From 4e501fd8a3d7b1224960a895553cb7554ab5263c Mon Sep 17 00:00:00 2001
From: cperciva <cperciva@FreeBSD.org>
Date: Wed, 31 May 2006 22:32:22 +0000
Subject: Enable inadvertantly disabled "securenet" access controls in ypserv.
 [1]

Correct a bug in the handling of backslash characters in smbfs which can
allow an attacker to escape from a chroot(2). [2]

Security:	FreeBSD-SA-06:15.ypserv [1]
Security:	FreeBSD-SA-06:16.smbfs [2]
---
 sys/fs/smbfs/smbfs_vnops.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

(limited to 'sys/fs/smbfs')

diff --git a/sys/fs/smbfs/smbfs_vnops.c b/sys/fs/smbfs/smbfs_vnops.c
index d741c06..ebdb309 100644
--- a/sys/fs/smbfs/smbfs_vnops.c
+++ b/sys/fs/smbfs/smbfs_vnops.c
@@ -1018,11 +1018,18 @@ smbfs_advlock(ap)
 static int
 smbfs_pathcheck(struct smbmount *smp, const char *name, int nmlen, int nameiop)
 {
-	static const char *badchars = "*/\\:<>;?";
+	static const char *badchars = "*/:<>;?";
 	static const char *badchars83 = " +|,[]=";
 	const char *cp;
 	int i, error;
 
+	/*
+	 * Backslash characters, being a path delimiter, are prohibited
+	 * within a path component even for LOOKUP operations.
+	 */
+	if (index(name, '\\') != NULL)
+		return ENOENT;
+
 	if (nameiop == LOOKUP)
 		return 0;
 	error = ENOENT;
-- 
cgit v1.1