[SCM] Samba Shared Repository - branch v3-0-test updated - initial-v3-0-unstable-20-g14ecfec

Gerald (Jerry) Carter jerry at samba.org
Thu Nov 15 17:03:36 GMT 2007


The branch, v3-0-test has been updated
       via  14ecfecbdf3e631f87d83337e06060724deb7756 (commit)
       via  63918ac0f0a3767237210182f0f35840db87242c (commit)
       via  96e61fb89caa9e9d500c3006b83299a7938d0af7 (commit)
       via  99eea67a5a1114e499ece00f8b68ccbf2ec4ae75 (commit)
       via  a7c6fe1e3cb4d66a48f43a49fe31778adace2332 (commit)
      from  1cdf89a02af6e7a2deed3f59519af97c10dbdaa3 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-0-test


- Log -----------------------------------------------------------------
commit 14ecfecbdf3e631f87d83337e06060724deb7756
Author: Gerald (Jerry) Carter <jerry at samba.org>
Date:   Thu Nov 15 10:51:37 2007 -0600

    Set release to 3.0.27a in development branch

commit 63918ac0f0a3767237210182f0f35840db87242c
Author: Gerald (Jerry) Carter <jerry at samba.org>
Date:   Thu Nov 15 10:51:23 2007 -0600

    Pull in release notes from 3.0.27 to the v3-0 development branch

commit 96e61fb89caa9e9d500c3006b83299a7938d0af7
Author: Gerald (Jerry) Carter <jerry at samba.org>
Date:   Thu Nov 15 10:48:13 2007 -0600

    Set version to 3.0.27a

commit 99eea67a5a1114e499ece00f8b68ccbf2ec4ae75
Author: Gerald (Jerry) Carter <jerry at samba.org>
Date:   Wed Nov 14 20:54:44 2007 -0600

    Fix for CVE-2007-4572
    
    == Subject:     Stack buffer overflow in nmbd's logon
    ==              request processing.
    ==
    == CVE ID#:     CVE-2007-4572
    ==
    == Versions:    Samba 3.0.0 - 3.0.26a (inclusive)
    
    ...
    Samba developers have discovered what is believed to be
    a non-exploitable buffer over in nmbd during the processing
    of GETDC logon server requests.  This code is only used
    when the Samba server is configured as a Primary or Backup
    Domain Controller.

commit a7c6fe1e3cb4d66a48f43a49fe31778adace2332
Author: Gerald (Jerry) Carter <jerry at samba.org>
Date:   Wed Nov 14 20:51:14 2007 -0600

    Fix for CVE-2007-5398.
    
    == Subject:     Remote code execution in Samba's WINS
    ==              server daemon (nmbd) when processing name
    ==              registration followed by name query requests.
    ==
    == CVE ID#:     CVE-2007-5398
    ==
    == Versions:    Samba 3.0.0 - 3.0.26a (inclusive)
    ...
    Secunia Research reported a vulnerability that allows for
    the execution of arbitrary code in nmbd.  This defect may
    only be exploited when the "wins support" parameter has
    been enabled in smb.conf.

-----------------------------------------------------------------------

Summary of changes:
 WHATSNEW.txt                    |  265 +++++++++++++++++++++++++++++++++++++++
 source/VERSION                  |    4 +-
 source/lib/charcnv.c            |    4 +-
 source/libsmb/ntlmssp_parse.c   |    3 +-
 source/nmbd/nmbd_packets.c      |    6 +
 source/nmbd/nmbd_processlogon.c |   89 +++++++++++--
 source/smbd/lanman.c            |    2 +-
 7 files changed, 354 insertions(+), 19 deletions(-)


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 5868036..d208c07 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,268 @@
+                   ==============================
+                   Release Notes for Samba 3.0.27
+                            Nov 15, 2007
+                   ==============================
+
+Samba 3.0.27 is a security release in order to address the following
+defects:
+
+  o CVS-2007-4572
+    Stack buffer overflow in nmbd's logon request processing.
+
+  o CVE-2007-5398
+    Remote code execution in Samba's WINS server daemon (nmbd) 
+    when processing name registration followed name query requests.
+
+The original security announcement for this and past advisories can 
+be found http://www.samba.org/samba/security/
+
+######################################################################
+Changes
+#######
+
+Changes since 3.0.26a
+---------------------
+
+o   Jeremy Allison <jra at samba.org>
+    * Fix for CVS-2007-4572.
+    * Fix for CVE-2007-5398.
+
+
+o   Simo Sorce <idra at samba.org>
+    * Additional fixes for CVS-2007-4572.
+
+
+Release notes for older releases follow:
+
+      --------------------------------------------------
+                   ===============================
+                   Release Notes for Samba 3.0.26a
+                             Sep 11, 2007
+                   ===============================
+
+Major bug fixes included in Samba 3.0.26a are:
+
+  o Memory leaks in Winbind's IDMap manager.
+
+
+######################################################################
+Changes
+#######
+
+Changes since 3.0.26
+--------------------
+
+o   Michael Adam <obnox at samba.org>
+    * Fix read_sock() semantics in wb_common.c to address "invalid
+      request size" errors in winbindd logs.
+    * Fix use of pwrite() in tdb IO code paths.
+
+     
+o   Jeremy Allison <jra at samba.org>
+    * Fix logic error in timeout of blocking lock processing.
+
+
+o   Guenther Deschner <gd at samba.org>
+    * Fix error code in the msrpc EnumerateDomainGroups() Winbind
+      method when a memory allocation fails.
+    * Fix Winbind initialization storms when contacting an older Samba DC.
+
+    
+o   Volker Lendecke <vl at samba.org>
+    * Fix compile failure in NFSv4 VFS module.
+    * Fix compile failures on True64.
+    * Fix compile failure in unmaintained python bindings.
+    * BUG 4917: Fix memory leaks in Winbind's idmap_ldap and
+      idmap_cache backends.
+    * Coverity fixes in the group mapping code.
+
+
+o   Derrell Lipman <derrell at samba.org>
+    * Remove NetBIOS keepalives from libsmbclient and consolidate on
+      the use of getpeername() when checking connection health.
+    * Use formal syntax for invoking function pointers in
+      libsmbclient.
+
+
+o   Lars Mueller <lars at samba.org>
+    * Fixes for Winbind's AD site support when the host is not
+      configured in any site or nor DC's are present within the host's
+      configured site.
+
+
+o   Simo Sorce <idra at samba.org>
+    * Debian packaging updates for 3.0.25c.
+    * Add sanity checks for "smb ports" values.
+    * Fix compile issues related to the VFS "open" method and newer
+      glibc implementations.
+    * Fix a segv in smbldap_set_creds() when using an anonymous
+      connection.
+    * BUG 4772: Fix us of ldap_base_dn for the idmap_ldap plugin.
+
+
+Release notes for older releases follow:
+
+      --------------------------------------------------
+                   ==============================
+                   Release Notes for Samba 3.0.26
+                             Sep 11, 2007
+                   ==============================
+
+This is a security release of Samba 3.0 to address
+
+  o CVE-2007-4138
+	Versions: All Samba 3.0.25 releases
+	Incorrect primary group assignment for
+	domain users using the rfc2307 or sfu
+	winbind nss info plugin.
+
+The original security announcement for this and past advisories
+can be found http://www.samba.org/samba/security/
+
+######################################################################
+Changes
+#######
+
+Changes since 3.0.25c
+---------------------
+
+o   Gerald (Jerry) Carter <jerry at samba.org>
+    * Fix CVE-2007-4138 in the "winbind nss info = {sfu | rfc2307}"
+      plugin (idmap_ad.c)
+
+
+      --------------------------------------------------
+                   ===============================
+                   Release Notes for Samba 3.0.25c
+                             Aug 20, 2007
+                   ===============================
+
+Major bug fixes included in Samba 3.0.25c are:
+
+  o File sharing with Widows 9x clients.
+  o Winbind running out of file descriptors due to stalled 
+    child processes.
+  o MS-DFS inter-operability issues.
+
+
+######################################################################
+Changes
+#######
+
+Changes since 3.0.25b
+---------------------
+
+o   Michael Adam <obnox at samba.org>
+    * Fix incorrect log messages in tdbbackup.
+    * Fix a bug in pwrite error detection in tdb_expand_file().
+
+
+o   Jeremy Allison <jra at samba.org>
+    * BUG 4711: Make cli_connect() return NT_STATUS codes.
+    * Ensure we obey Unicode consortium restrictions.  Based on 
+      patch from MORIYAMA Masayuki.
+    * BUG 3204: Cope with stalled winbindd child processes and 
+      prevent the parent winbindd process from running out of file  
+      descriptors.
+    * Fix realloc leak on failure case from Jim Meyering.
+    * BUG 4759: Fix crash in ber_printf() caused invalid tag.
+    * BUG 4763: Limit notify responses to client max buf size.      
+    * BUG 4777: Doing a DFS traverse through a deep link could fail
+      (not using explorer).
+    * BUG 4779: Setting the allocation size updates the modified 
+      time as a write does.
+    * BUG 4308: Fix interaction with MS Excel and POSIX ACLs.
+    * Fix POSIX unlink bug found by the Linux CIFS fs client.
+    * Stop counting locks if we get a POSIX lock request.
+    * Fix interaction between Linux CIFS fs client and Windows
+      clients when the former tries to remove a file opened by the 
+      latter.
+    * Fix incorrect mapping of invalid resume names in FindNext 
+      commands.
+    * Cope with dead entries in the locking database tied to 
+      non-existent processes (merge from 3.2-ctdb).
+    * Fix MS-DFS related renaming bug in smbclient.
+    * Fix for write cache corruption bug.
+    * Fix invalid vuid from being returned by a failed call to
+      cli_session_setup_spnego.().
+    * Fixes for error mappings from NT_STATUS to the appropriate DOS
+      error codes in reply_opeNXXX() calls.
+
+
+o   Ofir Azoulay <Ofir.Azoulay at expand.com>
+    * Only look at errno set by SMB_VFS_CLOSE() if the call actually 
+      failed.
+
+
+o   Alexander Bokovoy <ab at samba.org>
+    * Fix vfs_readahead: transparent modules should always pass 
+      through.
+
+
+o   David S. Collier-Brown <davecb at spamcop.net>
+    * BUG 4897: Fix Solaris xattr misdeclarations.
+
+
+o   Guenther Deschner <gd at samba.org>
+    * Remove redundant pointer checks when freeing memory in winbindd.
+    * BUG 4408: Remove last traces of Heimdal KCM support.
+    * Fix bug in user Krb5 ticket refresh feature in winbindd.
+    * Fix Heimdal path in the krb5 renew routine.
+    * Unused code cleanup in winbindd.
+
+
+o   SATOH Fumiyasu <fumiyas at osstech.co.jp>
+    * BUG 4750: smbc_telldir_ctx() was not returning a value useful 
+      to smbc_lseekdir_ctx().
+
+
+o   Bjoern Jacke <bj at sernet.de>
+    * Add support for Extended Attributes on Solaris.
+
+
+o   Matthijs Kooijman <matthijs at stdin.nl>
+    * BUG 4836: Fix incorrect log message in the nss_info 
+      plugin init call.
+    * BUG 4849: Fix "net ads dns register" usage text.
+
+
+o   Volker Lendecke <vl at samba.org>
+    * Port cli_connect() NT_STATUS fixes to smbmount.
+    * Add notes about smbfs/cifs to usage() in smb[u]mount.
+    * BUG 4792: Fix pidfile name bug.
+    * Fix missing END_PROFILE() call in the SMBunlink reply.
+    * Coverity fixes.
+    * Correct logic error in change notify code that would result in 
+      an endless loop.
+    * Fix uninitialized reads in the spoolss GetPrinterData() replies.
+    * Fix file overwrites from Windows 9x clients.
+
+
+o   Herb Lewis <herb at samba.org>
+    * Unused code cleanup.
+    * Avoid a crash in "net rpc info" when no username has 
+      been specified.
+    * Remove biconv detection on *BSD.
+
+
+o   Derrell Lipman <derrell at samba.org>
+    * Get/Set ACL fixes in libsmbclient.
+
+
+o   Jan Martin <Jan.Martin at rwedea.com>
+    * BUG 4860: Patches for fixing MS-DFS links with trailing 
+      back slashes.
+
+
+o   Jim McDonough <jmcd at us.ibm.com>
+    * BUG 4719: "Must change password" is not set from usrmgr.exe.
+
+
+o   Atsushi Nakabayashi <nakabayashi at miraclelinux.com>
+    * Ensure proper exit when nmbd is unable to reopen the wins.tdb.
+    * Fix error path memleaks in the messaging subsystem.
+
+      --------------------------------------------------
                    ===============================
                    Release Notes for Samba 3.0.25b
                              June 20, 2007
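Review bot: the advisory identifier is misspelled as "CVS-2007-4572" in three places in this hunk (the defect list under "Samba 3.0.27 is a security release", Jeremy Allison's entry and Simo Sorce's entry under "Changes since 3.0.26a"); the commit message and the 3.0.26 notes use the correct form "CVE-2007-4572", and a wrong identifier in WHATSNEW.txt defeats anyone grepping release notes or changelogs for the CVE. While here: "processing name registration followed name query requests" should read "followed by name query requests", "can be found http://www.samba.org/samba/security/" is missing "at", and "Widows 9x" in the 3.0.25c notes should be "Windows 9x".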
diff --git a/source/VERSION b/source/VERSION
index dac2ecd..002f246 100644
--- a/source/VERSION
+++ b/source/VERSION
@@ -25,7 +25,7 @@
 ########################################################
 SAMBA_VERSION_MAJOR=3
 SAMBA_VERSION_MINOR=0
-SAMBA_VERSION_RELEASE=26
+SAMBA_VERSION_RELEASE=27
 
 ########################################################
 # Bug fix releases use a letter for the patch revision #
@@ -36,7 +36,7 @@ SAMBA_VERSION_RELEASE=26
 # e.g. SAMBA_VERSION_REVISION=a                        #
 #  ->  "2.2.8a"                                        #
 ########################################################
-SAMBA_VERSION_REVISION=b
+SAMBA_VERSION_REVISION=
 
 ########################################################
 # For 'pre' releases the version will be               #
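Review bot: with SAMBA_VERSION_REVISION left empty this hunk yields the version string "3.0.27", while two commit messages in this push say "Set version to 3.0.27a" and "Set release to 3.0.27a in development branch"; either this line should be `SAMBA_VERSION_REVISION=a` or the suffix is set further down in VERSION, which the truncated changeset does not show. Worth confirming before tagging, since packagers and vulnerability scanners key security updates off this exact string.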
diff --git a/source/lib/charcnv.c b/source/lib/charcnv.c
index 8d5fbc8..2341429 100644
--- a/source/lib/charcnv.c
+++ b/source/lib/charcnv.c
@@ -872,9 +872,9 @@ size_t push_ascii(void *dest, const char *src, size_t dest_len, int flags)
 	size_t src_len = strlen(src);
 	pstring tmpbuf;
 
-	/* treat a pstring as "unlimited" length */
+	/* No longer allow a length of -1 */
 	if (dest_len == (size_t)-1)
-		dest_len = sizeof(pstring);
+		smb_panic("push_ascii - dest_len == -1");
 
 	if (flags & STR_UPPER) {
 		pstrcpy(tmpbuf, src);
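Review bot: replacing the "unlimited" pstring fallback with smb_panic() is the right direction, since a dest_len of -1 was what let push_ascii() write past fixed-size buffers in nmbd_processlogon.c, but it turns any caller that still passes -1 from a silent overflow into a remotely reachable daemon abort. The push_ascii(..., -1, ...) callers visible in this changeset (ntlmssp_parse.c via push_string, and nmbd_processlogon.c) are converted; every other push_ascii() and push_string() caller in the tree needs the same audit before this lands, and the new comment should say why -1 is refused ("dest_len must be the real destination size") rather than only "No longer allow a length of -1".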
diff --git a/source/libsmb/ntlmssp_parse.c b/source/libsmb/ntlmssp_parse.c
index e715048..38a65d3 100644
--- a/source/libsmb/ntlmssp_parse.c
+++ b/source/libsmb/ntlmssp_parse.c
@@ -152,7 +152,8 @@ BOOL msrpc_gen(DATA_BLOB *blob,
 			break;
 		case 'C':
 			s = va_arg(ap, char *);
-			head_ofs += push_string(NULL, blob->data+head_ofs, s, -1, 
+			n = str_charnum(s) + 1;
+			head_ofs += push_string(NULL, blob->data+head_ofs, s, n,
 						STR_ASCII|STR_TERMINATE);
 			break;
 		}
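Review bot: `n` is assigned in the "case 'C':" branch but its declaration is not in the visible context; confirm it is a size_t in scope of msrpc_gen() rather than a narrower int. Also, `str_charnum(s) + 1` bounds the copy by the source string rather than by the space remaining in blob->data, so it avoids the smb_panic() that push_ascii() now raises for -1 but is not itself a destination bounds check; that is only safe if msrpc_gen() sizes the blob from the same format string in an earlier pass, and a comment saying so would help the next reader.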
diff --git a/source/nmbd/nmbd_packets.c b/source/nmbd/nmbd_packets.c
index 87a38b9..bbcc1ec 100644
--- a/source/nmbd/nmbd_packets.c
+++ b/source/nmbd/nmbd_packets.c
@@ -963,6 +963,12 @@ for id %hu\n", packet_type, nmb_namestr(&orig_nmb->question.question_name),
 	nmb->answers->ttl      = ttl;
   
 	if (data && len) {
+		if (len < 0 || len > sizeof(nmb->answers->rdata)) {
+			DEBUG(5,("reply_netbios_packet: "
+				"invalid packet len (%d)\n",
+				len ));
+			return;
+		}
 		nmb->answers->rdlength = len;
 		memcpy(nmb->answers->rdata, data, len);
 	}
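Review bot: `len` is compared against sizeof(nmb->answers->rdata), so if `len` is an int the `len > sizeof(...)` test promotes it to unsigned and a negative value is already rejected there; the explicit `len < 0` test is then redundant but harmless, and the mixed comparison will draw a signed/unsigned warning on most compilers. Writing `len < 0 || (size_t)len > sizeof(nmb->answers->rdata)` keeps the intent clear and quiet. Consider also logging this at a lower DEBUG level than 5: a reply whose rdata would not fit is the kind of condition the CVE-2007-5398 fix in this push guards against, and operators will want it visible in default logs.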
diff --git a/source/nmbd/nmbd_processlogon.c b/source/nmbd/nmbd_processlogon.c
index 1672b03..05e82a4 100644
--- a/source/nmbd/nmbd_processlogon.c
+++ b/source/nmbd/nmbd_processlogon.c
@@ -135,7 +135,9 @@ logons are not enabled.\n", inet_ntoa(p->ip) ));
 
 				fstrcpy(reply_name, "\\\\");
 				fstrcat(reply_name, my_name);
-				push_ascii_fstring(q, reply_name);
+				push_ascii(q,reply_name,
+						sizeof(outbuf)-PTR_DIFF(q, outbuf),
+						STR_TERMINATE);
 				q = skip_string(outbuf,sizeof(outbuf),q); /* PDC name */
 
 				SSVAL(q, 0, token);
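Review bot: push_ascii() now receives the real remaining space and STR_TERMINATE, which closes the overflow, but its return value is discarded and `SSVAL(q, 0, token)` right after skip_string() writes two bytes with no remaining-space guard of the kind the later hunks in this file add before fixed-size writes; nothing here checks what skip_string() returned when the name had to be truncated. Suggest the same `if (sizeof(outbuf) - PTR_DIFF(q, outbuf) < 2) return;` pattern before the SSVAL, plus a check on the skip_string() result.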
@@ -231,7 +233,9 @@ logons are not enabled.\n", inet_ntoa(p->ip) ));
 				q += 2;
 
 				fstrcpy(reply_name,my_name);
-				push_ascii_fstring(q, reply_name);
+				push_ascii(q, reply_name,
+						sizeof(outbuf)-PTR_DIFF(q, outbuf),
+						STR_TERMINATE);
 				q = skip_string(outbuf,sizeof(outbuf),q); /* PDC name */
 
 				/* PDC and domain name */
@@ -239,8 +243,15 @@ logons are not enabled.\n", inet_ntoa(p->ip) ));
 					/* Make a full reply */
 					q = ALIGN2(q, outbuf);
 
-					q += dos_PutUniCode(q, my_name, sizeof(pstring), True); /* PDC name */
-					q += dos_PutUniCode(q, lp_workgroup(),sizeof(pstring), True); /* Domain name*/
+					q += dos_PutUniCode(q, my_name,
+						sizeof(outbuf) - PTR_DIFF(q, outbuf),
+						True); /* PDC name */
+					q += dos_PutUniCode(q, lp_workgroup(),
+						sizeof(outbuf) - PTR_DIFF(q, outbuf),
+						True); /* Domain name*/
+					if (sizeof(outbuf) - PTR_DIFF(q, outbuf) < 8) {
+						return;
+					}
 					SIVAL(q, 0, 1); /* our nt version */
 					SSVAL(q, 4, 0xffff); /* our lmnttoken */
 					SSVAL(q, 6, 0xffff); /* our lm20token */
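Review bot: the `< 8` guard matches the 4 + 2 + 2 bytes written by the SIVAL/SSVAL/SSVAL that follow, which is correct, but the bare `return` drops the reply silently; the nmbd_packets.c hunk in this same patch logs before returning, and a DEBUG line here would make a truncated GETDC reply visible in logs. The two dos_PutUniCode() return values are also added to q without being checked, so if that function can report failure the guard arithmetic after it is meaningless.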
@@ -376,9 +387,15 @@ reporting %s domain %s 0x%x ntversion=%x lm_nt token=%x lm_20 token=%x\n",
 
 					q += 2;
 
-					q += dos_PutUniCode(q, reply_name,sizeof(pstring), True);
-					q += dos_PutUniCode(q, ascuser, sizeof(pstring), True);
-					q += dos_PutUniCode(q, lp_workgroup(),sizeof(pstring), True);
+					q += dos_PutUniCode(q, reply_name,
+						sizeof(outbuf) - PTR_DIFF(q, outbuf),
+						True);
+					q += dos_PutUniCode(q, ascuser,
+						sizeof(outbuf) - PTR_DIFF(q, outbuf),
+						True);
+					q += dos_PutUniCode(q, lp_workgroup(),
+						sizeof(outbuf) - PTR_DIFF(q, outbuf),
+						True);
 				}
 #ifdef HAVE_ADS
 				else {
@@ -394,6 +411,9 @@ reporting %s domain %s 0x%x ntversion=%x lm_nt token=%x lm_20 token=%x\n",
 					get_mydnsdomname(domain);
 					get_myname(hostname);
 	
+					if (sizeof(outbuf) - PTR_DIFF(q, outbuf) < 8) {
+						return;
+					}
 					if (SVAL(uniuser, 0) == 0) {
 						SIVAL(q, 0, SAMLOGON_AD_UNK_R);	/* user unknown */
 					} else {
@@ -406,6 +426,9 @@ reporting %s domain %s 0x%x ntversion=%x lm_nt token=%x lm_20 token=%x\n",
 					q += 4;
 
 					/* Push Domain GUID */
+					if (sizeof(outbuf) - PTR_DIFF(q, outbuf) < UUID_FLAT_SIZE) {
+						return;
+					}
 					if (False == secrets_fetch_domain_guid(domain, &domain_guid)) {
 						DEBUG(2, ("Could not fetch DomainGUID for %s\n", domain));
 						return;
@@ -421,12 +444,20 @@ reporting %s domain %s 0x%x ntversion=%x lm_nt token=%x lm_20 token=%x\n",
 					q1 = q;
 					while ((component = strtok(dc, "."))) {
 						dc = NULL;
-						size = push_ascii(&q[1], component, -1, 0);
+						if (sizeof(outbuf) - PTR_DIFF(q, outbuf) < 1) {
+							return;
+						}
+						size = push_ascii(&q[1], component,
+							sizeof(outbuf) - PTR_DIFF(q+1, outbuf),
+							0);
 						SCVAL(q, 0, size);
 						q += (size + 1);
 					}
 
 					/* Unk0 */
+					if (sizeof(outbuf) - PTR_DIFF(q, outbuf) < 4) {
+						return;
+					}
 					SCVAL(q, 0, 0);
 					q++;
 
@@ -436,44 +467,72 @@ reporting %s domain %s 0x%x ntversion=%x lm_nt token=%x lm_20 token=%x\n",
 					q += 2;
 
 					/* Hostname */
-					size = push_ascii(&q[1], hostname, -1, 0);
+					size = push_ascii(&q[1], hostname,
+							sizeof(outbuf) - PTR_DIFF(q+1, outbuf),
+							0);
 					SCVAL(q, 0, size);
 					q += (size + 1);
+
+					if (sizeof(outbuf) - PTR_DIFF(q, outbuf) < 3) {
+						return;
+					}
+
 					SCVAL(q, 0, 0xc0 | ((str_offset >> 8) & 0x3F));
 					SCVAL(q, 1, str_offset & 0xFF);
 					q += 2;
 
 					/* NETBIOS of domain */
-					size = push_ascii(&q[1], lp_workgroup(), -1, STR_UPPER);
+					size = push_ascii(&q[1], lp_workgroup(),
+							sizeof(outbuf) - PTR_DIFF(q+1, outbuf),
+							STR_UPPER);
 					SCVAL(q, 0, size);
 					q += (size + 1);
 
 					/* Unk1 */
+					if (sizeof(outbuf) - PTR_DIFF(q, outbuf) < 2) {
+						return;
+					}
 					SCVAL(q, 0, 0);
 					q++;
 
 					/* NETBIOS of hostname */
-					size = push_ascii(&q[1], my_name, -1, 0);
+					size = push_ascii(&q[1], my_name,
+							sizeof(outbuf) - PTR_DIFF(q+1, outbuf),
+							0);
 					SCVAL(q, 0, size);
 					q += (size + 1);
 
 					/* Unk2 */
+					if (sizeof(outbuf) - PTR_DIFF(q, outbuf) < 4) {
+						return;
+					}
 					SCVAL(q, 0, 0);
 					q++;
 
 					/* User name */
 					if (SVAL(uniuser, 0) != 0) {
-						size = push_ascii(&q[1], ascuser, -1, 0);
+						size = push_ascii(&q[1], ascuser,
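Review bot: the guards in this hunk are each sized to the fixed bytes written before the next push_ascii() (3 for the two compression-pointer bytes plus a length byte, 2 for Unk1 plus a length byte, and so on), which is correct today but easy to break: any field added later between a guard and the next push_ascii() silently invalidates the constant. A `remaining = sizeof(outbuf) - PTR_DIFF(q, outbuf)` recomputed and checked immediately before every write, or a bounded-write macro, would make this path maintainable. The changeset is truncated at 500 lines here, so the rest of this function (the user-name branch and whatever follows it) still needs review.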

