CVE-2021-44141: s3: smbd: Inside check_reduced_name() ensure we retur…

…n the correct error codes when failing symlinks. NT_STATUS_OBJECT_PATH_NOT_FOUND for a path component failure. NT_STATUS_OBJECT_NAME_NOT_FOUND for a terminal component failure. Remove: samba3.blackbox.test_symlink_traversal.SMB1.posix samba3.blackbox.smbclient_s3.*.Ensure\ widelinks\ are\ restricted\(.*\) samba3.blackbox.smbclient_s3.*.follow\ symlinks\ \=\ no\(.*\) in knownfail.d/symlink_traversal as we now pass these. Only one more fix remaining to get rid of knownfail.d/symlink_traversal completely. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911 Signed-off-by: Jeremy Allison <jra@samba.org>
samba-team · Jan 31, 2022 · 43455ed · 43455ed
1 parent 458c755
commit 43455ed
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 5 deletions.
diff --git a/selftest/knownfail.d/symlink_traversal b/selftest/knownfail.d/symlink_traversal
@@ -1,5 +1,2 @@
 ^samba3.blackbox.test_symlink_traversal.SMB2.symlink_traversal_SMB2\(fileserver\)
 ^samba3.blackbox.test_symlink_traversal.SMB1.symlink_traversal_SMB1\(fileserver_smb1_done\)
-^samba3.blackbox.test_symlink_traversal.SMB1.posix.symlink_traversal_SMB1_posix\(fileserver_smb1_done\)
-^samba3.blackbox.smbclient_s3.*.Ensure\ widelinks\ are\ restricted\(.*\)
-^samba3.blackbox.smbclient_s3.*.follow\ symlinks\ \=\ no\(.*\)
diff --git a/source3/smbd/vfs.c b/source3/smbd/vfs.c
@@ -1146,6 +1146,7 @@ NTSTATUS check_reduced_name(connection_struct *conn,
 	bool allow_symlinks = true;
 	const char *conn_rootdir;
 	size_t rootdir_len;
+	bool parent_dir_checked = false;
 
 	DBG_DEBUG("check_reduced_name [%s] [%s]\n", fname, conn->connectpath);
 
@@ -1207,6 +1208,7 @@ NTSTATUS check_reduced_name(connection_struct *conn,
 		if (resolved_name == NULL) {
 			return NT_STATUS_NO_MEMORY;
 		}
+		parent_dir_checked = true;
 	} else {
 		resolved_name = resolved_fname->base_name;
 	}
@@ -1256,7 +1258,13 @@ NTSTATUS check_reduced_name(connection_struct *conn,
 				conn_rootdir,
 				resolved_name);
 			TALLOC_FREE(resolved_fname);
-			return NT_STATUS_ACCESS_DENIED;
+			if (parent_dir_checked) {
+				/* Part of a component path. */
+				return NT_STATUS_OBJECT_PATH_NOT_FOUND;
+			} else {
+				/* End of a path. */
+				return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+			}
 		}
 	}
 
@@ -1311,7 +1319,13 @@ NTSTATUS check_reduced_name(connection_struct *conn,
 				p);
 			TALLOC_FREE(resolved_fname);
 			TALLOC_FREE(new_fname);
-			return NT_STATUS_ACCESS_DENIED;
+			if (parent_dir_checked) {
+				/* Part of a component path. */
+				return NT_STATUS_OBJECT_PATH_NOT_FOUND;
+			} else {
+				/* End of a path. */
+				return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+			}
 		}
 	}