Re: [PATCH] smbfs chroot issue (CVE-2006-1864)
From: Willy Tarreau
Date: Fri May 05 2006 - 01:37:17 EST
Marcelo,
This patch also applies to 2.4, did you receive it on your side or do you
want me to queue it in -upstream ?
Regards,
Willy
On Thu, May 04, 2006 at 06:40:41PM -0700, Chris Wright wrote:
> From: Olaf Kirch <okir@xxxxxxx>
>
> Mark Moseley reported that a chroot environment on a SMB share can be
> left via "cd ..\\". Similar to CVE-2006-1863 issue with cifs, this fix
> is for smbfs.
>
> Steven French <sfrench@xxxxxxxxxx> wrote:
>
> Looks fine to me. This should catch the slash on lookup or equivalent,
> which will be all obvious paths of interest.
>
> Signed-off-by: Chris Wright <chrisw@xxxxxxxxxxxx>
> ---
> This fix is in -stable, but doesn't appear to be in your tree yet.
>
> fs/smbfs/dir.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> --- linus-2.6.orig/fs/smbfs/dir.c
> +++ linus-2.6/fs/smbfs/dir.c
> @@ -434,6 +434,11 @@ smb_lookup(struct inode *dir, struct den
> if (dentry->d_name.len > SMB_MAXNAMELEN)
> goto out;
>
> + /* Do not allow lookup of names with backslashes in */
> + error = -EINVAL;
> + if (memchr(dentry->d_name.name, '\\', dentry->d_name.len))
> + goto out;
> +
> lock_kernel();
> error = smb_proc_getattr(dentry, &finfo);
> #ifdef SMBFS_PARANOIA
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/