authorJeremy Allison <jra@samba.org>2021-12-09 16:49:46 -0800
committerJule Anger <janger@samba.org>2022-01-31 12:23:52 +0100
commit68ee550a0dd41e31fd6ffdd1aeda8adb3595a8cf (patch)
treec6db9c172027c9edef54047a9448cf554af64e94
parent43a9866c46b9a82af34693e5c17c0c627169cb76 (diff)
CVE-2021-44141: s3: smbd: In rename_internals(), remove the name spliting and re-combining code.
filename_convert() handles mangled names just fine, so we don't need to split the last component and check for mangle. Now that we don't take wildcard names, this is not needed. This was the last caller of split_fname_dir_mask(), so ifdef it out. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911 Signed-off-by: Jeremy Allison <jra@samba.org>
-rw-r--r--source3/smbd/reply.c67
1 files changed, 2 insertions, 65 deletions
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index b9f1bd6b9c2..7b0eb18d744 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -1624,6 +1624,7 @@ void reply_dskattr(struct smb_request *req)
return;
}
+#if 0
/*
* Utility function to split the filename from the directory.
*/
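Review bot: The `#if 0` added above the `split_fname_dir_mask()` comment, closed by the `#endif` in the next hunk, leaves the helper in the file as dead code with nothing at the site saying why. The commit message says this was the last caller, so deleting the function outright would be cleaner. If it has to stay for now, annotate both guard lines, e.g. `#if 0 /* unused: rename_internals() no longer splits the source name */` and `#endif /* 0 */`. Code under `#if 0` is never compiled, so it drifts out of date unnoticed and can later be re-enabled without the scrutiny a new path-handling helper would get. The function body lies outside both hunks, so this rests on the visible guard lines only.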
@@ -1655,6 +1656,7 @@ static NTSTATUS split_fname_dir_mask(TALLOC_CTX *ctx, const char *fname_in,
*fname_mask_out = fname_mask;
return NT_STATUS_OK;
}
+#endif
/****************************************************************************
Make a dir struct.
@@ -7618,52 +7620,12 @@ NTSTATUS rename_internals(TALLOC_CTX *ctx,
bool replace_if_exists,
uint32_t access_mask)
{
- char *fname_src_dir = NULL;
- struct smb_filename *smb_fname_src_dir = NULL;
- char *fname_src_mask = NULL;
NTSTATUS status = NT_STATUS_OK;
- char *talloced = NULL;
int create_options = 0;
struct smb2_create_blobs *posx = NULL;
struct files_struct *fsp = NULL;
int rc;
- /*
- * Split the old name into directory and last component
- * strings. Note that unix_convert may have stripped off a
- * leading ./ from both name and newname if the rename is
- * at the root of the share. We need to make sure either both
- * name and newname contain a / character or neither of them do.
- */
-
- /* Split up the directory from the filename/mask. */
- status = split_fname_dir_mask(ctx, smb_fname_src->base_name,
- &fname_src_dir, &fname_src_mask);
- if (!NT_STATUS_IS_OK(status)) {
- status = NT_STATUS_NO_MEMORY;
- goto out;
- }
-
- /*
- * We should only check the mangled cache
- * here if unix_convert failed. This means
- * that the path in 'mask' doesn't exist
- * on the file system and so we need to look
- * for a possible mangle. This patch from
- * Tine Smukavec <valentin.smukavec@hermes.si>.
- */
-
- if (!VALID_STAT(smb_fname_src->st) &&
- mangle_is_mangled(fname_src_mask, conn->params)) {
- char *new_mask = NULL;
- mangle_lookup_name_from_8_3(ctx, fname_src_mask, &new_mask,
- conn->params);
- if (new_mask) {
- TALLOC_FREE(fname_src_mask);
- fname_src_mask = new_mask;
- }
- }
-
if (smb_fname_src->flags & SMB_FILENAME_POSIX_PATH) {
status = make_smb2_posix_create_ctx(talloc_tos(), &posx, 0777);
if (!NT_STATUS_IS_OK(status)) {
@@ -7673,27 +7635,6 @@ NTSTATUS rename_internals(TALLOC_CTX *ctx,
}
}
- /*
- * Only one file needs to be renamed. Append the mask back
- * onto the directory.
- */
- TALLOC_FREE(smb_fname_src->base_name);
- if (ISDOT(fname_src_dir)) {
- /* Ensure we use canonical names on open. */
- smb_fname_src->base_name = talloc_asprintf(smb_fname_src,
- "%s",
- fname_src_mask);
- } else {
- smb_fname_src->base_name = talloc_asprintf(smb_fname_src,
- "%s/%s",
- fname_src_dir,
- fname_src_mask);
- }
- if (!smb_fname_src->base_name) {
- status = NT_STATUS_NO_MEMORY;
- goto out;
- }
-
DBG_NOTICE("case_sensitive = %d, "
"case_preserve = %d, short case preserve = %d, "
"directory = %s, newname = %s, "
@@ -7776,10 +7717,6 @@ NTSTATUS rename_internals(TALLOC_CTX *ctx,
out:
TALLOC_FREE(posx);
- TALLOC_FREE(talloced);
- TALLOC_FREE(smb_fname_src_dir);
- TALLOC_FREE(fname_src_dir);
- TALLOC_FREE(fname_src_mask);
return status;
}