[PATCH] smbfs chroot issue (CVE-2006-1864)

Mark Moseley reported that a chroot environment on a SMB share can be
left via "cd ..\\".  Similar to CVE-2006-1863 issue with cifs, this fix
is for smbfs.

Steven French <sfrench@us.ibm.com> wrote:

Looks fine to me.  This should catch the slash on lookup or equivalent,
which will be all obvious paths of interest.

Back-ported to 2.4 by Willy Tarreau.
Signed-off-by: Willy Tarreau <willy@w.ods.org>

diff --git a/fs/smbfs/dir.c b/fs/smbfs/dir.c
index 7c0a0de..9ace0a4 100644 (file)
--- a/fs/smbfs/dir.c
+++ b/fs/smbfs/dir.c
@@ -416,6 +416,11 @@ smb_lookup(struct inode *dir, struct dentry *dentry)
        if (dentry->d_name.len > SMB_MAXNAMELEN)
                goto out;
 
+       /* Do not allow lookup of names with backslashes in */
+       error = -EINVAL;
+       if (memchr(dentry->d_name.name, '\\', dentry->d_name.len))
+               goto out;
+
        error = smb_proc_getattr(dentry, &finfo);
 #ifdef SMBFS_PARANOIA
        if (error && error != -ENOENT)