CVE-2021-44141: s3: smbd: Inside check_reduced_name() ensure we return the correct...

NT_STATUS_OBJECT_PATH_NOT_FOUND for a path component failure.
NT_STATUS_OBJECT_NAME_NOT_FOUND for a terminal component failure.

Remove:

	samba3.blackbox.test_symlink_traversal.SMB1.posix
	samba3.blackbox.smbclient_s3.*.Ensure\ widelinks\ are\ restricted\(.*\)
	samba3.blackbox.smbclient_s3.*.follow\ symlinks\ \=\ no\(.*\)

in knownfail.d/symlink_traversal as we now pass these. Only one more fix
remaining to get rid of knownfail.d/symlink_traversal completely.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911

Signed-off-by: Jeremy Allison <jra@samba.org>

diff --git a/selftest/knownfail.d/symlink_traversal b/selftest/knownfail.d/symlink_traversal
index 840ab38b0f908dc80ceb0464f7a032cee2100332..2a51ff3f91d1d75e1247db6361e8d9e35094d15e 100644 (file)
--- a/selftest/knownfail.d/symlink_traversal
+++ b/selftest/knownfail.d/symlink_traversal
@@ -1,5 +1,2 @@
 ^samba3.blackbox.test_symlink_traversal.SMB2.symlink_traversal_SMB2\(fileserver\)
 ^samba3.blackbox.test_symlink_traversal.SMB1.symlink_traversal_SMB1\(fileserver_smb1_done\)
-^samba3.blackbox.test_symlink_traversal.SMB1.posix.symlink_traversal_SMB1_posix\(fileserver_smb1_done\)
-^samba3.blackbox.smbclient_s3.*.Ensure\ widelinks\ are\ restricted\(.*\)
-^samba3.blackbox.smbclient_s3.*.follow\ symlinks\ \=\ no\(.*\)

diff --git a/source3/smbd/vfs.c b/source3/smbd/vfs.c
index 9bc528837d730a4a1dc5aa4f6480a0e0ad43180d..cd412a3d57a4b7698cb59e4491fbca4baddf7245 100644 (file)
--- a/source3/smbd/vfs.c
+++ b/source3/smbd/vfs.c
@@ -1146,6 +1146,7 @@ NTSTATUS check_reduced_name(connection_struct *conn,
        bool allow_symlinks = true;
        const char *conn_rootdir;
        size_t rootdir_len;
+       bool parent_dir_checked = false;
 
        DBG_DEBUG("check_reduced_name [%s] [%s]\n", fname, conn->connectpath);
 
@@ -1207,6 +1208,7 @@ NTSTATUS check_reduced_name(connection_struct *conn,
                if (resolved_name == NULL) {
                        return NT_STATUS_NO_MEMORY;
                }
+               parent_dir_checked = true;
        } else {
                resolved_name = resolved_fname->base_name;
        }
@@ -1256,7 +1258,13 @@ NTSTATUS check_reduced_name(connection_struct *conn,
                                conn_rootdir,
                                resolved_name);
                        TALLOC_FREE(resolved_fname);
-                       return NT_STATUS_ACCESS_DENIED;
+                       if (parent_dir_checked) {
+                               /* Part of a component path. */
+                               return NT_STATUS_OBJECT_PATH_NOT_FOUND;
+                       } else {
+                               /* End of a path. */
+                               return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+                       }
                }
        }
 
@@ -1311,7 +1319,13 @@ NTSTATUS check_reduced_name(connection_struct *conn,
                                p);
                        TALLOC_FREE(resolved_fname);
                        TALLOC_FREE(new_fname);
-                       return NT_STATUS_ACCESS_DENIED;
+                       if (parent_dir_checked) {
+                               /* Part of a component path. */
+                               return NT_STATUS_OBJECT_PATH_NOT_FOUND;
+                       } else {
+                               /* End of a path. */
+                               return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+                       }
                }
        }