The patch titled
smbfs chroot issue (CVE-2006-1864)
has been removed from the -mm tree. Its filename is
smbfs-chroot-issue-cve-2006-1864.patch
This patch was probably dropped from -mm because
it has now been merged into a subsystem tree or
into Linus's tree, or because it was folded into
its parent patch in the -mm tree.
From: Olaf Kirch <okir@xxxxxxx>
Mark Moseley reported that a chroot environment on a SMB share can be left
via "cd ..\\". Similar to CVE-2006-1863 issue with cifs, this fix is for
smbfs.
Steven French <sfrench@xxxxxxxxxx> wrote:
Looks fine to me. This should catch the slash on lookup or equivalent,
which will be all obvious paths of interest.
Signed-off-by: Chris Wright <chrisw@xxxxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxx>
---
fs/smbfs/dir.c | 5 +++++
1 files changed, 5 insertions(+)
diff -puN fs/smbfs/dir.c~smbfs-chroot-issue-cve-2006-1864 fs/smbfs/dir.c
--- devel/fs/smbfs/dir.c~smbfs-chroot-issue-cve-2006-1864 2006-05-15 09:43:24.000000000 -0700
+++ devel-akpm/fs/smbfs/dir.c 2006-05-15 09:43:24.000000000 -0700
@@ -434,6 +434,11 @@ smb_lookup(struct inode *dir, struct den
if (dentry->d_name.len > SMB_MAXNAMELEN)
goto out;
+ /* Do not allow lookup of names with backslashes in */
+ error = -EINVAL;
+ if (memchr(dentry->d_name.name, '\\', dentry->d_name.len))
+ goto out;
+
lock_kernel();
error = smb_proc_getattr(dentry, &finfo);
#ifdef SMBFS_PARANOIA
_
Patches currently in -mm which might be from okir@xxxxxxx are
origin.patch
-
To unsubscribe from this list: send the line "unsubscribe mm-commits" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
