From: Jeremy Allison <jra@samba.org>
Date: Fri, 23 Oct 2015 21:54:31 +0000 (-0700)
Subject: CVE-2015-5299: s3-shadow-copy2: fix missing access check on snapdir
X-Git-Tag: samba-4.1.22~6
X-Git-Url: http://git.samba.org/?p=samba.git;a=commitdiff_plain;h=fa777786d75272e3190dcbd32eeff9b3e4f03bde

CVE-2015-5299: s3-shadow-copy2: fix missing access check on snapdir

Fix originally from <partha@exablox.com>

https://bugzilla.samba.org/show_bug.cgi?id=11529

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
---

diff --git a/source3/modules/vfs_shadow_copy2.c b/source3/modules/vfs_shadow_copy2.c
index fca05cf7ab9..07e2f8ac0e7 100644
--- a/source3/modules/vfs_shadow_copy2.c
+++ b/source3/modules/vfs_shadow_copy2.c
@@ -30,6 +30,7 @@
  */
 
 #include "includes.h"
+#include "smbd/smbd.h"
 #include "system/filesys.h"
 #include "include/ntioctl.h"
 #include <ccan/hash/hash.h>
@@ -1138,6 +1139,42 @@ static char *have_snapdir(struct vfs_handle_struct *handle,
 	return NULL;
 }
 
+static bool check_access_snapdir(struct vfs_handle_struct *handle,
+				const char *path)
+{
+	struct smb_filename smb_fname;
+	int ret;
+	NTSTATUS status;
+
+	ZERO_STRUCT(smb_fname);
+	smb_fname.base_name = talloc_asprintf(talloc_tos(),
+						"%s",
+						path);
+	if (smb_fname.base_name == NULL) {
+		return false;
+	}
+
+	ret = SMB_VFS_NEXT_STAT(handle, &smb_fname);
+	if (ret != 0 || !S_ISDIR(smb_fname.st.st_ex_mode)) {
+		TALLOC_FREE(smb_fname.base_name);
+		return false;
+	}
+
+	status = smbd_check_access_rights(handle->conn,
+					&smb_fname,
+					false,
+					SEC_DIR_LIST);
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(0,("user does not have list permission "
+			"on snapdir %s\n",
+			smb_fname.base_name));
+		TALLOC_FREE(smb_fname.base_name);
+		return false;
+	}
+	TALLOC_FREE(smb_fname.base_name);
+	return true;
+}
+
 /**
  * Find the snapshot directory (if any) for the given
  * filename (which is relative to the share).
@@ -1287,6 +1324,7 @@ static int shadow_copy2_get_shadow_copy_data(
 	const char *snapdir;
 	struct dirent *d;
 	TALLOC_CTX *tmp_ctx = talloc_stackframe();
+	bool ret;
 
 	snapdir = shadow_copy2_find_snapdir(tmp_ctx, handle, fsp->fsp_name);
 	if (snapdir == NULL) {
@@ -1296,6 +1334,13 @@ static int shadow_copy2_get_shadow_copy_data(
 		talloc_free(tmp_ctx);
 		return -1;
 	}
+	ret = check_access_snapdir(handle, snapdir);
+	if (!ret) {
+		DEBUG(0,("access denied on listing snapdir %s\n", snapdir));
+		errno = EACCES;
+		talloc_free(tmp_ctx);
+		return -1;
+	}
 
 	p = SMB_VFS_NEXT_OPENDIR(handle, snapdir, NULL, 0);