48 lines
1.6 KiB
Diff
48 lines
1.6 KiB
Diff
From 8b26f634372f11edcbea33dfd68a3d57889dfcc5 Mon Sep 17 00:00:00 2001
|
|
From: Ralph Boehme <slow@samba.org>
|
|
Date: Tue, 1 Aug 2023 13:04:36 +0200
|
|
Subject: [PATCH] CVE-2023-4091: smbd: use open_access_mask for access check in
|
|
open_file()
|
|
|
|
If the client requested FILE_OVERWRITE[_IF], we're implicitly adding
|
|
FILE_WRITE_DATA to the open_access_mask in open_file_ntcreate(), but for the
|
|
access check we're using access_mask which doesn't contain the additional
|
|
right, which means we can end up truncating a file for which the user has
|
|
only read-only access via an SD.
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439
|
|
|
|
Signed-off-by: Ralph Boehme <slow@samba.org>
|
|
|
|
Conflict: remove the modification of selftest/knownfail.d/samba3.smb2.acls and context adapt
|
|
Reference: https://github.com/samba-team/samba/commit/8b26f634372f11edcbea33dfd68a3d57889dfcc5
|
|
---
|
|
source3/smbd/open.c | 4 ++--
|
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
|
|
index 951c8a9..913ca09 100644
|
|
--- a/source3/smbd/open.c
|
|
+++ b/source3/smbd/open.c
|
|
@@ -1240,7 +1240,7 @@ static NTSTATUS open_file(files_struct *fsp,
|
|
status = smbd_check_access_rights(conn,
|
|
smb_fname,
|
|
false,
|
|
- access_mask);
|
|
+ open_access_mask);
|
|
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
DEBUG(10, ("open_file: "
|
|
@@ -1381,7 +1381,7 @@ static NTSTATUS open_file(files_struct *fsp,
|
|
status = smbd_check_access_rights(conn,
|
|
smb_fname,
|
|
false,
|
|
- access_mask);
|
|
+ open_access_mask);
|
|
|
|
if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND) &&
|
|
(fsp->posix_flags & FSP_POSIX_FLAGS_OPEN) &&
|
|
--
|
|
2.33.0
|
|
|