From: Olaf Kirch Date: Mon, 15 May 2006 16:43:57 +0000 (-0700) Subject: [PATCH] smbfs chroot issue (CVE-2006-1864) X-Git-Tag: Ubuntu-5.10.0-12.13~54508 X-Git-Url: https://git.proxmox.com/?a=commitdiff_plain;h=3b7c8108273bed41a2fc04533cc9f2026ff38c8e;p=mirror_ubuntu-hirsute-kernel.git [PATCH] smbfs chroot issue (CVE-2006-1864) Mark Moseley reported that a chroot environment on a SMB share can be left via "cd ..\\". Similar to CVE-2006-1863 issue with cifs, this fix is for smbfs. Steven French wrote: Looks fine to me. This should catch the slash on lookup or equivalent, which will be all obvious paths of interest. Signed-off-by: Chris Wright Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- diff --git a/fs/smbfs/dir.c b/fs/smbfs/dir.c index 34c7a11d91f0..70d9c5a37f5a 100644 --- a/fs/smbfs/dir.c +++ b/fs/smbfs/dir.c @@ -434,6 +434,11 @@ smb_lookup(struct inode *dir, struct dentry *dentry, struct nameidata *nd) if (dentry->d_name.len > SMB_MAXNAMELEN) goto out; + /* Do not allow lookup of names with backslashes in */ + error = -EINVAL; + if (memchr(dentry->d_name.name, '\\', dentry->d_name.len)) + goto out; + lock_kernel(); error = smb_proc_getattr(dentry, &finfo); #ifdef SMBFS_PARANOIA