CVE-2017-2619: s3: smbd: Use the new non_widelink_open() function.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Autobuild-User(master): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(master): Thu Mar 23 22:55:04 CET 2017 on sn-devel-144

diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index d66bd64e705bccb544d9e753556c7fb6298c4271..a6e61e70f7fba2e3b50b33ea9092ca60d34413a8 100644 (file)
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -647,7 +647,28 @@ NTSTATUS fd_open(struct connection_struct *conn,
                flags |= O_NOFOLLOW;
        }
 
-       fsp->fh->fd = SMB_VFS_OPEN(conn, smb_fname, fsp, flags, mode);
+       /* Ensure path is below share definition. */
+       if (!lp_widelinks(SNUM(conn))) {
+               const char *conn_rootdir = SMB_VFS_CONNECTPATH(conn,
+                                               smb_fname->base_name);
+               if (conn_rootdir == NULL) {
+                       return NT_STATUS_NO_MEMORY;
+               }
+               /*
+                * Only follow symlinks within a share
+                * definition.
+                */
+               fsp->fh->fd = non_widelink_open(conn,
+                                       conn_rootdir,
+                                       fsp,
+                                       smb_fname,
+                                       flags,
+                                       mode,
+                                       0);
+       } else {
+               fsp->fh->fd = SMB_VFS_OPEN(conn, smb_fname, fsp, flags, mode);
+       }
+
        if (fsp->fh->fd == -1) {
                int posix_errno = link_errno_convert(errno);
                status = map_nt_error_from_unix(posix_errno);