CVE-2023-4091: smbd: use open_access_mask for access check in open_fi…

…le() If the client requested FILE_OVERWRITE[_IF], we're implicitly adding FILE_WRITE_DATA to the open_access_mask in open_file_ntcreate(), but for the access check we're using access_mask which doesn't contain the additional right, which means we can end up truncating a file for which the user has only read-only access via an SD. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439 Signed-off-by: Ralph Boehme <slow@samba.org>
samba-team · Oct 9, 2023 · 3c432b1 · 3c432b1
1 parent bfe8e10
commit 3c432b1
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 3 deletions.
diff --git a/selftest/knownfail.d/samba3.smb2.acls b/selftest/knownfail.d/samba3.smb2.acls
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
@@ -1442,7 +1442,7 @@ static NTSTATUS open_file(struct smb_request *req,
 						dirfsp,
 						fsp,
 						false,
-						access_mask);
+						open_access_mask);
 
 				if (!NT_STATUS_IS_OK(status)) {
 					DBG_DEBUG("smbd_check_access_rights_fsp"
@@ -1633,7 +1633,7 @@ static NTSTATUS open_file(struct smb_request *req,
 			status = smbd_check_access_rights_fsp(dirfsp,
 							      fsp,
 							      false,
-							      access_mask);
+							      open_access_mask);
 
 			if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND) &&
 			    posix_open &&