author | Ralph Boehme <slow@samba.org> | 2017-03-19 15:58:17 +0100 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2017-03-23 19:10:19 +0100 |
commit | 47b6b6f8f58efbabd7e4610f51db61dca2bc157c (patch) | |
tree | 6cf6deb4f7db40b22455a2e8a3b667e6ee00c741 /source3/smbd/smb2_query_directory.c | |
parent | 1e0df575bc32499f5249fe3fc78745bffdaff5a6 (diff) | |
CVE-2017-2619: s3/smbd: re-open directory after dptr_CloseDir()
dptr_CloseDir() will close and invalidate the fsp's file descriptor, we
have to reopen it.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12496
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Diffstat (limited to 'source3/smbd/smb2_query_directory.c')
-rw-r--r-- | source3/smbd/smb2_query_directory.c | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/source3/smbd/smb2_query_directory.c b/source3/smbd/smb2_query_directory.c
index e18a279d9b4..2af029bc613 100644
--- a/source3/smbd/smb2_query_directory.c
+++ b/source3/smbd/smb2_query_directory.c
@@ -24,6 +24,7 @@
 #include "../libcli/smb/smb_common.h"
 #include "trans2.h"
 #include "../lib/util/tevent_ntstatus.h"
+#include "system/filesys.h"
 
 static struct tevent_req *smbd_smb2_query_directory_send(TALLOC_CTX *mem_ctx,
 struct tevent_context *ev,
@@ -322,7 +323,23 @@ static struct tevent_req *smbd_smb2_query_directory_send(TALLOC_CTX *mem_ctx,
 }
 
 if (in_flags & SMB2_CONTINUE_FLAG_REOPEN) {
+ int flags;
+
 dptr_CloseDir(fsp);
+
+ /*
+ * dptr_CloseDir() will close and invalidate the fsp's file
+ * descriptor, we have to reopen it.
+ */
+
+ flags = O_RDONLY;
+#ifdef O_DIRECTORY
+ flags |= O_DIRECTORY;
+#endif
+ status = fd_open(conn, fsp, flags, 0);
+ if (tevent_req_nterror(req, status)) {
+ return tevent_req_post(req, ev);
+ }
 }
 
 if (!smbreq->posix_pathnames) {
|
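Review bot: The re-open after `dptr_CloseDir(fsp)` goes back through the path, and the only thing checked afterwards is the NTSTATUS from `fd_open()`, so nothing in this hunk confirms that the new descriptor refers to the same directory the handle was originally opened on. On platforms without `O_DIRECTORY` the `#ifdef` fallback also loses the kernel's directory check, so a non-directory that now sits at that name would open successfully. Consider an fstat on the reopened descriptor that rejects a non-directory and, if the fsp still carries the original file id, a changed device/inode; whether `fd_open()` already enforces this is not visible here. The added comment could also state what state the fsp is left in when `fd_open()` fails, since the old descriptor is already closed at that point. The body of smbd_smb2_query_directory_send starts and ends outside this hunk.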