CVE-2017-2619: s3/smbd: re-open directory after dptr_CloseDir()
authorRalph Boehme <slow@samba.org>
Sun, 19 Mar 2017 14:58:17 +0000 (15:58 +0100)
committerKarolin Seeger <kseeger@samba.org>
Wed, 22 Mar 2017 09:45:15 +0000 (10:45 +0100)
dptr_CloseDir() will close and invalidate the fsp's file descriptor, we
have to reopen it.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12496

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
source3/smbd/smb2_query_directory.c

index 4b6ca1b8c0abbfcf3b15d4b4ff949d00a599e816..170331003affc58738ade81385ad0c1ae83fa2a7 100644 (file)
@@ -24,6 +24,7 @@
 #include "../libcli/smb/smb_common.h"
 #include "trans2.h"
 #include "../lib/util/tevent_ntstatus.h"
+#include "system/filesys.h"
 
 static struct tevent_req *smbd_smb2_query_directory_send(TALLOC_CTX *mem_ctx,
                                              struct tevent_context *ev,
@@ -322,7 +323,23 @@ static struct tevent_req *smbd_smb2_query_directory_send(TALLOC_CTX *mem_ctx,
        }
 
        if (in_flags & SMB2_CONTINUE_FLAG_REOPEN) {
+               int flags;
+
                dptr_CloseDir(fsp);
+
+               /*
+                * dptr_CloseDir() will close and invalidate the fsp's file
+                * descriptor, we have to reopen it.
+                */
+
+               flags = O_RDONLY;
+#ifdef O_DIRECTORY
+               flags |= O_DIRECTORY;
+#endif
+               status = fd_open(conn, fsp, flags, 0);
+               if (tevent_req_nterror(req, status)) {
+                       return tevent_req_post(req, ev);
+               }
        }
 
        if (!smbreq->posix_pathnames) {
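Review bot: The reopen after `dptr_CloseDir(fsp)` in the `SMB2_CONTINUE_FLAG_REOPEN` branch is done by name, and where `O_DIRECTORY` is not defined the flags stay plain `O_RDONLY`, so nothing in this hunk confirms that the new descriptor still refers to a directory, let alone the one the handle was originally opened on. Whether `fd_open()` re-validates the path is not visible here; if it does, the comment should say so, e.g. `/* Reopen is by name, so the path may have changed since the original open; fd_open() is relied on to re-check it. */`. If it does not, the `#ifndef O_DIRECTORY` case needs an fstat on the reopened descriptor with an `S_ISDIR` test that fails the request with `NT_STATUS_NOT_A_DIRECTORY`. When `fd_open()` fails, the request is completed with the error but `fsp` appears to be left holding the invalidated descriptor, so it is worth confirming that later requests on the same handle cope with that. The body of `smbd_smb2_query_directory_send` starts and ends outside the hunk, so the handling around this branch could not be checked.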