[SCM] Samba Shared Repository - branch v3-3-stable updated

Karolin Seeger kseeger at samba.org
Wed Jun 16 03:49:54 MDT 2010


The branch, v3-3-stable has been updated
       via  d07d870... WHATSNEW: Prepare release notes for 3.3.13.
       via  9aa30a0... VERSION: Raise version number up to 3.3.13.
       via  86ab436... s3-smbd: Fix memory corruption vulnerability.
      from  007f9c9... Revert "Fix bug #7067 - Linux asynchronous IO (aio) can cause smbd to fail to respond to a read or write."

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-3-stable


- Log -----------------------------------------------------------------
commit d07d8701d9a49609d0291b599816a0670d29a9f3
Author: Karolin Seeger <kseeger at samba.org>
Date:   Fri Jun 11 13:22:12 2010 +0200

    WHATSNEW: Prepare release notes for 3.3.13.
    
    Karolin

commit 9aa30a0bbd5eaf99fec9f6b51f859bf751e155ff
Author: Karolin Seeger <kseeger at samba.org>
Date:   Fri Jun 11 12:58:07 2010 +0200

    VERSION: Raise version number up to 3.3.13.
    
    Karolin

commit 86ab436a0da958914f99dc8b7e88b10db4692d98
Author: Jeremy Allison <jra at samba.org>
Date:   Fri Jun 11 12:57:25 2010 +0200

    s3-smbd: Fix memory corruption vulnerability.
    
    Fix bug #7494 (Buffer overrun possible in chain_reply code in 3.3.x and below.)
    and address CVE-2010-2063.

-----------------------------------------------------------------------

Summary of changes:
 WHATSNEW.txt          |   52 +++++++++++++++++++++++++++++++++++++++++++++---
 source/VERSION        |    2 +-
 source/smbd/process.c |   12 +++++++++++
 3 files changed, 61 insertions(+), 5 deletions(-)


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 90a1960..c63fd1f 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,48 @@
                    ==============================
+                   Release Notes for Samba 3.3.13
+		            June 16, 2010
+                   ==============================
+
+
+This is a security release in order to address CVE-2010-2063.
+
+
+o  CVE-2010-2063:
+   In Samba 3.3.x and below, a buffer overrun is possible in chain_reply code.
+
+
+Changes since 3.3.12
+--------------------
+
+
+o   Jeremy Allison <jra at samba.org>
+    * BUG 7494: Fix for CVE-2010-2063.
+
+
+######################################################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 3.3 product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
+                   ==============================
                    Release Notes for Samba 3.3.12
 		            March 8, 2010
                    ==============================
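Review bot: The CVE-2010-2063 entry in the new 3.3.13 notes says only that "a buffer overrun is possible in chain_reply code", which gives an administrator nothing to prioritise on. Suggest adding a sentence to that entry stating which component is affected (the fix is in source/smbd/process.c) and that 3.3.13 is the fixed release for the 3.3 series, so the note stands on its own without a lookup of the CVE or of BUG 7494.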
@@ -17,8 +61,8 @@ o  CVE-2010-0728:
    even when permissions should have denied access.
 
 
-Changes since 3.5.0
--------------------
+Changes since 3.3.11
+--------------------
 
 
 o   Jeremy Allison <jra at samba.org>
@@ -45,8 +89,8 @@ database (https://bugzilla.samba.org/).
 ======================================================================
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
 
                    ==============================
                    Release Notes for Samba 3.3.11
diff --git a/source/VERSION b/source/VERSION
index 01fc3b8..a6430a6 100644
--- a/source/VERSION
+++ b/source/VERSION
@@ -25,7 +25,7 @@
 ########################################################
 SAMBA_VERSION_MAJOR=3
 SAMBA_VERSION_MINOR=3
-SAMBA_VERSION_RELEASE=12
+SAMBA_VERSION_RELEASE=13
 
 ########################################################
 # Bug fix releases use a letter for the patch revision #
diff --git a/source/smbd/process.c b/source/smbd/process.c
index 446b868..403c7c6 100644
--- a/source/smbd/process.c
+++ b/source/smbd/process.c
@@ -1645,6 +1645,7 @@ void construct_reply_common(const char *inbuf, char *outbuf)
 void chain_reply(struct smb_request *req)
 {
 	static char *orig_inbuf;
+	static int orig_size;
 
 	/*
 	 * Dirty little const_discard: We mess with req->inbuf, which is
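Review bot: The new "static int orig_size;" has no comment saying what it holds or when it is valid. It is assigned only in the "chain_size == 0" branch but read by the smb_off2 check on every call, so a one-line comment beside the declaration (length of the first buffer in the chain, paired with orig_inbuf) would make that lifetime explicit. It is also worth confirming that int matches the type of "size" and of the offset expression it is later compared against, so the comparison does not depend on an implicit conversion.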
@@ -1679,13 +1680,24 @@ void chain_reply(struct smb_request *req)
 	if (chain_size == 0) {
 		/* this is the first part of the chain */
 		orig_inbuf = inbuf;
+		orig_size = size;
 	}
 
+	/* Validate smb_off2 */
+	if ((smb_off2 < smb_wct - 4) || orig_size < (smb_off2 + 4 - smb_wct)) {
+		exit_server_cleanly("Bad chained packet");
+		return;
+	}
 	/*
 	 * We need to save the output the caller added to the chain so that we
 	 * can splice it into the final output buffer later.
 	 */
 
+	if (outsize <= smb_wct) {
+		exit_server_cleanly("Bad chained packet");
+		return;
+	}
+
 	caller_outputlen = outsize - smb_wct;
 
 	caller_output = (char *)memdup(outbuf + smb_wct, caller_outputlen);
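Review bot: The upper bound in the smb_off2 check, "orig_size < (smb_off2 + 4 - smb_wct)", rejects only offsets strictly greater than orig_size, so an offset equal to orig_size passes. The hunk does not show how many bytes are read at that offset afterwards; if anything is read there, the test should be "<=" or should require room for the fields the next chained command needs. The "/* Validate smb_off2 */" comment would also be more useful if it stated the two conditions being enforced (offset not before the start of the original buffer, offset not past orig_size). Smaller points: both failure paths log the same "Bad chained packet" string, so distinct messages for the smb_off2 check and the "outsize <= smb_wct" check would make the two rejections distinguishable in logs, and the "return;" after exit_server_cleanly() is unreachable if that function does not return.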


-- 
Samba Shared Repository

