CVE-2023-3961:s3:smbd: Catch any incoming pipe path that could exit socket_dir.
author Jeremy Allison <jra@samba.org>
Wed, 26 Jul 2023 00:41:04 +0000 (17:41 -0700)
committer Jule Anger <janger@samba.org>
Sun, 8 Oct 2023 20:05:40 +0000 (22:05 +0200)
For now, SMB_ASSERT() to exit the server. We will remove
this once the test code is in place.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422

Signed-off-by: Jeremy Allison <jra@samba.org>
source3/rpc_client/local_np.c

index 0b323404f06b7d1d1af27fd9a7a2785ae1a9749b..95228d5d801d03d7815a8bc3a86aedab7f0ab88c 100644 (file)
@@ -542,6 +542,24 @@ struct tevent_req *local_np_connect_send(
                return tevent_req_post(req, ev);
        }
 
+       /*
+        * Ensure we cannot process a path that exits
+        * the socket_dir.
+        */
+       if (ISDOTDOT(lower_case_pipename) ||
+           (strchr(lower_case_pipename, '/')!=NULL))
+       {
+               DBG_DEBUG("attempt to connect to invalid pipe pathname %s\n",
+                       lower_case_pipename);
+               /*
+                * For now, panic the server until we have
+                * the test code in place.
+                */
+               SMB_ASSERT(false);
+               tevent_req_error(req, ENOENT);
+               return tevent_req_post(req, ev);
+       }
+
        state->socketpath = talloc_asprintf(
                state, "%s/np/%s", socket_dir, lower_case_pipename);
        if (tevent_req_nomem(state->socketpath, req)) {
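
Review bot: In the new `if` block, `SMB_ASSERT(false)` comes before `tevent_req_error(req, ENOENT)`, so the error return below it is never reached, and a pipe name that is `..` or contains `/` panics the server process instead of failing the single request. The commit message says the assert is temporary; a TODO in the inner comment that references bug 15422 would make it harder to forget, and once the assert is gone the `ENOENT` path is what should remain. The rejection is also logged with `DBG_DEBUG`, the most verbose level, so a server running at a normal log level would record nothing about a rejected name; consider a higher-priority level such as `DBG_WARNING` so that attempts are visible to operators. The check tests `lower_case_pipename` immediately before it is formatted into `"%s/np/%s"`, which is the right place for it, but the comment could state that the intent is to allow a single path component only, since that is what the `strchr(..., '/')` test enforces.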