diff options
| author | Jeremy Allison <jra@samba.org> | 2019-08-06 12:08:09 -0700 |
|---|---|---|
| committer | Karolin Seeger <kseeger@samba.org> | 2019-10-24 12:34:28 +0200 |
| commit | 167f78aa97af6502cb2027dc9dad40399b0a9c4f (patch) | |
| tree | 9b31e73a46fa6c25b5e6aa5afe572e5c4fce37a9 | |
| parent | fc6022b9b19473076c4236fdf4ac474f44ca73e2 (diff) | |
| download | samba-167f78aa97af6502cb2027dc9dad40399b0a9c4f.tar.gz | |
CVE-2019-10218 - s3: libsmb: Protect SMB2 client code from evil server returned names.
Disconnect with NT_STATUS_INVALID_NETWORK_RESPONSE if so.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14071
Signed-off-by: Jeremy Allison <jra@samba.org>
| -rw-r--r-- | source3/libsmb/cli_smb2_fnum.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/source3/libsmb/cli_smb2_fnum.c b/source3/libsmb/cli_smb2_fnum.c index 1cfa50ffbac..3cdf68dc24b 100644 --- a/source3/libsmb/cli_smb2_fnum.c +++ b/source3/libsmb/cli_smb2_fnum.c @@ -1017,6 +1017,13 @@ NTSTATUS cli_smb2_list(struct cli_state *cli, goto fail; } + /* Protect against server attack. */ + status = is_bad_finfo_name(cli, finfo); + if (!NT_STATUS_IS_OK(status)) { + smbXcli_conn_disconnect(cli->conn, status); + goto fail; + } + if (dir_check_ftype((uint32_t)finfo->mode, (uint32_t)attribute)) { /* |