CVE-2015-7560: s3: smbd: Refuse to get an ACL from a POSIX file handle on a symlink.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648 Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
author: Jeremy Allison <jra@samba.org> 2016-01-05 10:38:28 -0800
committer: Karolin Seeger <kseeger@samba.org> 2016-02-24 11:39:59 +0100
commit: fa1c482083cc1b0f124490bd40ad79dd7e94de2c (patch)
tree: eff1cfce84a48ea6b4bb84869c3d44faa06565e6
parent: 76f6cf5bbfc1eececa3c76f492372fd66f5fa7ed (diff)
download: samba-fa1c482083cc1b0f124490bd40ad79dd7e94de2c.tar.gz
1 files changed, 7 insertions, 0 deletions
diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
index 04dddee5c3d..f812e853d49 100644
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -1905,6 +1905,13 @@ NTSTATUS smbd_do_query_security_desc(connection_struct *conn,
 		return NT_STATUS_ACCESS_DENIED;
 	}
 
+	if (S_ISLNK(fsp->fsp_name->st.st_ex_mode)) {
+		DEBUG(10, ("ACL get on symlink %s denied.\n",
+			fsp_str_dbg(fsp)));
+		TALLOC_FREE(frame);
+		return NT_STATUS_ACCESS_DENIED;
+	}
+
 	if (security_info_wanted & (SECINFO_DACL|SECINFO_OWNER|
 			SECINFO_GROUP|SECINFO_SACL)) {
 		/* Don't return SECINFO_LABEL if anything else was
author	Jeremy Allison <jra@samba.org>	2016-01-05 10:38:28 -0800
committer	Karolin Seeger <kseeger@samba.org>	2016-02-24 11:39:59 +0100
commit	fa1c482083cc1b0f124490bd40ad79dd7e94de2c (patch)
tree	eff1cfce84a48ea6b4bb84869c3d44faa06565e6
parent	76f6cf5bbfc1eececa3c76f492372fd66f5fa7ed (diff)
download	samba-fa1c482083cc1b0f124490bd40ad79dd7e94de2c.tar.gz