diff options
| author | Olaf Kirch <okir@suse.de> | 2006-05-15 12:43:57 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@g5.osdl.org> | 2006-05-15 14:20:55 -0400 |
| commit | 3b7c8108273bed41a2fc04533cc9f2026ff38c8e (patch) | |
| tree | d437254b0cd1b07ecc33631fea13ad79f925353b /fs/smbfs | |
| parent | a7b862f663d81858531dfccc0537bc9d8a2a4121 (diff) | |
[PATCH] smbfs chroot issue (CVE-2006-1864)
Mark Moseley reported that a chroot environment on a SMB share can be left
via "cd ..\\". Similar to CVE-2006-1863 issue with cifs, this fix is for
smbfs.
Steven French <sfrench@us.ibm.com> wrote:
Looks fine to me. This should catch the slash on lookup or equivalent,
which will be all obvious paths of interest.
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Diffstat (limited to 'fs/smbfs')
| -rw-r--r-- | fs/smbfs/dir.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/fs/smbfs/dir.c b/fs/smbfs/dir.c index 34c7a11d91f0..70d9c5a37f5a 100644 --- a/fs/smbfs/dir.c +++ b/fs/smbfs/dir.c | |||
| @@ -434,6 +434,11 @@ smb_lookup(struct inode *dir, struct dentry *dentry, struct nameidata *nd) | |||
| 434 | if (dentry->d_name.len > SMB_MAXNAMELEN) | 434 | if (dentry->d_name.len > SMB_MAXNAMELEN) |
| 435 | goto out; | 435 | goto out; |
| 436 | 436 | ||
| 437 | /* Do not allow lookup of names with backslashes in */ | ||
| 438 | error = -EINVAL; | ||
| 439 | if (memchr(dentry->d_name.name, '\\', dentry->d_name.len)) | ||
| 440 | goto out; | ||
| 441 | |||
| 437 | lock_kernel(); | 442 | lock_kernel(); |
| 438 | error = smb_proc_getattr(dentry, &finfo); | 443 | error = smb_proc_getattr(dentry, &finfo); |
| 439 | #ifdef SMBFS_PARANOIA | 444 | #ifdef SMBFS_PARANOIA |