Annotation of /trunk/kernel26-magellan/patches-2.6.16-r12/0126-2.6.16.14-smbfs-chroot-issue-CVE-2006-1864.patch
Revision 72
Mon Jun 5 09:25:38 2006 UTC (18 years, 3 months ago) by niro
File size: 1084 byte(s)
ver bump to 2.6.16-r12: - updated to linux-2.6.16.19 - updated to ck11
1 | niro | 72 | From: Olaf Kirch <okir@suse.de> |
2 | Date: Thu, 4 May 2006 04:30:11 +0000 (-0700) | ||
3 | Subject: [PATCH] smbfs chroot issue (CVE-2006-1864) | ||
4 | X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/stable/linux-2.6.16.y.git;a=commitdiff;h=4acbb3fbaccda1f1d38e7154228e052ce80a2dfa | ||
5 | |||
6 | [PATCH] smbfs chroot issue (CVE-2006-1864) | ||
7 | |||
8 | Mark Moseley reported that a chroot environment on a SMB share can be | ||
9 | left via "cd ..\\". Similar to CVE-2006-1863 issue with cifs, this fix | ||
10 | is for smbfs. | ||
11 | |||
12 | Steven French <sfrench@us.ibm.com> wrote: | ||
13 | |||
14 | Looks fine to me. This should catch the slash on lookup or equivalent, | ||
15 | which will be all obvious paths of interest. | ||
16 | |||
17 | Signed-off-by: Chris Wright <chrisw@sous-sol.org> | ||
18 | --- | ||
19 | |||
20 | --- a/fs/smbfs/dir.c | ||
21 | +++ b/fs/smbfs/dir.c | ||
22 | @@ -434,6 +434,11 @@ smb_lookup(struct inode *dir, struct den | ||
23 | if (dentry->d_name.len > SMB_MAXNAMELEN) | ||
24 | goto out; | ||
25 | |||
26 | + /* Do not allow lookup of names with backslashes in */ | ||
27 | + error = -EINVAL; | ||
28 | + if (memchr(dentry->d_name.name, '\\', dentry->d_name.len)) | ||
29 | + goto out; | ||
30 | + | ||
31 | lock_kernel(); | ||
32 | error = smb_proc_getattr(dentry, &finfo); | ||
33 | #ifdef SMBFS_PARANOIA |
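Review bot: The new comment above the memchr() check in smb_lookup() says what is rejected but not why. Please expand it to state that the backslash is the path separator on the SMB side, so a single dentry name containing one (the "..\\" case from the report) would be read remotely as more than one path component, and reference CVE-2006-1864 so the check is not later removed as redundant. A second point on the same lines: this hunk only guards smb_lookup(). The changelog relies on every path of interest going through lookup, so it would help to name in the commit message the other operations in fs/smbfs/dir.c that take a dentry name and confirm that each one is reached only after a lookup that runs this check. The placement before lock_kernel() and the choice of -EINVAL both look fine, since error is reassigned by smb_proc_getattr() on the normal path.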