[SCM] Samba Shared Repository - branch v3-3-stable updated
Karolin Seeger
kseeger at samba.org
Wed Jun 16 03:49:54 MDT 2010
The branch, v3-3-stable has been updated
via d07d870... WHATSNEW: Prepare release notes for 3.3.13.
via 9aa30a0... VERSION: Raise version number up to 3.3.13.
via 86ab436... s3-smbd: Fix memory corruption vulnerability.
from 007f9c9... Revert "Fix bug #7067 - Linux asynchronous IO (aio) can cause smbd to fail to respond to a read or write."
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-3-stable
- Log -----------------------------------------------------------------
commit d07d8701d9a49609d0291b599816a0670d29a9f3
Author: Karolin Seeger <kseeger at samba.org>
Date: Fri Jun 11 13:22:12 2010 +0200
WHATSNEW: Prepare release notes for 3.3.13.
Karolin
commit 9aa30a0bbd5eaf99fec9f6b51f859bf751e155ff
Author: Karolin Seeger <kseeger at samba.org>
Date: Fri Jun 11 12:58:07 2010 +0200
VERSION: Raise version number up to 3.3.13.
Karolin
commit 86ab436a0da958914f99dc8b7e88b10db4692d98
Author: Jeremy Allison <jra at samba.org>
Date: Fri Jun 11 12:57:25 2010 +0200
s3-smbd: Fix memory corruption vulnerability.
Fix bug #7494 (Buffer overrun possible in chain_reply code in 3.3.x and below.)
and address CVE-2010-2063.
-----------------------------------------------------------------------
Summary of changes:
WHATSNEW.txt | 52 +++++++++++++++++++++++++++++++++++++++++++++---
source/VERSION | 2 +-
source/smbd/process.c | 12 +++++++++++
3 files changed, 61 insertions(+), 5 deletions(-)
Changeset truncated at 500 lines:
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 90a1960..c63fd1f 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,48 @@
==============================
+ Release Notes for Samba 3.3.13
+ June 16, 2010
+ ==============================
+
+
+This is a security release in order to address CVE-2010-2063.
+
+
+o CVE-2010-2063:
+ In Samba 3.3.x and below, a buffer overrun is possible in chain_reply code.
+
+
+Changes since 3.3.12
+--------------------
+
+
+o Jeremy Allison <jra at samba.org>
+ * BUG 7494: Fix for CVE-2010-2063.
+
+
+######################################################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 3.3 product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
+ ==============================
Release Notes for Samba 3.3.12
March 8, 2010
==============================
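Review bot: The CVE-2010-2063 entry in the new 3.3.13 section says only that "a buffer overrun is possible in chain_reply code", which does not tell an administrator which daemon is affected or what input reaches it. Suggest naming smbd (the fix is in source/smbd/process.c) and stating that the overrun is reached through a chained request whose offset fails the new "Bad chained packet" validation, so exposure can be judged from the release notes alone.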
@@ -17,8 +61,8 @@ o CVE-2010-0728:
even when permissions should have denied access.
-Changes since 3.5.0
--------------------
+Changes since 3.3.11
+--------------------
o Jeremy Allison <jra at samba.org>
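Review bot: The heading change from "Changes since 3.5.0" to "Changes since 3.3.11" in the 3.3.12 section corrects already published notes and is unrelated to preparing the 3.3.13 text, yet the commit message does not mention it. Suggest a separate commit, or a line in the message, so the edit to historical release notes is visible in the log.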
@@ -45,8 +89,8 @@ database (https://bugzilla.samba.org/).
======================================================================
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
==============================
Release Notes for Samba 3.3.11
diff --git a/source/VERSION b/source/VERSION
index 01fc3b8..a6430a6 100644
--- a/source/VERSION
+++ b/source/VERSION
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=3
SAMBA_VERSION_MINOR=3
-SAMBA_VERSION_RELEASE=12
+SAMBA_VERSION_RELEASE=13
########################################################
# Bug fix releases use a letter for the patch revision #
diff --git a/source/smbd/process.c b/source/smbd/process.c
index 446b868..403c7c6 100644
--- a/source/smbd/process.c
+++ b/source/smbd/process.c
@@ -1645,6 +1645,7 @@ void construct_reply_common(const char *inbuf, char *outbuf)
void chain_reply(struct smb_request *req)
{
static char *orig_inbuf;
+ static int orig_size;
/*
* Dirty little const_discard: We mess with req->inbuf, which is
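Review bot: orig_size is added as a function-level static int beside orig_inbuf with no comment, and it is only assigned in the chain_size == 0 branch of the next hunk, so its meaning and lifetime are implicit. Suggest a one-line comment saying it holds the size of the first request in the chain, and check that the signed int type matches the types of smb_off2 and smb_wct (not visible in this diff), since it is compared against smb_off2 + 4 - smb_wct.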
@@ -1679,13 +1680,24 @@ void chain_reply(struct smb_request *req)
if (chain_size == 0) {
/* this is the first part of the chain */
orig_inbuf = inbuf;
+ orig_size = size;
}
+ /* Validate smb_off2 */
+ if ((smb_off2 < smb_wct - 4) || orig_size < (smb_off2 + 4 - smb_wct)) {
+ exit_server_cleanly("Bad chained packet");
+ return;
+ }
/*
* We need to save the output the caller added to the chain so that we
* can splice it into the final output buffer later.
*/
+ if (outsize <= smb_wct) {
+ exit_server_cleanly("Bad chained packet");
+ return;
+ }
+
caller_outputlen = outsize - smb_wct;
caller_output = (char *)memdup(outbuf + smb_wct, caller_outputlen);
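Review bot: The smb_off2 check near the top of this hunk depends on smb_wct - 4 and smb_off2 + 4 - smb_wct evaluating as intended, but the types of smb_off2, smb_wct and size are not visible here; if any operand is unsigned, smb_wct - 4 can wrap and the comparison with the signed orig_size is converted. Suggest confirming the types or casting explicitly, and expanding the "/* Validate smb_off2 */" comment to state the bound being enforced. The outsize <= smb_wct check is also inserted between the "We need to save the output..." comment and the caller_outputlen assignment that comment describes, and both failure paths pass the same "Bad chained packet" string to exit_server_cleanly; moving the check above the comment and giving each exit a distinct message would make both the code and the exit reason easier to follow.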
--
Samba Shared Repository