From 9b60e55018532fcc0871d5c3f78e7376e0a19cd5 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Mon, 5 Dec 2016 14:13:14 -0800
Subject: [PATCH 1/3] s3: smbd: rename - missing early error exit if source and destination prefixes are different.
Noticed by Michael Zeis .
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12460
Signed-off-by: Jeremy Allison
Reviewed-by: Ralph Boehme
(cherry picked from commit 2bfad1c9d3237ad8d174b7dc2d1e6e3c53fdb8dc)
---
 source3/smbd/reply.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index 0aec433..6ddfa4f 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -6812,6 +6812,7 @@ NTSTATUS rename_internals_fsp(connection_struct *conn,
 if (rename_path_prefix_equal(fsp->fsp_name, smb_fname_dst)) {
 status = NT_STATUS_ACCESS_DENIED;
+ goto out;
 }
 lck = get_existing_share_mode_lock(talloc_tos(), fsp->file_id);
--
2.8.0.rc3.226.g39d4020
From 9165b30e522bf06c21ff9d651b10321b5d6f33ee Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Mon, 5 Dec 2016 14:32:03 -0800
Subject: [PATCH 2/3] s3: smbd: Make check_parent_access() available to rename code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12460
Signed-off-by: Jeremy Allison
Reviewed-by: Ralph Boehme
(cherry picked from commit beb8a73e95e768565760f79c2a16586bafb4e58c)
---
 source3/smbd/open.c | 2 +-
 source3/smbd/proto.h | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index 9d10d19..e9bfdec 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -235,7 +235,7 @@ NTSTATUS smbd_check_access_rights(struct connection_struct *conn,
 return NT_STATUS_OK;
 }
-static NTSTATUS check_parent_access(struct connection_struct *conn,
+NTSTATUS check_parent_access(struct connection_struct *conn,
 struct smb_filename *smb_fname,
 uint32_t access_mask)
 {
diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h
index 352d28c..50ede9d 100644
--- a/source3/smbd/proto.h
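Review bot: The guard in rename_internals_fsp() (source3/smbd/reply.c, hunk at 6812) has no comment saying what it rejects, and the commit subject ("prefixes are different") reads as the opposite of the condition, which denies when rename_path_prefix_equal() returns true. A short comment above the `if` would keep the intent clear, for example `/* Source is a path prefix of the destination: deny and do not continue to the rename. */`; that wording assumes the helper behaves as its name suggests, since its body is not on this page. Before this change the NT_STATUS_ACCESS_DENIED value was presumably overwritten by later code, so a regression test for this case would be worth adding alongside the fix. The function starts and ends outside the hunk.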
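Review bot: check_parent_access() in source3/smbd/open.c loses `static` without gaining a contract comment, and the prototype added to source3/smbd/proto.h in the same patch has none either. Now that code outside open.c can call it, a comment above the definition should say which object is checked (presumably the parent directory of smb_fname), what access_mask is expected to contain, and which NTSTATUS values a caller has to treat as a denial. Only the signature is visible in this hunk; the body continues outside it.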
+++ b/source3/smbd/proto.h
@@ -642,6 +642,9 @@ NTSTATUS smbd_check_access_rights(struct connection_struct *conn,
 const struct smb_filename *smb_fname,
 bool use_privs,
 uint32_t access_mask);
+NTSTATUS check_parent_access(struct connection_struct *conn,
+ struct smb_filename *smb_fname,
+ uint32_t access_mask);
 NTSTATUS fd_open(struct connection_struct *conn, files_struct *fsp,
 int flags, mode_t mode);
 NTSTATUS fd_close(files_struct *fsp);
--
2.8.0.rc3.226.g39d4020
From f37952ce616e4b917e9ec464d8b037fc9c1c35ab Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Mon, 5 Dec 2016 14:32:55 -0800
Subject: [PATCH 3/3] s3: smbd: Add missing permissions check on destination folder.
Based on code from Michael Zeis .
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12460
Signed-off-by: Jeremy Allison
Reviewed-by: Ralph Boehme
(cherry picked from commit 91b591224ab7f8ea7b4594da9f61efef14353f7f)
---
 source3/smbd/reply.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index 6ddfa4f..6acbaca 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -6615,6 +6615,7 @@ NTSTATUS rename_internals_fsp(connection_struct *conn,
 struct smb_filename *smb_fname_dst = NULL;
 NTSTATUS status = NT_STATUS_OK;
 struct share_mode_lock *lck = NULL;
+ uint32_t access_mask = SEC_DIR_ADD_FILE;
 bool dst_exists, old_is_stream, new_is_stream;
 status = check_name(conn, smb_fname_dst_in->base_name);
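Review bot: The prototype added to source3/smbd/proto.h takes `struct smb_filename *smb_fname`, while the neighbouring smbd_check_access_rights() declares the same argument as `const struct smb_filename *smb_fname`. If check_parent_access() does not write through the pointer (its body is not on this page), declaring it `const struct smb_filename *smb_fname` here and at the definition in open.c would let callers pass const names and would state in the type that an access check leaves the name untouched.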
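Review bot: `access_mask` gets its default SEC_DIR_ADD_FILE in the declarations of rename_internals_fsp() (hunk at 6615), roughly two hundred lines before the only use this patch adds, in the hunk at 6816. Selecting both values at the point of use would keep the decision in one place: declare `uint32_t access_mask;` here and write `access_mask = S_ISDIR(fsp->fsp_name->st.st_ex_mode) ? SEC_DIR_ADD_SUBDIR : SEC_DIR_ADD_FILE;` immediately before the check_parent_access() call. The function body continues outside the hunk.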
@@ -6815,6 +6816,22 @@ NTSTATUS rename_internals_fsp(connection_struct *conn,
 goto out;
 }
+ /* Do we have rights to move into the destination ? */
+ if (S_ISDIR(fsp->fsp_name->st.st_ex_mode)) {
+ /* We're moving a directory. */
+ access_mask = SEC_DIR_ADD_SUBDIR;
+ }
+ status = check_parent_access(conn,
+ smb_fname_dst,
+ access_mask);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_INFO("check_parent_access on "
+ "dst %s returned %s\n",
+ smb_fname_str_dbg(smb_fname_dst),
+ nt_errstr(status));
+ goto out;
+ }
+
 lck = get_existing_share_mode_lock(talloc_tos(), fsp->file_id);
 /*
--
2.8.0.rc3.226.g39d4020
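Review bot: The test `S_ISDIR(fsp->fsp_name->st.st_ex_mode)` picks the access mask from the stat cached in fsp->fsp_name, and nothing in this hunk shows that the stat is valid or current at this point in rename_internals_fsp(). If it can be unset or stale, a directory move would be checked with SEC_DIR_ADD_FILE instead of SEC_DIR_ADD_SUBDIR, so the assumption deserves either a validity check before the test or a comment such as `/* fsp->fsp_name->st was filled in when the handle was opened; it selects the mask. */`, to be confirmed against the code outside the hunk. The check is placed before get_existing_share_mode_lock(), so a denial appears to reach `out` without the share mode lock held. The function starts and ends outside the hunk.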