aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorOlaf Kirch <okir@suse.de>2006-05-15 12:43:57 -0400
committerLinus Torvalds <torvalds@g5.osdl.org>2006-05-15 14:20:55 -0400
commit3b7c8108273bed41a2fc04533cc9f2026ff38c8e (patch)
treed437254b0cd1b07ecc33631fea13ad79f925353b
parenta7b862f663d81858531dfccc0537bc9d8a2a4121 (diff)
[PATCH] smbfs chroot issue (CVE-2006-1864)
Mark Moseley reported that a chroot environment on a SMB share can be left via "cd ..\\". Similar to CVE-2006-1863 issue with cifs, this fix is for smbfs. Steven French <sfrench@us.ibm.com> wrote: Looks fine to me. This should catch the slash on lookup or equivalent, which will be all obvious paths of interest. Signed-off-by: Chris Wright <chrisw@sous-sol.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
-rw-r--r--fs/smbfs/dir.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/fs/smbfs/dir.c b/fs/smbfs/dir.c
index 34c7a11d91f0..70d9c5a37f5a 100644
--- a/fs/smbfs/dir.c
+++ b/fs/smbfs/dir.c
@@ -434,6 +434,11 @@ smb_lookup(struct inode *dir, struct dentry *dentry, struct nameidata *nd)
434 if (dentry->d_name.len > SMB_MAXNAMELEN) 434 if (dentry->d_name.len > SMB_MAXNAMELEN)
435 goto out; 435 goto out;
436 436
437 /* Do not allow lookup of names with backslashes in */
438 error = -EINVAL;
439 if (memchr(dentry->d_name.name, '\\', dentry->d_name.len))
440 goto out;
441
437 lock_kernel(); 442 lock_kernel();
438 error = smb_proc_getattr(dentry, &finfo); 443 error = smb_proc_getattr(dentry, &finfo);
439#ifdef SMBFS_PARANOIA 444#ifdef SMBFS_PARANOIA