authorJeremy Allison <jra@samba.org>2015-06-17 10:23:30 -0700
committerKarolin Seeger <kseeger@samba.org>2015-06-30 02:06:28 +0200
commite700e9d4312a77066b344a763b2f05be7190e257 (patch)
tree1d352ad7e6c09e3b0669c2d9020d1f1da5c3d83a
parentaf4617aea187d701d1f43cc5faefd0f2302f60f3 (diff)
downloadsamba-e700e9d4312a77066b344a763b2f05be7190e257.tar.gz
s3: smbd: Use separate flag to track become_root()/unbecome_root() state.
Early function exit can mean backup_priv is set but we haven't called become_root(). *Lots* of work by the reviewers went in to checking this isn't a security issue. Found by Codenomicon at the Redmond plugfest. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11339 Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Thu Jun 25 22:14:58 CEST 2015 on sn-devel-104 (cherry picked from commit e2c4b8967d33b610f9f076c614352e4b8fc7c558)
-rw-r--r--source3/smbd/trans2.c8
1 files changed, 6 insertions, 2 deletions
diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
index 2f2bbf6e067..a6a8b5db7c6 100644
--- a/source3/smbd/trans2.c
+++ b/source3/smbd/trans2.c
@@ -2363,6 +2363,7 @@ static void call_trans2findfirst(connection_struct *conn,
struct smbd_server_connection *sconn = req->sconn;
uint32_t ucf_flags = (UCF_SAVE_LCOMP | UCF_ALWAYS_ALLOW_WCARD_LCOMP);
bool backup_priv = false;
+ bool as_root = false;
if (total_params < 13) {
reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
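Review bot: The new `as_root` declaration in call_trans2findfirst sits directly beside `backup_priv` with nothing to say how the two differ, and that distinction is the whole reason for the change. A one-line comment on the declaration would keep a later edit from testing the wrong flag at cleanup, for example `/* Set only after become_root() has actually run; backup_priv alone does not mean we are root. */`. The same comment fits the matching declaration in call_trans2findnext further down. The function body continues outside this hunk.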
@@ -2428,6 +2429,7 @@ close_if_end = %d requires_resume_key = %d backup_priv = %d level = 0x%x, max_da
if (backup_priv) {
become_root();
+ as_root = true;
ntstatus = filename_convert_with_privilege(ctx,
conn,
req,
@@ -2683,7 +2685,7 @@ total_data=%u (should be %u)\n", (unsigned int)total_data, (unsigned int)IVAL(pd
}
out:
- if (backup_priv) {
+ if (as_root) {
unbecome_root();
}
@@ -2737,6 +2739,7 @@ static void call_trans2findnext(connection_struct *conn,
struct dptr_struct *dirptr;
struct smbd_server_connection *sconn = req->sconn;
bool backup_priv = false;
+ bool as_root = false;
if (total_params < 13) {
reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
@@ -2905,6 +2908,7 @@ total_data=%u (should be %u)\n", (unsigned int)total_data, (unsigned int)IVAL(pd
if (backup_priv) {
become_root();
+ as_root = true;
}
/*
@@ -2996,7 +3000,7 @@ total_data=%u (should be %u)\n", (unsigned int)total_data, (unsigned int)IVAL(pd
dptr_close(sconn, &dptr_num); /* This frees up the saved mask */
}
- if (backup_priv) {
+ if (as_root) {
unbecome_root();
}
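Review bot: This cleanup block in call_trans2findnext has no `out:` label in view, unlike the findfirst cleanup above, so as far as the hunks show it is reached only by falling through to the end of the function. The code between `become_root()` and this block is not visible here; if any path in that stretch returns directly, the process would keep root credentials after the request completes, so that range is worth checking for bare `return` statements. If one exists, routing it through a shared label placed just before `if (as_root) { unbecome_root(); }` would keep the become/unbecome pairing in one place. The function starts and ends outside this hunk.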