[PATCH] smbfs chroot issue (CVE-2006-1864) Mark Moseley reported that a chroot environment on a SMB share can be left via "cd ..\\". Similar to CVE-2006-1863 issue with cifs, this fix is for smbfs. Steven French <sfrench@us.ibm.com> wrote: Looks fine to me. This should catch the slash on lookup or equivalent, which will be all obvious paths of interest. Signed-off-by: Chris Wright <chrisw@sous-sol.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>

commit: 3b7c8108273bed41a2fc04533cc9f2026ff38c8e [log] [tgz]
author: Olaf Kirch <okir@suse.de> Mon May 15 09:43:57 2006 -0700
committer: Linus Torvalds <torvalds@g5.osdl.org> Mon May 15 11:20:55 2006 -0700
tree: d437254b0cd1b07ecc33631fea13ad79f925353b
parent: a7b862f663d81858531dfccc0537bc9d8a2a4121 [diff]
diff --git a/fs/smbfs/dir.c b/fs/smbfs/dir.c
index 34c7a11..70d9c5a 100644
--- a/fs/smbfs/dir.c
+++ b/fs/smbfs/dir.c

@@ -434,6 +434,11 @@
 	if (dentry->d_name.len > SMB_MAXNAMELEN)
 		goto out;
 
+	/* Do not allow lookup of names with backslashes in */
+	error = -EINVAL;
+	if (memchr(dentry->d_name.name, '\\', dentry->d_name.len))
+		goto out;
+
 	lock_kernel();
 	error = smb_proc_getattr(dentry, &finfo);
 #ifdef SMBFS_PARANOIA
commit	3b7c8108273bed41a2fc04533cc9f2026ff38c8e	[log] [tgz]
author	Olaf Kirch <okir@suse.de>	Mon May 15 09:43:57 2006 -0700
committer	Linus Torvalds <torvalds@g5.osdl.org>	Mon May 15 11:20:55 2006 -0700
tree	d437254b0cd1b07ecc33631fea13ad79f925353b
parent	a7b862f663d81858531dfccc0537bc9d8a2a4121 [diff]