| /[pkg-src]/trunk/kernel26-magellan/patches-2.6.16-r10/0126-2.6.16.14-smbfs-chroot-issue-CVE-2006-1864.patch |
Contents of /trunk/kernel26-magellan/patches-2.6.16-r10/0126-2.6.16.14-smbfs-chroot-issue-CVE-2006-1864.patch
Parent Directory
| 
Revision Log
Revision 70 -
(show annotations)
(download)
Thu May 11 19:09:22 2006 UTC (18 years ago) by niro
File size: 1084 byte(s)
Thu May 11 19:09:22 2006 UTC (18 years ago) by niro
File size: 1084 byte(s)
import
| 1 | From: Olaf Kirch <okir@suse.de> |
| 2 | Date: Thu, 4 May 2006 04:30:11 +0000 (-0700) |
| 3 | Subject: [PATCH] smbfs chroot issue (CVE-2006-1864) |
| 4 | X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/stable/linux-2.6.16.y.git;a=commitdiff;h=4acbb3fbaccda1f1d38e7154228e052ce80a2dfa |
| 5 | |
| 6 | [PATCH] smbfs chroot issue (CVE-2006-1864) |
| 7 | |
| 8 | Mark Moseley reported that a chroot environment on a SMB share can be |
| 9 | left via "cd ..\\". Similar to CVE-2006-1863 issue with cifs, this fix |
| 10 | is for smbfs. |
| 11 | |
| 12 | Steven French <sfrench@us.ibm.com> wrote: |
| 13 | |
| 14 | Looks fine to me. This should catch the slash on lookup or equivalent, |
| 15 | which will be all obvious paths of interest. |
| 16 | |
| 17 | Signed-off-by: Chris Wright <chrisw@sous-sol.org> |
| 18 | --- |
| 19 | |
| 20 | --- a/fs/smbfs/dir.c |
| 21 | +++ b/fs/smbfs/dir.c |
| 22 | @@ -434,6 +434,11 @@ smb_lookup(struct inode *dir, struct den |
| 23 | if (dentry->d_name.len > SMB_MAXNAMELEN) |
| 24 | goto out; |
| 25 | |
| 26 | + /* Do not allow lookup of names with backslashes in */ |
| 27 | + error = -EINVAL; |
| 28 | + if (memchr(dentry->d_name.name, '\\', dentry->d_name.len)) |
| 29 | + goto out; |
| 30 | + |
| 31 | lock_kernel(); |
| 32 | error = smb_proc_getattr(dentry, &finfo); |
| 33 | #ifdef SMBFS_PARANOIA |