diff options
author | Colin Percival <cperciva@FreeBSD.org> | 2006-05-31 22:35:32 +0000 |
---|---|---|
committer | Colin Percival <cperciva@FreeBSD.org> | 2006-05-31 22:35:32 +0000 |
commit | 7459678c59a36ca2523460a638e17bc1d0365eec (patch) | |
tree | 22c9139c3d4039851e7157cf1f4161713e02de50 | |
parent | 16bd853276cbaaea5922bca3bebd2452b4a985f7 (diff) | |
download | src-releng/4.10.tar.gz src-releng/4.10.zip |
Correct a bug in the handling of backslash characters in smbfs which canreleng/4.10
allow an attacker to escape from a chroot(2).
Approved by: so (cperciva)
Security: FreeBSD-SA-06:16.smbfs
Notes
Notes:
svn path=/releng/4.10/; revision=159120
-rw-r--r-- | UPDATING | 4 | ||||
-rw-r--r-- | sys/conf/newvers.sh | 2 | ||||
-rw-r--r-- | sys/fs/smbfs/smbfs_vnops.c | 9 |
3 files changed, 13 insertions, 2 deletions
@@ -17,6 +17,10 @@ minimal number of processes, if possible, for that patch. For those updates that don't have an advisory, or to be safe, you can do a full build and install as described in the COMMON ITEMS section. +20060531: p24 FreeBSD-SA-06:16.smbfs + Correct a bug in the handling of backslash characters in smbfs + which can allow an attacker to escape from a chroot(2). + 20060419: p23 FreeBSD-SA-06:14.fpu Correct a local information leakage bug affecting AMD FPUs. diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh index 1dca0aafd682..80a460a774b1 100644 --- a/sys/conf/newvers.sh +++ b/sys/conf/newvers.sh @@ -36,7 +36,7 @@ TYPE="FreeBSD" REVISION="4.10" -BRANCH="RELEASE-p23" +BRANCH="RELEASE-p24" RELEASE="${REVISION}-${BRANCH}" VERSION="${TYPE} ${RELEASE}" diff --git a/sys/fs/smbfs/smbfs_vnops.c b/sys/fs/smbfs/smbfs_vnops.c index ec7b381a0e0a..2588369cf873 100644 --- a/sys/fs/smbfs/smbfs_vnops.c +++ b/sys/fs/smbfs/smbfs_vnops.c @@ -1076,11 +1076,18 @@ smbfs_advlock(ap) static int smbfs_pathcheck(struct smbmount *smp, const char *name, int nmlen, int nameiop) { - static const char *badchars = "*/\\:<>;?"; + static const char *badchars = "*/:<>;?"; static const char *badchars83 = " +|,[]="; const char *cp; int i, error; + /* + * Backslash characters, being a path delimiter, are prohibited + * within a path component even for LOOKUP operations. + */ + if (index(name, '\\') != NULL) + return ENOENT; + if (nameiop == LOOKUP) return 0; error = ENOENT; |