s3: smbd: Allow async dosmode to cope with ".." pathnames where we close smb_fname->fsp to prevent meta-data leakage.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14759

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit b004ebb1c62742346b84ecb9d52c783173528fac)

1 files changed, 14 insertions, 9 deletions

diff --git a/source3/smbd/dosmode.c b/source3/smbd/dosmode.c
index 43c46867122..99cb8607944 100644
--- a/source3/smbd/dosmode.c
+++ b/source3/smbd/dosmode.c
@@ -814,15 +814,20 @@ struct tevent_req *dos_mode_at_send(TALLOC_CTX *mem_ctx,
 	}
 
 	if (smb_fname->fsp == NULL) {
-		/*
-		 * The pathological case where a caller does
-		 * dos_mode_at_send() and smb_fname points at a
-		 * symlink in POSIX context. smb_fname->fsp is NULL.
-		 *
-		 * FIXME ? Should we move to returning
-		 * FILE_ATTRIBUTE_REPARSE_POINT here ?
-		 */
-		state->dosmode = FILE_ATTRIBUTE_NORMAL;
+		if (ISDOTDOT(smb_fname->base_name)) {
+			/*
+			 * smb_fname->fsp is explicitly closed
+			 * for ".." to prevent meta-data leakage.
+			 */
+			state->dosmode = FILE_ATTRIBUTE_DIRECTORY;
+		} else {
+			/*
+			 * This is a symlink in POSIX context.
+			 * FIXME ? Should we move to returning
+			 * FILE_ATTRIBUTE_REPARSE_POINT here ?
+			 */
+			state->dosmode = FILE_ATTRIBUTE_NORMAL;
+		}
 		tevent_req_done(req);
 		return tevent_req_post(req, ev);
 	}