s3: smbd: Sanitize any "server" and "share" components of SMB1 DFS paths to remove...
authorJeremy Allison <jra@samba.org>
Wed, 26 Jul 2023 23:39:51 +0000 (16:39 -0700)
committerRalph Boehme <slow@samba.org>
Thu, 27 Jul 2023 10:52:50 +0000 (10:52 +0000)
Remove knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15419

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Thu Jul 27 10:52:50 UTC 2023 on atb-devel-224

selftest/knownfail.d/dfs_badpath [deleted file]
source3/smbd/smb2_reply.c

diff --git a/selftest/knownfail.d/dfs_badpath b/selftest/knownfail.d/dfs_badpath
deleted file mode 100644 (file)
index 9fd16e9..0000000
+++ /dev/null
@@ -1 +0,0 @@
-^samba3.smbtorture_s3.smb1.SMB1-DFS-BADPATH.smbtorture\(fileserver_smb1\)
index 9113878fa8c5cffcf372652958d499231a747ec0..66b735e0b75c4160f12b1433e375dd068dcc4087 100644 (file)
@@ -324,6 +324,7 @@ static size_t srvstr_get_path_internal(TALLOC_CTX *ctx,
                char *share = NULL;
                char *remaining_path = NULL;
                char path_sep = 0;
+               char *p = NULL;
 
                if (posix_pathnames && (dst[0] == '/')) {
                        path_sep = dst[0];
@@ -374,6 +375,16 @@ static size_t srvstr_get_path_internal(TALLOC_CTX *ctx,
                if (share == NULL) {
                        goto local_path;
                }
+               /*
+                * Ensure the server name does not contain
+                * any possible path components by converting
+                * them to _'s.
+                */
+               for (p = server + 1; p < share; p++) {
+                       if (*p == '/' || *p == '\\') {
+                               *p = '_';
+                       }
+               }
                /*
                 * It's a well formed DFS path with
                 * at least server and share components.
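Review bot: The separator-to-underscore loop added here for the server name is repeated twice more for the share name in the two following hunks, so one sanitisation rule now lives in three copies that can drift apart. A small static helper taking a start and an end pointer would keep the rule in one place and let each call site state which component it covers; the local `p` added in the first smb2_reply.c hunk would then no longer be needed. srvstr_get_path_internal() starts and ends outside this hunk, so the call sites below are shown in outline only.

```c
/* Replace any '/' or '\\' in [start, end) with '_'. */
static void dfs_component_strip_separators(char *start, const char *end)
{
	char *p = NULL;

	for (p = start; p < end; p++) {
		if (*p == '/' || *p == '\\') {
			*p = '_';
		}
	}
}

/* ... unchanged: srvstr_get_path_internal() up to the share == NULL check ... */
		dfs_component_strip_separators(server + 1, share);
/* ... unchanged: remaining_path lookup; inside the remaining_path == NULL branch: ... */
			dfs_component_strip_separators(share + 1,
						       share + strlen(share));
/* ... unchanged: early return for a bare /server/share path ... */
		dfs_component_strip_separators(share + 1, remaining_path);
```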
@@ -388,6 +399,16 @@ static size_t srvstr_get_path_internal(TALLOC_CTX *ctx,
                 */
                remaining_path = strchr(share+1, path_sep);
                if (remaining_path == NULL) {
+                       /*
+                        * Ensure the share name does not contain
+                        * any possible path components by converting
+                        * them to _'s.
+                        */
+                       for (p = share + 1; *p; p++) {
+                               if (*p == '/' || *p == '\\') {
+                                       *p = '_';
+                               }
+                       }
                        /*
                         * If no remaining path this was
                         * a bare /server/share path. Just return.
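Review bot: The loop condition in `for (p = share + 1; *p; p++)` is an implicit truth test on a char, and nothing nearby says why running to the terminator is the right bound in this branch. Writing it as `for (p = share + 1; *p != '\0'; p++)` and adding a line such as `/* No further path_sep was found, so the share name runs to the end of the string. */` would make the bound explicit. The loop depends on the buffer being NUL-terminated here, which the preceding `strchr(share+1, path_sep)` call already assumes. The enclosing block starts and ends outside the hunk.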
@@ -395,6 +416,16 @@ static size_t srvstr_get_path_internal(TALLOC_CTX *ctx,
                        *err = NT_STATUS_OK;
                        return ret;
                }
+               /*
+                * Ensure the share name does not contain
+                * any possible path components by converting
+                * them to _'s.
+                */
+               for (p = share + 1; p < remaining_path; p++) {
+                       if (*p == '/' || *p == '\\') {
+                               *p = '_';
+                       }
+               }
                *remaining_path = '/';
                dst = remaining_path + 1;
                /* dst now points at any following components. */
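Review bot: The comment above `for (p = share + 1; p < remaining_path; p++)` says the loop removes "any possible path components", but `remaining_path` is the first `path_sep` after `share+1` (the `strchr` line in the previous hunk). This range can therefore never contain `path_sep` itself, and the loop only rewrites the other separator character. A comment saying so would tell the next reader why both characters are tested, for example `/* path_sep cannot occur before remaining_path; replace the other separator so the share name stays a single component. */`. The server-name loop probably has the same property, though the assignment of `share` is not visible in these hunks. The function continues past the end of this hunk.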