author | Ralph Boehme <slow@samba.org> | 2017-03-19 15:58:17 +0100 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2017-03-22 10:48:05 +0100 |
commit | 5ef7df63534c188164dbaff4f8f2c9b884e13dfe (patch) | |
tree | ae60931849e350656c9e27a80b0d7ec7c5c74ed9 | |
parent | cac3807d1ee75c9b579b4528714188e2e4e481f6 (diff) | |
download | samba-5ef7df63534c188164dbaff4f8f2c9b884e13dfe.tar.gz |
CVE-2017-2619: s3/smbd: re-open directory after dptr_CloseDir()
dptr_CloseDir() will close and invalidate the fsp's file descriptor, we
have to reopen it.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12496
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
-rw-r--r-- | source3/smbd/smb2_query_directory.c | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/source3/smbd/smb2_query_directory.c b/source3/smbd/smb2_query_directory.c
index e18a279d9b4..2af029bc613 100644
--- a/source3/smbd/smb2_query_directory.c
+++ b/source3/smbd/smb2_query_directory.c
@@ -24,6 +24,7 @@
 #include "../libcli/smb/smb_common.h"
 #include "trans2.h"
 #include "../lib/util/tevent_ntstatus.h"
+#include "system/filesys.h"
 static struct tevent_req *smbd_smb2_query_directory_send(TALLOC_CTX *mem_ctx,
 struct tevent_context *ev,
@@ -322,7 +323,23 @@ static struct tevent_req *smbd_smb2_query_directory_send(TALLOC_CTX *mem_ctx,
 }
 if (in_flags & SMB2_CONTINUE_FLAG_REOPEN) {
+ int flags;
+
 dptr_CloseDir(fsp);
+
+ /*
+ * dptr_CloseDir() will close and invalidate the fsp's file
+ * descriptor, we have to reopen it.
+ */
+
+ flags = O_RDONLY;
+#ifdef O_DIRECTORY
+ flags |= O_DIRECTORY;
+#endif
+ status = fd_open(conn, fsp, flags, 0);
+ if (tevent_req_nterror(req, status)) {
+ return tevent_req_post(req, ev);
+ }
 }
 if (!smbreq->posix_pathnames) { |
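Review bot: The reopen added in the `SMB2_CONTINUE_FLAG_REOPEN` branch resolves the directory again by name, and nothing visible in this hunk confirms that the new descriptor refers to the same directory the handle was originally opened on. Where `O_DIRECTORY` is not defined, the `#ifdef` drops the only type constraint on the open, so an object that replaced the path between `dptr_CloseDir()` and `fd_open()` would presumably be accepted unless `fd_open()` checks it itself. Because this is a security fix, the comment should state that dependency, for example `/* fd_open() re-resolves the path; it is expected to enforce the share-boundary and symlink checks */`, and a directory check on the reopened descriptor is worth adding for the non-`O_DIRECTORY` build if `fd_open()` does not already provide one. On the error path the fsp keeps the descriptor that `dptr_CloseDir()` invalidated; whether later requests on the same handle cope with that cannot be seen here. The function body starts and ends outside the hunk.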