225 lines
6.3 KiB
Diff
225 lines
6.3 KiB
Diff
From 091b0265fe42878d676def5d4f5b4f8f3977b0e2 Mon Sep 17 00:00:00 2001
|
|
From: Ralph Boehme <slow@samba.org>
|
|
Date: Mon, 5 Jun 2023 18:02:20 +0200
|
|
Subject: [PATCH 17/28] CVE-2023-34968: mdssvc: return a fake share path
|
|
|
|
Instead of returning the real server-side absolute path of shares and search
|
|
results, return a fake absolute path replacing the path of the share with the
|
|
share name, iow for a share "test" with a server-side path of "/foo/bar", we
|
|
previously returned
|
|
|
|
/foo/bar and
|
|
/foo/bar/search/result
|
|
|
|
and now return
|
|
|
|
/test and
|
|
/test/search/result
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
|
|
|
|
Signed-off-by: Ralph Boehme <slow@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
|
|
Conflict: NA
|
|
Reference: https://download.samba.org/pub/samba/patches/security/samba-4.17.10-security-2023-07-19.patch
|
|
---
|
|
source3/rpc_server/mdssvc/mdssvc.c | 61 +++++++++++++++++++++--
|
|
source3/rpc_server/mdssvc/mdssvc.h | 1 +
|
|
source3/rpc_server/mdssvc/srv_mdssvc_nt.c | 18 +++++--
|
|
3 files changed, 73 insertions(+), 7 deletions(-)
|
|
|
|
diff --git a/source3/rpc_server/mdssvc/mdssvc.c b/source3/rpc_server/mdssvc/mdssvc.c
|
|
index 9b814f51fc3..22cc7abd153 100644
|
|
--- a/source3/rpc_server/mdssvc/mdssvc.c
|
|
+++ b/source3/rpc_server/mdssvc/mdssvc.c
|
|
@@ -520,10 +520,13 @@ static bool inode_map_add(struct sl_query *slq,
|
|
bool mds_add_result(struct sl_query *slq, const char *path)
|
|
{
|
|
struct smb_filename *smb_fname = NULL;
|
|
+ const char *relative = NULL;
|
|
+ char *fake_path = NULL;
|
|
struct stat_ex sb;
|
|
uint64_t ino64;
|
|
int result;
|
|
NTSTATUS status;
|
|
+ bool sub;
|
|
bool ok;
|
|
|
|
/*
|
|
@@ -598,6 +601,17 @@ bool mds_add_result(struct sl_query *slq, const char *path)
|
|
}
|
|
}
|
|
|
|
+ sub = subdir_of(slq->mds_ctx->spath,
|
|
+ slq->mds_ctx->spath_len,
|
|
+ path,
|
|
+ &relative);
|
|
+ if (!sub) {
|
|
+ DBG_ERR("[%s] is not inside [%s]\n",
|
|
+ path, slq->mds_ctx->spath);
|
|
+ slq->state = SLQ_STATE_ERROR;
|
|
+ return false;
|
|
+ }
|
|
+
|
|
/*
|
|
* Add inode number and filemeta to result set, this is what
|
|
* we return as part of the result set of a query
|
|
@@ -610,18 +624,30 @@ bool mds_add_result(struct sl_query *slq, const char *path)
|
|
slq->state = SLQ_STATE_ERROR;
|
|
return false;
|
|
}
|
|
+
|
|
+ fake_path = talloc_asprintf(slq,
|
|
+ "/%s/%s",
|
|
+ slq->mds_ctx->sharename,
|
|
+ relative);
|
|
+ if (fake_path == NULL) {
|
|
+ slq->state = SLQ_STATE_ERROR;
|
|
+ return false;
|
|
+ }
|
|
+
|
|
ok = add_filemeta(slq->mds_ctx,
|
|
slq->reqinfo,
|
|
slq->query_results->fm_array,
|
|
- path,
|
|
+ fake_path,
|
|
&sb);
|
|
if (!ok) {
|
|
DBG_ERR("add_filemeta error\n");
|
|
+ TALLOC_FREE(fake_path);
|
|
slq->state = SLQ_STATE_ERROR;
|
|
return false;
|
|
}
|
|
|
|
- ok = inode_map_add(slq, ino64, path, &sb);
|
|
+ ok = inode_map_add(slq, ino64, fake_path, &sb);
|
|
+ TALLOC_FREE(fake_path);
|
|
if (!ok) {
|
|
DEBUG(1, ("inode_map_add error\n"));
|
|
slq->state = SLQ_STATE_ERROR;
|
|
@@ -828,6 +854,32 @@ static void slq_close_timer(struct tevent_context *ev,
|
|
}
|
|
}
|
|
|
|
+/**
|
|
+ * Translate a fake scope from the client like /sharename/dir
|
|
+ * to the real server-side path, replacing the "/sharename" part
|
|
+ * with the absolute server-side path of the share.
|
|
+ **/
|
|
+static bool mdssvc_real_scope(struct sl_query *slq, const char *fake_scope)
|
|
+{
|
|
+ size_t sname_len = strlen(slq->mds_ctx->sharename);
|
|
+ size_t fake_scope_len = strlen(fake_scope);
|
|
+
|
|
+ if (fake_scope_len < sname_len + 1) {
|
|
+ DBG_ERR("Short scope [%s] for share [%s]\n",
|
|
+ fake_scope, slq->mds_ctx->sharename);
|
|
+ return false;
|
|
+ }
|
|
+
|
|
+ slq->path_scope = talloc_asprintf(slq,
|
|
+ "%s%s",
|
|
+ slq->mds_ctx->spath,
|
|
+ fake_scope + sname_len + 1);
|
|
+ if (slq->path_scope == NULL) {
|
|
+ return false;
|
|
+ }
|
|
+ return true;
|
|
+}
|
|
+
|
|
/**
|
|
* Begin a search query
|
|
**/
|
|
@@ -940,8 +992,8 @@ static bool slrpc_open_query(struct mds_ctx *mds_ctx,
|
|
goto error;
|
|
}
|
|
|
|
- slq->path_scope = talloc_strdup(slq, scope);
|
|
- if (slq->path_scope == NULL) {
|
|
+ ok = mdssvc_real_scope(slq, scope);
|
|
+ if (!ok) {
|
|
goto error;
|
|
}
|
|
|
|
@@ -1662,6 +1714,7 @@ NTSTATUS mds_init_ctx(TALLOC_CTX *mem_ctx,
|
|
status = NT_STATUS_NO_MEMORY;
|
|
goto error;
|
|
}
|
|
+ mds_ctx->spath_len = strlen(path);
|
|
|
|
mds_ctx->snum = snum;
|
|
mds_ctx->pipe_session_info = session_info;
|
|
diff --git a/source3/rpc_server/mdssvc/mdssvc.h b/source3/rpc_server/mdssvc/mdssvc.h
|
|
index e1fc0709ab1..3b2ce250f1f 100644
|
|
--- a/source3/rpc_server/mdssvc/mdssvc.h
|
|
+++ b/source3/rpc_server/mdssvc/mdssvc.h
|
|
@@ -127,6 +127,7 @@ struct mds_ctx {
|
|
int snum;
|
|
const char *sharename;
|
|
const char *spath;
|
|
+ size_t spath_len;
|
|
struct connection_struct *conn;
|
|
struct sl_query *query_list; /* list of active queries */
|
|
struct db_context *ino_path_map; /* dbwrap rbt for storing inode->path mappings */
|
|
diff --git a/source3/rpc_server/mdssvc/srv_mdssvc_nt.c b/source3/rpc_server/mdssvc/srv_mdssvc_nt.c
|
|
index ae6a73605e1..c77e7185521 100644
|
|
--- a/source3/rpc_server/mdssvc/srv_mdssvc_nt.c
|
|
+++ b/source3/rpc_server/mdssvc/srv_mdssvc_nt.c
|
|
@@ -81,6 +81,7 @@ void _mdssvc_open(struct pipes_struct *p, struct mdssvc_open *r)
|
|
loadparm_s3_global_substitution();
|
|
int snum;
|
|
char *outpath = discard_const_p(char, r->out.share_path);
|
|
+ char *fake_path = NULL;
|
|
char *path;
|
|
NTSTATUS status;
|
|
|
|
@@ -98,12 +99,21 @@ void _mdssvc_open(struct pipes_struct *p, struct mdssvc_open *r)
|
|
|
|
path = lp_path(talloc_tos(), lp_sub, snum);
|
|
if (path == NULL) {
|
|
- DBG_ERR("Couldn't create policy handle for %s\n",
|
|
+ DBG_ERR("Couldn't create path for %s\n",
|
|
r->in.share_name);
|
|
p->fault_state = DCERPC_FAULT_CANT_PERFORM;
|
|
return;
|
|
}
|
|
|
|
+ fake_path = talloc_asprintf(p->mem_ctx, "/%s", r->in.share_name);
|
|
+ if (fake_path == NULL) {
|
|
+ DBG_ERR("Couldn't create fake share path for %s\n",
|
|
+ r->in.share_name);
|
|
+ talloc_free(path);
|
|
+ p->fault_state = DCERPC_FAULT_CANT_PERFORM;
|
|
+ return;
|
|
+ }
|
|
+
|
|
status = create_mdssvc_policy_handle(p->mem_ctx, p,
|
|
snum,
|
|
r->in.share_name,
|
|
@@ -112,18 +122,20 @@ void _mdssvc_open(struct pipes_struct *p, struct mdssvc_open *r)
|
|
if (NT_STATUS_EQUAL(status, NT_STATUS_WRONG_VOLUME)) {
|
|
ZERO_STRUCTP(r->out.handle);
|
|
talloc_free(path);
|
|
+ talloc_free(fake_path);
|
|
return;
|
|
}
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
DBG_ERR("Couldn't create policy handle for %s\n",
|
|
r->in.share_name);
|
|
talloc_free(path);
|
|
+ talloc_free(fake_path);
|
|
p->fault_state = DCERPC_FAULT_CANT_PERFORM;
|
|
return;
|
|
}
|
|
|
|
- strlcpy(outpath, path, 1024);
|
|
- talloc_free(path);
|
|
+ strlcpy(outpath, fake_path, 1024);
|
|
+ talloc_free(fake_path);
|
|
return;
|
|
}
|
|
|
|
--
|
|
2.34.1
|