From 84b5d3640f7103dcc8984df7be679967bc06fd44 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Tue, 25 Jul 2023 17:41:04 -0700
Subject: [PATCH 01/28] CVE-2023-3961:s3:smbd: Catch any incoming pipe path
that could exit socket_dir.
For now, SMB_ASSERT() to exit the server. We will remove
this once the test code is in place.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422
Signed-off-by: Jeremy Allison <jra@samba.org>
Conflict: NA
Reference: https://download.samba.org/pub/samba/patches/security/samba-4.18.8-security-2023-10-10.patch
[PATCH 01/28] CVE-2023-3961:s3:smbd: Catch any incoming pipe path
that could exit socket_dir.
---
source3/rpc_client/local_np.c | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
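diff --git a/source3/rpc_client/local_np.c b/source3/rpc_client/local_np.c
index 0b323404f06..95228d5d801 100644
--- a/source3/rpc_client/local_np.c
+++ b/source3/rpc_client/local_np.c
@@ -542,6 +542,24 @@ struct tevent_req *local_np_connect_send(
 return tevent_req_post(req, ev);
 }
 
+ /*
+ * Ensure we cannot process a path that exits
+ * the socket_dir.
+ */
+ if (ISDOTDOT(lower_case_pipename) ||
+ (strchr(lower_case_pipename, '/')!=NULL))
+ {
+ DBG_DEBUG("attempt to connect to invalid pipe pathname %s\n",
+ lower_case_pipename);
+ /*
+ * For now, panic the server until we have
+ * the test code in place.
+ */
+ SMB_ASSERT(false);
+ tevent_req_error(req, ENOENT);
+ return tevent_req_post(req, ev);
+ }
+
 state->socketpath = talloc_asprintf(
 state, "%s/np/%s", socket_dir, lower_case_pipename);
 if (tevent_req_nomem(state->socketpath, req)) {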
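Review bot: `SMB_ASSERT(false)` in the rejection branch means a pipe name that contains `/` or equals `..` panics the server instead of failing the request, and the `tevent_req_error(req, ENOENT)` and return after it are unreachable while the assert stays. The commit message calls this temporary and this is patch 01 of 28, so a later patch presumably removes it; anyone carrying this patch on its own should drop the assert so the request fails with ENOENT. The rejection is also logged with `DBG_DEBUG`, which will most likely not appear at normal log levels; `DBG_WARNING("attempt to connect to invalid pipe pathname %s\n", lower_case_pipename);` would make rejected names visible to operators. local_np_connect_send begins before this hunk and continues after it.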
--
2.34.1