *dir, struct dentry *dentry, struct nameidata *nd)
        if (dentry->d_name.len > SMB_MAXNAMELEN)
                goto out;
 
+       /* Do not allow lookup of names with backslashes in */
+       error = -EINVAL;
+       if (memchr(dentry->d_name.name, '\\', dentry->d_name.len))
+               goto out;
+
        lock_kernel();
        error = smb_proc_getattr(dentry, &finfo);
 #ifdef SMBFS_PARANOIA