This is a subtle one. In smbd_dirptr_get_entry() we now
open a pathref fsp on all entries - including "..".
If we're at the root of the share we don't want
a handle to the directory above it, so silently
close the smb_fname->fsp for ".." names to prevent
it from being used to return meta-data to the client
(more than we already have done historically by
calling pathname functions on "..").
The marshalling returned entries and async DOS
code copes with smb_fname->fsp == NULL perfectly
well.
Only in master, but will need fixing for 4.15.rc1
or 2.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14759
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Jul 28 15:07:54 UTC 2021 on sn-devel-184
(cherry picked from commit
2acad27686074029ac83c66b42bb37eea380f449)
continue;
}
+ /*
+ * Don't leak metadata about the containing
+ * directory of the share.
+ */
+ if (dirptr_path_is_dot && ISDOTDOT(dname)) {
+ /*
+ * Making a copy here, then freeing
+ * the original will close the smb_fname->fsp.
+ */
+ struct smb_filename *tmp_smb_fname =
+ cp_smb_filename(ctx, smb_fname);
+
+ if (tmp_smb_fname == NULL) {
+ TALLOC_FREE(atname);
+ TALLOC_FREE(smb_fname);
+ TALLOC_FREE(dname);
+ TALLOC_FREE(fname);
+ return false;
+ }
+ TALLOC_FREE(smb_fname);
+ smb_fname = tmp_smb_fname;
+ mode = FILE_ATTRIBUTE_DIRECTORY;
+ get_dosmode = false;
+ }
+
ok = mode_fn(ctx,
private_data,
dirptr->dir_hnd->fsp,
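Review bot: the fix relies on cp_smb_filename() producing a copy whose fsp is not carried over, so that TALLOC_FREE(smb_fname) really does close the handle on the parent of the share root, as the in-hunk comment says; that assumption is only stated in a comment. Consider making it explicit right after `smb_fname = tmp_smb_fname;` with something like `SMB_ASSERT(smb_fname->fsp == NULL);` so a future change to the copy semantics cannot silently reintroduce the metadata leak on "..". Forcing `mode = FILE_ATTRIBUTE_DIRECTORY;` and `get_dosmode = false;` is consistent with that goal, since it keeps mode_fn from touching the now-closed handle to fetch DOS attributes for the parent directory.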