[SCM] Samba Shared Repository - branch v3-0-test updated -
initial-v3-0-unstable-20-g14ecfec
Gerald (Jerry) Carter
jerry at samba.org
Thu Nov 15 17:03:36 GMT 2007
The branch, v3-0-test has been updated
via 14ecfecbdf3e631f87d83337e06060724deb7756 (commit)
via 63918ac0f0a3767237210182f0f35840db87242c (commit)
via 96e61fb89caa9e9d500c3006b83299a7938d0af7 (commit)
via 99eea67a5a1114e499ece00f8b68ccbf2ec4ae75 (commit)
via a7c6fe1e3cb4d66a48f43a49fe31778adace2332 (commit)
from 1cdf89a02af6e7a2deed3f59519af97c10dbdaa3 (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-0-test
- Log -----------------------------------------------------------------
commit 14ecfecbdf3e631f87d83337e06060724deb7756
Author: Gerald (Jerry) Carter <jerry at samba.org>
Date: Thu Nov 15 10:51:37 2007 -0600
Set release to 3.0.27a in development branch
commit 63918ac0f0a3767237210182f0f35840db87242c
Author: Gerald (Jerry) Carter <jerry at samba.org>
Date: Thu Nov 15 10:51:23 2007 -0600
Pull in release notes from 3.0.27 to the v3-0 development branch
commit 96e61fb89caa9e9d500c3006b83299a7938d0af7
Author: Gerald (Jerry) Carter <jerry at samba.org>
Date: Thu Nov 15 10:48:13 2007 -0600
Set version to 3.0.27a
commit 99eea67a5a1114e499ece00f8b68ccbf2ec4ae75
Author: Gerald (Jerry) Carter <jerry at samba.org>
Date: Wed Nov 14 20:54:44 2007 -0600
Fix for CVE-2007-4572
== Subject: Stack buffer overflow in nmbd's logon
== request processing.
==
== CVE ID#: CVE-2007-4572
==
== Versions: Samba 3.0.0 - 3.0.26a (inclusive)
...
Samba developers have discovered what is believed to be
a non-exploitable buffer over in nmbd during the processing
of GETDC logon server requests. This code is only used
when the Samba server is configured as a Primary or Backup
Domain Controller.
commit a7c6fe1e3cb4d66a48f43a49fe31778adace2332
Author: Gerald (Jerry) Carter <jerry at samba.org>
Date: Wed Nov 14 20:51:14 2007 -0600
Fix for CVE-2007-5398.
== Subject: Remote code execution in Samba's WINS
== server daemon (nmbd) when processing name
== registration followed name query requests.
==
== CVE ID#: CVE-2007-5398
==
== Versions: Samba 3.0.0 - 3.0.26a (inclusive)
...
Secunia Research reported a vulnerability that allows for
the execution of arbitrary code in nmbd. This defect may
only be exploited when the "wins support" parameter has
been enabled in smb.conf.
-----------------------------------------------------------------------
Summary of changes:
WHATSNEW.txt | 265 +++++++++++++++++++++++++++++++++++++++
source/VERSION | 4 +-
source/lib/charcnv.c | 4 +-
source/libsmb/ntlmssp_parse.c | 3 +-
source/nmbd/nmbd_packets.c | 6 +
source/nmbd/nmbd_processlogon.c | 89 +++++++++++--
source/smbd/lanman.c | 2 +-
7 files changed, 354 insertions(+), 19 deletions(-)
Changeset truncated at 500 lines:
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 5868036..d208c07 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,268 @@
+ ==============================
+ Release Notes for Samba 3.0.27
+ Nov 15, 2007
+ ==============================
+
+Samba 3.0.27 is a security release in order to address the following
+defects:
+
+ o CVS-2007-4572
+ Stack buffer overflow in nmbd's logon request processing.
+
+ o CVE-2007-5398
+ Remote code execution in Samba's WINS server daemon (nmbd)
+ when processing name registration followed name query requests.
+
+The original security announcement for this and past advisories can
+be found http://www.samba.org/samba/security/
+
+######################################################################
+Changes
+#######
+
+Changes since 3.0.26a
+---------------------
+
+o Jeremy Allison <jra at samba.org>
+ * Fix for CVS-2007-4572.
+ * Fix for CVE-2007-5398.
+
+
+o Simo Sorce <idra at samba.org>
+ * Additional fixes for CVS-2007-4572.
+
+
+Release notes for older releases follow:
+
+ --------------------------------------------------
+ ===============================
+ Release Notes for Samba 3.0.26a
+ Sep 11, 2007
+ ===============================
+
+Major bug fixes included in Samba 3.0.26a are:
+
+ o Memory leaks in Winbind's IDMap manager.
+
+
+######################################################################
+Changes
+#######
+
+Changes since 3.0.26
+--------------------
+
+o Michael Adam <obnox at samba.org>
+ * Fix read_sock() semantics in wb_common.c to address "invalid
+ request size" errors in winbindd logs.
+ * Fix use of pwrite() in tdb IO code paths.
+
+
+o Jeremy Allison <jra at samba.org>
+ * Fix logic error in timeout of blocking lock processing.
+
+
+o Guenther Deschner <gd at samba.org>
+ * Fix error code in the msrpc EnumerateDomainGroups() Winbind
+ method when a memory allocation fails.
+ * Fix Winbind initialization storms when contacting an older Samba DC.
+
+
+o Volker Lendecke <vl at samba.org>
+ * Fix compile failure in NFSv4 VFS module.
+ * Fix compile failures on True64.
+ * Fix compile failure in unmaintained python bindings.
+ * BUG 4917: Fix memory leaks in Winbind's idmap_ldap and
+ idmap_cache backends.
+ * Coverity fixes in the group mapping code.
+
+
+o Derrell Lipman <derrell at samba.org>
+ * Remove NetBIOS keepalives from libsmbclient and consolidate on
+ the use of getpeername() when checking connection health.
+ * Use formal syntax for invoking function pointers in
+ libsmbclient.
+
+
+o Lars Mueller <lars at samba.org>
+ * Fixes for Winbind's AD site support when the host is not
+ configured in any site or nor DC's are present within the host's
+ configured site.
+
+
+o Simo Sorce <idra at samba.org>
+ * Debian packaging updates for 3.0.25c.
+ * Add sanity checks for "smb ports" values.
+ * Fix compile issues related to the VFS "open" method and newer
+ glibc implementations.
+ * Fix a segv in smbldap_set_creds() when using an anonymous
+ connection.
+ * BUG 4772: Fix us of ldap_base_dn for the idmap_ldap plugin.
+
+
+Release notes for older releases follow:
+
+ --------------------------------------------------
+ ==============================
+ Release Notes for Samba 3.0.26
+ Sep 11, 2007
+ ==============================
+
+This is a security release of Samba 3.0 to address
+
+ o CVE-2007-4138
+ Versions: All Samba 3.0.25 releases
+ Incorrect primary group assignment for
+ domain users using the rfc2307 or sfu
+ winbind nss info plugin.
+
+The original security announcement for this and past advisories
+can be found http://www.samba.org/samba/security/
+
+######################################################################
+Changes
+#######
+
+Changes since 3.0.25c
+---------------------
+
+o Gerald (Jerry) Carter <jerry at samba.org>
+ * Fix CVE-2007-4138 in the "winbind nss info = {sfu | rfc2307}"
+ plugin (idmap_ad.c)
+
+
+ --------------------------------------------------
+ ===============================
+ Release Notes for Samba 3.0.25c
+ Aug 20, 2007
+ ===============================
+
+Major bug fixes included in Samba 3.0.25c are:
+
+ o File sharing with Widows 9x clients.
+ o Winbind running out of file descriptors due to stalled
+ child processes.
+ o MS-DFS inter-operability issues.
+
+
+######################################################################
+Changes
+#######
+
+Changes since 3.0.25b
+---------------------
+
+o Michael Adam <obnox at samba.org>
+ * Fix incorrect log messages in tdbbackup.
+ * Fix a bug in pwrite error detection in tdb_expand_file().
+
+
+o Jeremy Allison <jra at samba.org>
+ * BUG 4711: Make cli_connect() return NT_STATUS codes.
+ * Ensure we obey Unicode consortium restrictions. Based on
+ patch from MORIYAMA Masayuki.
+ * BUG 3204: Cope with stalled winbindd child processes and
+ prevent the parent winbindd process from running out of file
+ descriptors.
+ * Fix realloc leak on failure case from Jim Meyering.
+ * BUG 4759: Fix crash in ber_printf() caused invalid tag.
+ * BUG 4763: Limit notify responses to client max buf size.
+ * BUG 4777: Doing a DFS traverse through a deep link could fail
+ (not using explorer).
+ * BUG 4779: Setting the allocation size updates the modified
+ time as a write does.
+ * BUG 4308: Fix interaction with MS Excel and POSIX ACLs.
+ * Fix POSIX unlink bug found by the Linux CIFS fs client.
+ * Stop counting locks if we get a POSIX lock request.
+ * Fix interaction between Linux CIFS fs client and Windows
+ clients when the former tries to remove a file opened by the
+ latter.
+ * Fix incorrect mapping of invalid resume names in FindNext
+ commands.
+ * Cope with dead entries in the locking database tied to
+ non-existent processes (merge from 3.2-ctdb).
+ * Fix MS-DFS related renaming bug in smbclient.
+ * Fix for write cache corruption bug.
+ * Fix invalid vuid from being returned by a failed call to
+ cli_session_setup_spnego.().
+ * Fixes for error mappings from NT_STATUS to the appropriate DOS
+ error codes in reply_opeNXXX() calls.
+
+
+o Ofir Azoulay <Ofir.Azoulay at expand.com>
+ * Only look at errno set by SMB_VFS_CLOSE() if the call actually
+ failed.
+
+
+o Alexander Bokovoy <ab at samba.org>
+ * Fix vfs_readahead: transparent modules should always pass
+ through.
+
+
+o David S. Collier-Brown <davecb at spamcop.net>
+ * BUG 4897: Fix Solaris xattr misdeclarations.
+
+
+o Guenther Deschner <gd at samba.org>
+ * Remove redundant pointer checks when freeing memory in winbindd.
+ * BUG 4408: Remove last traces of Heimdal KCM support.
+ * Fix bug in user Krb5 ticket refresh feature in winbindd.
+ * Fix Heimdal path in the krb5 renew routine.
+ * Unused code cleanup in winbindd.
+
+
+o SATOH Fumiyasu <fumiyas at osstech.co.jp>
+ * BUG 4750: smbc_telldir_ctx() was not returning a value useful
+ to smbc_lseekdir_ctx().
+
+
+o Bjoern Jacke <bj at sernet.de>
+ * Add support for Extended Attributes on Solaris.
+
+
+o Matthijs Kooijman <matthijs at stdin.nl>
+ * BUG 4836: Fix incorrect log message in the nss_info
+ plugin init call.
+ * BUG 4849: Fix "net ads dns register" usage text.
+
+
+o Volker Lendecke <vl at samba.org>
+ * Port cli_connect() NT_STATUS fixes to smbmount.
+ * Add notes about smbfs/cifs to usage() in smb[u]mount.
+ * BUG 4792: Fix pidfile name bug.
+ * Fix missing END_PROFILE() call in the SMBunlink reply.
+ * Coverity fixes.
+ * Correct logic error in change notify code that would result in
+ an endless loop.
+ * Fix uninitialized reads in the spoolss GetPrinterData() replies.
+ * Fix file overwrites from Windows 9x clients.
+
+
+o Herb Lewis <herb at samba.org>
+ * Unused code cleanup.
+ * Avoid a crash in "net rpc info" when no username has
+ been specified.
+ * Remove biconv detection on *BSD.
+
+
+o Derrell Lipman <derrell at samba.org>
+ * Get/Set ACL fixes in libsmbclient.
+
+
+o Jan Martin <Jan.Martin at rwedea.com>
+ * BUG 4860: Patches for fixing MS-DFS links with trailing
+ back slashes.
+
+
+o Jim McDonough <jmcd at us.ibm.com>
+ * BUG 4719: "Must change password" is not set from usrmgr.exe.
+
+
+o Atsushi Nakabayashi <nakabayashi at miraclelinux.com>
+ * Ensure proper exit when nmbd is unable to reopen the wins.tdb.
+ * Fix error path memleaks in the messaging subsystem.
+
+ --------------------------------------------------
===============================
Release Notes for Samba 3.0.25b
June 20, 2007
diff --git a/source/VERSION b/source/VERSION
index dac2ecd..002f246 100644
--- a/source/VERSION
+++ b/source/VERSION
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=3
SAMBA_VERSION_MINOR=0
-SAMBA_VERSION_RELEASE=26
+SAMBA_VERSION_RELEASE=27
########################################################
# Bug fix releases use a letter for the patch revision #
@@ -36,7 +36,7 @@ SAMBA_VERSION_RELEASE=26
# e.g. SAMBA_VERSION_REVISION=a #
# -> "2.2.8a" #
########################################################
-SAMBA_VERSION_REVISION=b
+SAMBA_VERSION_REVISION=
########################################################
# For 'pre' releases the version will be #
diff --git a/source/lib/charcnv.c b/source/lib/charcnv.c
index 8d5fbc8..2341429 100644
--- a/source/lib/charcnv.c
+++ b/source/lib/charcnv.c
@@ -872,9 +872,9 @@ size_t push_ascii(void *dest, const char *src, size_t dest_len, int flags)
size_t src_len = strlen(src);
pstring tmpbuf;
- /* treat a pstring as "unlimited" length */
+ /* No longer allow a length of -1 */
if (dest_len == (size_t)-1)
- dest_len = sizeof(pstring);
+ smb_panic("push_ascii - dest_len == -1");
if (flags & STR_UPPER) {
pstrcpy(tmpbuf, src);
diff --git a/source/libsmb/ntlmssp_parse.c b/source/libsmb/ntlmssp_parse.c
index e715048..38a65d3 100644
--- a/source/libsmb/ntlmssp_parse.c
+++ b/source/libsmb/ntlmssp_parse.c
@@ -152,7 +152,8 @@ BOOL msrpc_gen(DATA_BLOB *blob,
break;
case 'C':
s = va_arg(ap, char *);
- head_ofs += push_string(NULL, blob->data+head_ofs, s, -1,
+ n = str_charnum(s) + 1;
+ head_ofs += push_string(NULL, blob->data+head_ofs, s, n,
STR_ASCII|STR_TERMINATE);
break;
}
diff --git a/source/nmbd/nmbd_packets.c b/source/nmbd/nmbd_packets.c
index 87a38b9..bbcc1ec 100644
--- a/source/nmbd/nmbd_packets.c
+++ b/source/nmbd/nmbd_packets.c
@@ -963,6 +963,12 @@ for id %hu\n", packet_type, nmb_namestr(&orig_nmb->question.question_name),
nmb->answers->ttl = ttl;
if (data && len) {
+ if (len < 0 || len > sizeof(nmb->answers->rdata)) {
+ DEBUG(5,("reply_netbios_packet: "
+ "invalid packet len (%d)\n",
+ len ));
+ return;
+ }
nmb->answers->rdlength = len;
memcpy(nmb->answers->rdata, data, len);
}
diff --git a/source/nmbd/nmbd_processlogon.c b/source/nmbd/nmbd_processlogon.c
index 1672b03..05e82a4 100644
--- a/source/nmbd/nmbd_processlogon.c
+++ b/source/nmbd/nmbd_processlogon.c
@@ -135,7 +135,9 @@ logons are not enabled.\n", inet_ntoa(p->ip) ));
fstrcpy(reply_name, "\\\\");
fstrcat(reply_name, my_name);
- push_ascii_fstring(q, reply_name);
+ push_ascii(q,reply_name,
+ sizeof(outbuf)-PTR_DIFF(q, outbuf),
+ STR_TERMINATE);
q = skip_string(outbuf,sizeof(outbuf),q); /* PDC name */
SSVAL(q, 0, token);
@@ -231,7 +233,9 @@ logons are not enabled.\n", inet_ntoa(p->ip) ));
q += 2;
fstrcpy(reply_name,my_name);
- push_ascii_fstring(q, reply_name);
+ push_ascii(q, reply_name,
+ sizeof(outbuf)-PTR_DIFF(q, outbuf),
+ STR_TERMINATE);
q = skip_string(outbuf,sizeof(outbuf),q); /* PDC name */
/* PDC and domain name */
@@ -239,8 +243,15 @@ logons are not enabled.\n", inet_ntoa(p->ip) ));
/* Make a full reply */
q = ALIGN2(q, outbuf);
- q += dos_PutUniCode(q, my_name, sizeof(pstring), True); /* PDC name */
- q += dos_PutUniCode(q, lp_workgroup(),sizeof(pstring), True); /* Domain name*/
+ q += dos_PutUniCode(q, my_name,
+ sizeof(outbuf) - PTR_DIFF(q, outbuf),
+ True); /* PDC name */
+ q += dos_PutUniCode(q, lp_workgroup(),
+ sizeof(outbuf) - PTR_DIFF(q, outbuf),
+ True); /* Domain name*/
+ if (sizeof(outbuf) - PTR_DIFF(q, outbuf) < 8) {
+ return;
+ }
SIVAL(q, 0, 1); /* our nt version */
SSVAL(q, 4, 0xffff); /* our lmnttoken */
SSVAL(q, 6, 0xffff); /* our lm20token */
@@ -376,9 +387,15 @@ reporting %s domain %s 0x%x ntversion=%x lm_nt token=%x lm_20 token=%x\n",
q += 2;
- q += dos_PutUniCode(q, reply_name,sizeof(pstring), True);
- q += dos_PutUniCode(q, ascuser, sizeof(pstring), True);
- q += dos_PutUniCode(q, lp_workgroup(),sizeof(pstring), True);
+ q += dos_PutUniCode(q, reply_name,
+ sizeof(outbuf) - PTR_DIFF(q, outbuf),
+ True);
+ q += dos_PutUniCode(q, ascuser,
+ sizeof(outbuf) - PTR_DIFF(q, outbuf),
+ True);
+ q += dos_PutUniCode(q, lp_workgroup(),
+ sizeof(outbuf) - PTR_DIFF(q, outbuf),
+ True);
}
#ifdef HAVE_ADS
else {
@@ -394,6 +411,9 @@ reporting %s domain %s 0x%x ntversion=%x lm_nt token=%x lm_20 token=%x\n",
get_mydnsdomname(domain);
get_myname(hostname);
+ if (sizeof(outbuf) - PTR_DIFF(q, outbuf) < 8) {
+ return;
+ }
if (SVAL(uniuser, 0) == 0) {
SIVAL(q, 0, SAMLOGON_AD_UNK_R); /* user unknown */
} else {
@@ -406,6 +426,9 @@ reporting %s domain %s 0x%x ntversion=%x lm_nt token=%x lm_20 token=%x\n",
q += 4;
/* Push Domain GUID */
+ if (sizeof(outbuf) - PTR_DIFF(q, outbuf) < UUID_FLAT_SIZE) {
+ return;
+ }
if (False == secrets_fetch_domain_guid(domain, &domain_guid)) {
DEBUG(2, ("Could not fetch DomainGUID for %s\n", domain));
return;
@@ -421,12 +444,20 @@ reporting %s domain %s 0x%x ntversion=%x lm_nt token=%x lm_20 token=%x\n",
q1 = q;
while ((component = strtok(dc, "."))) {
dc = NULL;
- size = push_ascii(&q[1], component, -1, 0);
+ if (sizeof(outbuf) - PTR_DIFF(q, outbuf) < 1) {
+ return;
+ }
+ size = push_ascii(&q[1], component,
+ sizeof(outbuf) - PTR_DIFF(q+1, outbuf),
+ 0);
SCVAL(q, 0, size);
q += (size + 1);
}
/* Unk0 */
+ if (sizeof(outbuf) - PTR_DIFF(q, outbuf) < 4) {
+ return;
+ }
SCVAL(q, 0, 0);
q++;
@@ -436,44 +467,72 @@ reporting %s domain %s 0x%x ntversion=%x lm_nt token=%x lm_20 token=%x\n",
q += 2;
/* Hostname */
- size = push_ascii(&q[1], hostname, -1, 0);
+ size = push_ascii(&q[1], hostname,
+ sizeof(outbuf) - PTR_DIFF(q+1, outbuf),
+ 0);
SCVAL(q, 0, size);
q += (size + 1);
+
+ if (sizeof(outbuf) - PTR_DIFF(q, outbuf) < 3) {
+ return;
+ }
+
SCVAL(q, 0, 0xc0 | ((str_offset >> 8) & 0x3F));
SCVAL(q, 1, str_offset & 0xFF);
q += 2;
/* NETBIOS of domain */
- size = push_ascii(&q[1], lp_workgroup(), -1, STR_UPPER);
+ size = push_ascii(&q[1], lp_workgroup(),
+ sizeof(outbuf) - PTR_DIFF(q+1, outbuf),
+ STR_UPPER);
SCVAL(q, 0, size);
q += (size + 1);
/* Unk1 */
+ if (sizeof(outbuf) - PTR_DIFF(q, outbuf) < 2) {
+ return;
+ }
SCVAL(q, 0, 0);
q++;
/* NETBIOS of hostname */
- size = push_ascii(&q[1], my_name, -1, 0);
+ size = push_ascii(&q[1], my_name,
+ sizeof(outbuf) - PTR_DIFF(q+1, outbuf),
+ 0);
SCVAL(q, 0, size);
q += (size + 1);
/* Unk2 */
+ if (sizeof(outbuf) - PTR_DIFF(q, outbuf) < 4) {
+ return;
+ }
SCVAL(q, 0, 0);
q++;
/* User name */
if (SVAL(uniuser, 0) != 0) {
- size = push_ascii(&q[1], ascuser, -1, 0);
+ size = push_ascii(&q[1], ascuser,
--
Samba Shared Repository
More information about the samba-cvs
mailing list