[SCM] Samba Shared Repository - branch v3-0-test updated - release-3-0-32-77-gc419f12
Karolin Seeger
kseeger at samba.org
Thu Nov 27 13:58:10 GMT 2008
The branch, v3-0-test has been updated
via c419f129bef588f90e0a7c165dcdf8990b1bb600 (commit)
via a0d850515796328d92ca42032c765afce477e039 (commit)
from 26e82e3e006a80c9d4d1cb437eb39b02efa7c3ad (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-0-test
- Log -----------------------------------------------------------------
commit c419f129bef588f90e0a7c165dcdf8990b1bb600
Author: Karolin Seeger <kseeger at samba.org>
Date: Tue Nov 18 16:33:23 2008 +0100
WHATSNEW: Update WHATSNEW for 3.0.33.
Karolin
commit a0d850515796328d92ca42032c765afce477e039
Author: Volker Lendecke <vl at samba.org>
Date: Sat Nov 8 17:14:06 2008 +0100
Fix the offset checks in the trans routines
This fixes a potential crash bug, a client can make us read memory we
should not read. Luckily I got the disp checks right...
Volker
-----------------------------------------------------------------------
Summary of changes:
WHATSNEW.txt | 41 ++++++++++++++++++++++++++++++++++-------
source/smbd/ipc.c | 8 ++++----
source/smbd/nttrans.c | 6 +++---
source/smbd/trans2.c | 6 +++---
4 files changed, 44 insertions(+), 17 deletions(-)
Changeset truncated at 500 lines:
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index acc9b41..dc38db8 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,37 @@
+ ==============================
+ Release Notes for Samba 3.0.33
+ November, 27 2008
+ ==============================
+
+
+This is a security release in order to address CVE-2008-4314 ("Potential leak of
+arbitrary memory contents").
+
+ o CVE-2008-4314
+ Samba 3.0.29 to 3.2.4 can potentially leak
+ arbitrary memory contents to malicious
+ clients.
+
+The original security announcement for this and past advisories can
+be found http://www.samba.org/samba/security/
+
+######################################################################
+Changes
+#######
+
+Changes since 3.0.32
+--------------------
+
+
+o Volker Lendecke <vl at samba.org>
+ * Fix for CVE-2008-4314.
+
+
+
+
+Release notes for older releases follow:
+
+ --------------------------------------------------
===============================
Release Notes for Samba 3.0.32
Aug 25, 2008
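Review bot: the entry under "Changes since 3.0.32" says only `* Fix for CVE-2008-4314.`, which does not tell an administrator reading the release notes which part of smbd is affected. Name the code that changed, in line with the commit message: the offset checks in the trans routines (reply_transs, reply_transs2, reply_nttranss). Two wording nits in the added text: "can be found http://www.samba.org/samba/security/" is missing "at", and the date line "November, 27 2008" has the comma in the wrong place (the 3.0.32 header just below uses "Aug 25, 2008").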
@@ -61,10 +95,6 @@ o Christoph Zauner <christoph.zauner at sernet.de>
* Corrections to various man pages.
-
-
-Release notes for older releases follow:
-
--------------------------------------------------
===============================
Release Notes for Samba 3.0.31
@@ -547,9 +577,6 @@ o Bo Yang <boyang at novell.com>
-Release notes for older releases follow:
-
- --------------------------------------------------
==============================
Release Notes for Samba 3.0.28
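Review bot: this hunk deletes the dashed separator line together with the "Release notes for older releases follow:" text, while the previous hunk deletes only the text and keeps its separator as context. After the patch the 3.0.28 header is the only one shown here without a rule above it. Keep the separator in this hunk so the older sections stay consistently delimited.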
diff --git a/source/smbd/ipc.c b/source/smbd/ipc.c
index f7b7c31..43f0d69 100644
--- a/source/smbd/ipc.c
+++ b/source/smbd/ipc.c
@@ -680,13 +680,13 @@ int reply_transs(connection_struct *conn, char *inbuf,char *outbuf,
dcnt > state->total_data ||
ddisp+dcnt > state->total_data ||
ddisp+dcnt < ddisp) {
- goto bad_param;
+ goto bad_param;
}
- if (ddisp > av_size ||
+ if (doff > av_size ||
dcnt > av_size ||
- ddisp+dcnt > av_size ||
- ddisp+dcnt < ddisp) {
+ doff+dcnt > av_size ||
+ doff+dcnt < doff) {
goto bad_param;
}
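Review bot: the `goto bad_param;` line under the first check (the one against state->total_data) changes only in whitespace, which puts a re-indent inside a security fix for a release branch. Drop it or send it separately so this commit carries only the three ddisp-to-doff lines. On the fix itself, the first `if` keeps ddisp against state->total_data while the second now uses doff against av_size, and nothing in the code says why they differ. A one-line comment above each check, stating that the displacement is a position in the reassembled data and the offset is a position in the packet just received, would make the same mix-up harder to repeat.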
diff --git a/source/smbd/nttrans.c b/source/smbd/nttrans.c
index b40ea9e..2b9d5da 100644
--- a/source/smbd/nttrans.c
+++ b/source/smbd/nttrans.c
@@ -3228,10 +3228,10 @@ int reply_nttranss(connection_struct *conn, char *inbuf,char *outbuf,
goto bad_param;
}
- if (ddisp > av_size ||
+ if (doff > av_size ||
dcnt > av_size ||
- ddisp+dcnt > av_size ||
- ddisp+dcnt < ddisp) {
+ doff+dcnt > av_size ||
+ doff+dcnt < doff) {
goto bad_param;
}
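Review bot: the wraparound test `doff+dcnt < doff` in the corrected check is only meaningful if doff and dcnt are unsigned and the sum is computed at their width. Their declarations are not in this hunk, so please confirm that for reply_nttranss. Because `doff > av_size` is tested first, the range test could instead be written as `dcnt > av_size - doff`, which gives the same bound without depending on overflow behaviour and replaces the last three conditions with one.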
diff --git a/source/smbd/trans2.c b/source/smbd/trans2.c
index 30c84bf..9daef90 100644
--- a/source/smbd/trans2.c
+++ b/source/smbd/trans2.c
@@ -6822,10 +6822,10 @@ int reply_transs2(connection_struct *conn,
goto bad_param;
}
- if (ddisp > av_size ||
+ if (doff > av_size ||
dcnt > av_size ||
- ddisp+dcnt > av_size ||
- ddisp+dcnt < ddisp) {
+ doff+dcnt > av_size ||
+ doff+dcnt < doff) {
goto bad_param;
}
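Review bot: this is the third verbatim copy of the same four-condition check (reply_transs, reply_nttranss and here reply_transs2), and the same wrong variable had to be corrected in each. A small shared helper taking the offset, the count and av_size would leave one place to get right and one place to audit. The diffstat also shows no test added alongside the fix; a regression test that sends a secondary request whose data offset lies beyond the received packet, and expects it to be rejected, would pin the behaviour for all three paths.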
--
Samba Shared Repository