git.samba.org / samba.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 4505193) | patch
CVE-2023-4091: smbd: use open_access_mask for access check in open_file()
authorRalph Boehme <slow@samba.org>
Tue, 1 Aug 2023 11:04:36 +0000 (13:04 +0200)
committerJule Anger <janger@samba.org>
Sun, 8 Oct 2023 20:06:03 +0000 (22:06 +0200)
commit347d55084b76f53f752e9aae9e84a9f775cbec9d
treea9899c18563633e9847a243bf388060b47eec4ddtree
parent45051934ffa479b25193f409a0c0fe7740f2415dcommit | diff
CVE-2023-4091: smbd: use open_access_mask for access check in open_file()

If the client requested FILE_OVERWRITE[_IF], we're implicitly adding
FILE_WRITE_DATA to the open_access_mask in open_file_ntcreate(), but for the
access check we're using access_mask which doesn't contain the additional
right, which means we can end up truncating a file for which the user has
only read-only access via an SD.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439

Signed-off-by: Ralph Boehme <slow@samba.org>
selftest/knownfail.d/samba3.smb2.acls [deleted file] blob | history
source3/smbd/open.c diff | blob | history
Samba Shared Repository