Enable inadvertantly disabled "securenet" access controls in ypserv. [1]

Correct a bug in the handling of backslash characters in smbfs which can
allow an attacker to escape from a chroot(2). [2]

Approved by:	so (cperciva)
Security:	FreeBSD-SA-06:15.ypserv [1]
Security:	FreeBSD-SA-06:16.smbfs [2]

4 files changed, 38 insertions, 17 deletions

diff --git a/UPDATING b/UPDATING
index fbe7292c9c9b..6ee3c688c79f 100644
--- a/UPDATING
+++ b/UPDATING
@@ -8,6 +8,13 @@ Items affecting the ports and packages system can be found in
 /usr/ports/UPDATING.  Please read that file before running
 portupgrade.  Important recent entries: 20040724 (default X changes).
 
+20060531:	p15	FreeBSD-SA-06:15.ypserv, FreeBSD-SA-06:16.smbfs
+	Enable inadvertantly disabled "securenet" access controls in
+	ypserv. [06:15]
+
+	Correct a bug in the handling of backslash characters in smbfs
+	which can allow an attacker to escape from a chroot(2). [06:16]
+
 20060419:	p14	FreeBSD-SA-06:14.fpu
 	Correct a local information leakage bug affecting AMD FPUs.
 
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index 2c8d4731da45..9f8b16f01e80 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="5.4"
-BRANCH="RELEASE-p14"
+BRANCH="RELEASE-p15"
 RELEASE="${REVISION}-${BRANCH}"
 VERSION="${TYPE} ${RELEASE}"
 
diff --git a/sys/fs/smbfs/smbfs_vnops.c b/sys/fs/smbfs/smbfs_vnops.c
index 3ac2ffdca0d9..0102ee0f7446 100644
--- a/sys/fs/smbfs/smbfs_vnops.c
+++ b/sys/fs/smbfs/smbfs_vnops.c
@@ -1038,11 +1038,18 @@ smbfs_advlock(ap)
 static int
 smbfs_pathcheck(struct smbmount *smp, const char *name, int nmlen, int nameiop)
 {
-	static const char *badchars = "*/\\:<>;?";
+	static const char *badchars = "*/:<>;?";
 	static const char *badchars83 = " +|,[]=";
 	const char *cp;
 	int i, error;
 
+	/*
+	 * Backslash characters, being a path delimiter, are prohibited
+	 * within a path component even for LOOKUP operations.
+	 */
+	if (index(name, '\\') != NULL)
+		return ENOENT;
+
 	if (nameiop == LOOKUP)
 		return 0;
 	error = ENOENT;
diff --git a/usr.sbin/ypserv/yp_access.c b/usr.sbin/ypserv/yp_access.c
index b9063092c2cc..30ce7407c6e5 100644
--- a/usr.sbin/ypserv/yp_access.c
+++ b/usr.sbin/ypserv/yp_access.c
@@ -87,12 +87,6 @@ const char *yp_procs[] = {
 	"ypproc_maplist"
 };
 
-#ifdef TCP_WRAPPER
-void
-load_securenets(void)
-{
-}
-#else
 struct securenet {
 	struct in_addr net;
 	struct in_addr mask;
@@ -177,7 +171,6 @@ load_securenets(void)
 	fclose(fp);
 
 }
-#endif
 
 /*
  * Access control functions.
@@ -219,11 +212,12 @@ yp_access(const char *map, const struct svc_req *rqstp)
 #endif
 {
 	struct sockaddr_in *rqhost;
-	int status = 0;
+	int status_securenets = 0;
+#ifdef TCP_WRAPPER
+	int status_tcpwrap;
+#endif
 	static unsigned long oldaddr = 0;
-#ifndef TCP_WRAPPER
 	struct securenet *tmp;
-#endif
 	const char *yp_procedure = NULL;
 	char procbuf[50];
 
@@ -274,21 +268,34 @@ not privileged", map, inet_ntoa(rqhost->sin_addr), ntohs(rqhost->sin_port));
 	}
 
 #ifdef TCP_WRAPPER
-	status = hosts_ctl("ypserv", STRING_UNKNOWN,
+	status_tcpwrap = hosts_ctl("ypserv", STRING_UNKNOWN,
 			   inet_ntoa(rqhost->sin_addr), "");
-#else
+#endif
 	tmp = securenets;
 	while (tmp) {
 		if (((rqhost->sin_addr.s_addr & ~tmp->mask.s_addr)
 		    | tmp->net.s_addr) == rqhost->sin_addr.s_addr) {
-			status = 1;
+			status_securenets = 1;
 			break;
 		}
 		tmp = tmp->next;
 	}
-#endif
 
-	if (!status) {
+#ifdef TCP_WRAPPER
+	if (status_securenets == 0 || status_tcpwrap == 0) {
+#else
+	if (status_securenets == 0) {
+#endif
+	/*
+	 * One of the following two events occured:
+	 *
+	 * (1) The /var/yp/securenets exists and the remote host does not
+	 *     match any of the networks specified in it.
+	 * (2) The hosts.allow file has denied access and TCP_WRAPPER is
+	 *     defined.
+	 *
+	 * In either case deny access.
+	 */
 		if (rqhost->sin_addr.s_addr != oldaddr) {
 			yp_error("connect from %s:%d to procedure %s refused",
 					inet_ntoa(rqhost->sin_addr),