authorJeremy Allison <jra@samba.org>2021-07-14 19:11:05 -0700
committerJule Anger <janger@samba.org>2021-08-09 11:16:14 +0000
commit9b8e795df6f61fdf530d3fe85faea8ae2e3c00e9 (patch)
treebd90d95ba63b8bf20bd58ea1b66d3698a8ba360e
parent3acccfc764df88bd1400bc8da72b2733ca06cdff (diff)
downloadsamba-9b8e795df6f61fdf530d3fe85faea8ae2e3c00e9.tar.gz
s3: smbd: Don't leak meta-data about the containing directory of the share root.
This is a subtle one. In smbd_dirptr_get_entry() we now open a pathref fsp on all entries - including "..". If we're at the root of the share we don't want a handle to the directory above it, so silently close the smb_fname->fsp for ".." names to prevent it from being used to return meta-data to the client (more than we already have done historically by calling pathname functions on ".."). The code that marshals returned entries and the async DOS code cope with smb_fname->fsp == NULL perfectly well. Only in master, but will need fixing for 4.15.rc1 or 2. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14759 Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> Autobuild-User(master): Ralph Böhme <slow@samba.org> Autobuild-Date(master): Wed Jul 28 15:07:54 UTC 2021 on sn-devel-184 (cherry picked from commit 2acad27686074029ac83c66b42bb37eea380f449)
-rw-r--r--source3/smbd/dir.c25
1 files changed, 25 insertions, 0 deletions
diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c
index 127e4b0d08d..4c807c3f85c 100644
--- a/source3/smbd/dir.c
+++ b/source3/smbd/dir.c
@@ -946,6 +946,31 @@ bool smbd_dirptr_get_entry(TALLOC_CTX *ctx,
continue;
}
+ /*
+ * Don't leak metadata about the containing
+ * directory of the share.
+ */
+ if (dirptr_path_is_dot && ISDOTDOT(dname)) {
+ /*
+ * Making a copy here, then freeing
+ * the original will close the smb_fname->fsp.
+ */
+ struct smb_filename *tmp_smb_fname =
+ cp_smb_filename(ctx, smb_fname);
+
+ if (tmp_smb_fname == NULL) {
+ TALLOC_FREE(atname);
+ TALLOC_FREE(smb_fname);
+ TALLOC_FREE(dname);
+ TALLOC_FREE(fname);
+ return false;
+ }
+ TALLOC_FREE(smb_fname);
+ smb_fname = tmp_smb_fname;
+ mode = FILE_ATTRIBUTE_DIRECTORY;
+ get_dosmode = false;
+ }
+
ok = mode_fn(ctx,
private_data,
dirptr->dir_hnd->fsp,