authorColin Percival <cperciva@FreeBSD.org>2006-05-31 22:35:32 +0000
committerColin Percival <cperciva@FreeBSD.org>2006-05-31 22:35:32 +0000
commit7459678c59a36ca2523460a638e17bc1d0365eec (patch)
tree22c9139c3d4039851e7157cf1f4161713e02de50
parent16bd853276cbaaea5922bca3bebd2452b4a985f7 (diff)
Correct a bug in the handling of backslash characters in smbfs which can
allow an attacker to escape from a chroot(2).
[releng/4.10]

Approved by: so (cperciva)
Security: FreeBSD-SA-06:16.smbfs
Notes
Notes: svn path=/releng/4.10/; revision=159120
-rw-r--r--UPDATING4
-rw-r--r--sys/conf/newvers.sh2
-rw-r--r--sys/fs/smbfs/smbfs_vnops.c9
3 files changed, 13 insertions, 2 deletions
diff --git a/UPDATING b/UPDATING
index 8883ad7b41bd..9b1cb9935930 100644
--- a/UPDATING
+++ b/UPDATING
@@ -17,6 +17,10 @@ minimal number of processes, if possible, for that patch. For those
updates that don't have an advisory, or to be safe, you can do a full
build and install as described in the COMMON ITEMS section.
+20060531: p24 FreeBSD-SA-06:16.smbfs
+ Correct a bug in the handling of backslash characters in smbfs
+ which can allow an attacker to escape from a chroot(2).
+
20060419: p23 FreeBSD-SA-06:14.fpu
Correct a local information leakage bug affecting AMD FPUs.
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index 1dca0aafd682..80a460a774b1 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -36,7 +36,7 @@
TYPE="FreeBSD"
REVISION="4.10"
-BRANCH="RELEASE-p23"
+BRANCH="RELEASE-p24"
RELEASE="${REVISION}-${BRANCH}"
VERSION="${TYPE} ${RELEASE}"
diff --git a/sys/fs/smbfs/smbfs_vnops.c b/sys/fs/smbfs/smbfs_vnops.c
index ec7b381a0e0a..2588369cf873 100644
--- a/sys/fs/smbfs/smbfs_vnops.c
+++ b/sys/fs/smbfs/smbfs_vnops.c
@@ -1076,11 +1076,18 @@ smbfs_advlock(ap)
static int
smbfs_pathcheck(struct smbmount *smp, const char *name, int nmlen, int nameiop)
{
- static const char *badchars = "*/\\:<>;?";
+ static const char *badchars = "*/:<>;?";
static const char *badchars83 = " +|,[]=";
const char *cp;
int i, error;
+ /*
+ * Backslash characters, being a path delimiter, are prohibited
+ * within a path component even for LOOKUP operations.
+ */
+ if (index(name, '\\') != NULL)
+ return ENOENT;
+
if (nameiop == LOOKUP)
return 0;
error = ENOENT;
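Review bot: The added `index(name, '\\')` check scans up to the first NUL and ignores the `nmlen` argument that the signature passes alongside `name`. If callers pass a component pointer into a longer path buffer (not visible in this hunk), the scan also covers whatever follows the component. That fails closed, so it does not reopen the chroot escape, but it can return ENOENT for a component that contains no backslash itself. A length-bounded form such as `if (memchr(name, '\\', nmlen) != NULL) return ENOENT;` would tie the check to the component, assuming memchr is available in this kernel. The new comment could also say that the check is deliberately placed before the `nameiop == LOOKUP` early return; the body of smbfs_pathcheck continues past the end of the hunk.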