smbd: Return OBJECT_NAME_NOT_FOUND if lcomp points outside the share

filename_convert_dirfsp() is the only caller of
safe_symlink_target_path(). Right now this is not called with
"unparsed==0" because the last component is handled in
openat_pathref_fsp() and thus non_widelink_open(). I have code that
will change this, so that we can simplify
openat_pathref_fsp_case_insensitive() to directly call OPENAT, not
going through non_widelink_open. This will cause
safe_symlink_target_path() also be called for the last component,
which means it needs logic to distinguish between PATH_ and
NAME_NOT_FOUND.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

diff --git a/source3/smbd/filename.c b/source3/smbd/filename.c
index e3776b3fa634c28b9c2502cb42c298cce2f3aad1..5d3e199c362bebd0eb2f6e3b1be3deb9a1e6e750 100644 (file)
--- a/source3/smbd/filename.c
+++ b/source3/smbd/filename.c
@@ -903,7 +903,8 @@ static NTSTATUS safe_symlink_target_path(
                connectpath, strlen(connectpath), abs_target_canon, &relative);
        if (!in_share) {
                DBG_DEBUG("wide link to %s\n", abs_target_canon);
-               status = NT_STATUS_OBJECT_PATH_NOT_FOUND;
+               status = (unparsed != 0) ? NT_STATUS_OBJECT_PATH_NOT_FOUND
+                                        : NT_STATUS_OBJECT_NAME_NOT_FOUND;
                goto fail;
        }