diff options
author | Olaf Kirch <okir@suse.de> | 2006-05-03 21:30:11 -0700 |
---|---|---|
committer | Chris Wright <chrisw@sous-sol.org> | 2006-05-04 17:03:36 -0700 |
commit | 4acbb3fbaccda1f1d38e7154228e052ce80a2dfa (patch) | |
tree | b8e5a0b20930b7812c62de13a711babeb88c12db /fs | |
parent | a120571fbdfc8f543eea64248abe3c4d7f210450 (diff) | |
download | lwn-4acbb3fbaccda1f1d38e7154228e052ce80a2dfa.tar.gz lwn-4acbb3fbaccda1f1d38e7154228e052ce80a2dfa.zip |
[PATCH] smbfs chroot issue (CVE-2006-1864)
Mark Moseley reported that a chroot environment on a SMB share can be
left via "cd ..\\". Similar to CVE-2006-1863 issue with cifs, this fix
is for smbfs.
Steven French <sfrench@us.ibm.com> wrote:
Looks fine to me. This should catch the slash on lookup or equivalent,
which will be all obvious paths of interest.
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Diffstat (limited to 'fs')
-rw-r--r-- | fs/smbfs/dir.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/fs/smbfs/dir.c b/fs/smbfs/dir.c index 0424d06b147e..45862eca8456 100644 --- a/fs/smbfs/dir.c +++ b/fs/smbfs/dir.c @@ -434,6 +434,11 @@ smb_lookup(struct inode *dir, struct dentry *dentry, struct nameidata *nd) if (dentry->d_name.len > SMB_MAXNAMELEN) goto out; + /* Do not allow lookup of names with backslashes in */ + error = -EINVAL; + if (memchr(dentry->d_name.name, '\\', dentry->d_name.len)) + goto out; + lock_kernel(); error = smb_proc_getattr(dentry, &finfo); #ifdef SMBFS_PARANOIA |