[SCM] Samba Shared Repository - branch v3-3-test updated

Karolin Seeger kseeger at samba.org
Wed Sep 15 13:00:37 MDT 2010


The branch, v3-3-test has been updated
       via  fdfe958 WHATSNEW: Update release date.
       via  0c8ba57 Fix bug #7669.
       via  237fc6b WHATSNEW: Prepare 3.3.14 release notes.
       via  54c2f90 VERSION: Raise version number up to 3.3.14.
       via  37e9aeb WHATSNEW: Prepare release notes for 3.3.13.
       via  5848a4d VERSION: Raise version number up to 3.3.13.
       via  dde8f9b s3-smbd: Fix memory corruption vulnerability.
      from  d3831a5 Revert "Fix bug #7067 - Linux asynchronous IO (aio) can cause smbd to fail to respond to a read or write."

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-3-test


- Log -----------------------------------------------------------------
commit fdfe958a20c2f017413cc54fdddee3f723494b4f
Author: Karolin Seeger <kseeger at samba.org>
Date:   Thu Sep 9 16:23:49 2010 +0200

    WHATSNEW: Update release date.
    
    Karolin
    (cherry picked from commit cdb6f49d577fa5b24d294a50780604c89912c012)

commit 0c8ba5758a9c6f720260bd3bcbbb013936baa367
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Sep 9 15:43:07 2010 +0200

    Fix bug #7669.
    
    Fix bug #7669 (buffer overflow in sid_parse() in Samba3 and dom_sid_parse in
    Samba4).
    
    CVE-2010-3069:
    
    ===========
    Description
    ===========
    
    All current released versions of Samba are vulnerable to
    a buffer overrun vulnerability. The sid_parse() function
    (and related dom_sid_parse() function in the source4 code)
    do not correctly check their input lengths when reading a
    binary representation of a Windows SID (Security ID). This
    allows a malicious client to send a sid that can overflow
    the stack variable that is being used to store the SID in the
    Samba smbd server.
    
    A connection to a file share is needed to exploit this
    vulnerability, either authenticated or unauthenticated
    (guest connection).
    (cherry picked from commit df1c76e2275068d1006e82a4a21d42b58175268b)

commit 237fc6b80f4b281451e1c949018d92790f817f1f
Author: Karolin Seeger <kseeger at samba.org>
Date:   Thu Sep 9 15:41:40 2010 +0200

    WHATSNEW: Prepare 3.3.14 release notes.
    
    Karolin
    (cherry picked from commit da9325d02038b5e65873593dece510fa09851772)

commit 54c2f902846ff3a8e481a708b77c7da548c533ef
Author: Karolin Seeger <kseeger at samba.org>
Date:   Thu Sep 9 15:31:18 2010 +0200

    VERSION: Raise version number up to 3.3.14.
    
    Karolin
    (cherry picked from commit 293a8676ee72a635096ff1a1b167ecf6fa525276)

commit 37e9aebde9f9d23e71156df94bb2bd26ffaafd28
Author: Karolin Seeger <kseeger at samba.org>
Date:   Fri Jun 11 13:22:12 2010 +0200

    WHATSNEW: Prepare release notes for 3.3.13.
    
    Karolin
    (cherry picked from commit d07d8701d9a49609d0291b599816a0670d29a9f3)

commit 5848a4d6df72049133ec0547a798ca60c15340b7
Author: Karolin Seeger <kseeger at samba.org>
Date:   Fri Jun 11 12:58:07 2010 +0200

    VERSION: Raise version number up to 3.3.13.
    
    Karolin
    (cherry picked from commit 9aa30a0bbd5eaf99fec9f6b51f859bf751e155ff)

commit dde8f9b3ba827b6dec8b6ef4faa4e7a431b038f0
Author: Jeremy Allison <jra at samba.org>
Date:   Fri Jun 11 12:57:25 2010 +0200

    s3-smbd: Fix memory corruption vulnerability.
    
    Fix bug #7494 (Buffer overrun possible in chain_reply code in 3.3.x and below.)
    and address CVE-2010-2063.
    (cherry picked from commit 86ab436a0da958914f99dc8b7e88b10db4692d98)

-----------------------------------------------------------------------

Summary of changes:
 WHATSNEW.txt             |  107 ++++++++++++++++++++++++++++++++++++++++++++--
 source/VERSION           |    2 +-
 source/lib/util_sid.c    |    3 +
 source/libads/ldap.c     |    4 +-
 source/libsmb/cliquota.c |    4 +-
 source/smbd/nttrans.c    |   17 ++++++-
 source/smbd/process.c    |   12 +++++
 7 files changed, 139 insertions(+), 10 deletions(-)


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 90a1960..a5026cd 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,103 @@
                    ==============================
+                   Release Notes for Samba 3.3.14
+		         September 14, 2010
+                   ==============================
+
+
+This is a security release in order to address CVE-2010-3069.
+
+
+o  CVE-2010-3069:
+   All current released versions of Samba are vulnerable to
+   a buffer overrun vulnerability. The sid_parse() function
+   (and related dom_sid_parse() function in the source4 code)
+   do not correctly check their input lengths when reading a
+   binary representation of a Windows SID (Security ID). This
+   allows a malicious client to send a sid that can overflow
+   the stack variable that is being used to store the SID in the
+   Samba smbd server.
+
+
+Changes since 3.3.13
+--------------------
+
+
+o   Jeremy Allison <jra at samba.org>
+    * BUG 7669: Fix for CVE-2010-3069.
+
+
+o   Andrew Bartlett <abartlet at samba.org>
+    * BUG 7669: Fix for CVE-2010-3069.
+
+
+######################################################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 3.3 product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
+                   ==============================
+                   Release Notes for Samba 3.3.13
+		            June 16, 2010
+                   ==============================
+
+
+This is a security release in order to address CVE-2010-2063.
+
+
+o  CVE-2010-2063:
+   In Samba 3.3.x and below, a buffer overrun is possible in chain_reply code.
+
+
+Changes since 3.3.12
+--------------------
+
+
+o   Jeremy Allison <jra at samba.org>
+    * BUG 7494: Fix for CVE-2010-2063.
+
+
+######################################################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 3.3 product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+----------------------------------------------------------------------
+
+
+                   ==============================
                    Release Notes for Samba 3.3.12
 		            March 8, 2010
                    ==============================
@@ -17,8 +116,8 @@ o  CVE-2010-0728:
    even when permissions should have denied access.
 
 
-Changes since 3.5.0
--------------------
+Changes since 3.3.11
+--------------------
 
 
 o   Jeremy Allison <jra at samba.org>
@@ -45,8 +144,8 @@ database (https://bugzilla.samba.org/).
 ======================================================================
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
 
                    ==============================
                    Release Notes for Samba 3.3.11
diff --git a/source/VERSION b/source/VERSION
index d637568..d1d3249 100644
--- a/source/VERSION
+++ b/source/VERSION
@@ -25,7 +25,7 @@
 ########################################################
 SAMBA_VERSION_MAJOR=3
 SAMBA_VERSION_MINOR=3
-SAMBA_VERSION_RELEASE=12
+SAMBA_VERSION_RELEASE=14
 
 ########################################################
 # Bug fix releases use a letter for the patch revision #
diff --git a/source/lib/util_sid.c b/source/lib/util_sid.c
index f656bb1..aa49b86 100644
--- a/source/lib/util_sid.c
+++ b/source/lib/util_sid.c
@@ -408,6 +408,9 @@ bool sid_parse(const char *inbuf, size_t len, DOM_SID *sid)
 
 	sid->sid_rev_num = CVAL(inbuf, 0);
 	sid->num_auths = CVAL(inbuf, 1);
+	if (sid->num_auths > MAXSUBAUTHS) {
+		return false;
+	}
 	memcpy(sid->id_auth, inbuf+2, 6);
 	if (len < 8 + sid->num_auths*4)
 		return False;
diff --git a/source/libads/ldap.c b/source/libads/ldap.c
index d9598e5..f426996 100644
--- a/source/libads/ldap.c
+++ b/source/libads/ldap.c
@@ -2139,7 +2139,9 @@ static void dump_sid(ADS_STRUCT *ads, const char *field, struct berval **values)
 	for (i=0; values[i]; i++) {
 		DOM_SID sid;
 		fstring tmp;
-		sid_parse(values[i]->bv_val, values[i]->bv_len, &sid);
+		if (!sid_parse(values[i]->bv_val, values[i]->bv_len, &sid)) {
+			continue;
+		}
 		printf("%s: %s\n", field, sid_to_fstring(tmp, &sid));
 	}
 }
diff --git a/source/libsmb/cliquota.c b/source/libsmb/cliquota.c
index dcdfec2..47739f0 100644
--- a/source/libsmb/cliquota.c
+++ b/source/libsmb/cliquota.c
@@ -117,7 +117,9 @@ static bool parse_user_quota_record(const char *rdata, unsigned int rdata_count,
 	}
 #endif /* LARGE_SMB_OFF_T */
 
-	sid_parse(rdata+40,sid_len,&qt.sid);
+	if (!sid_parse(rdata+40,sid_len,&qt.sid)) {
+		return false;
+	}
 
 	qt.qtype = SMB_USER_QUOTA_TYPE;
 
diff --git a/source/smbd/nttrans.c b/source/smbd/nttrans.c
index c392380..b610b1f 100644
--- a/source/smbd/nttrans.c
+++ b/source/smbd/nttrans.c
@@ -1950,7 +1950,11 @@ static void call_nt_transact_ioctl(connection_struct *conn,
 		/* unknown 4 bytes: this is not the length of the sid :-(  */
 		/*unknown = IVAL(pdata,0);*/
 
-		sid_parse(pdata+4,sid_len,&sid);
+		if (!sid_parse(pdata+4,sid_len,&sid)) {
+			reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+			return;
+		}
+
 		DEBUGADD(10, ("for SID: %s\n", sid_string_dbg(&sid)));
 
 		if (!sid_to_uid(&sid, &uid)) {
@@ -2206,7 +2210,10 @@ static void call_nt_transact_get_user_quota(connection_struct *conn,
 				break;
 			}
 
-			sid_parse(pdata+8,sid_len,&sid);
+			if (!sid_parse(pdata+8,sid_len,&sid)) {
+				reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+				return;
+			}
 
 			if (vfs_get_ntquota(fsp, SMB_USER_QUOTA_TYPE, &sid, &qt)!=0) {
 				ZERO_STRUCT(qt);
@@ -2387,7 +2394,11 @@ static void call_nt_transact_set_user_quota(connection_struct *conn,
 	}
 #endif /* LARGE_SMB_OFF_T */
 
-	sid_parse(pdata+40,sid_len,&sid);
+	if (!sid_parse(pdata+40,sid_len,&sid)) {
+		reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+		return;
+	}
+
 	DEBUGADD(8,("SID: %s\n", sid_string_dbg(&sid)));
 
 	/* 44 unknown bytes left... */
diff --git a/source/smbd/process.c b/source/smbd/process.c
index 446b868..403c7c6 100644
--- a/source/smbd/process.c
+++ b/source/smbd/process.c
@@ -1645,6 +1645,7 @@ void construct_reply_common(const char *inbuf, char *outbuf)
 void chain_reply(struct smb_request *req)
 {
 	static char *orig_inbuf;
+	static int orig_size;
 
 	/*
 	 * Dirty little const_discard: We mess with req->inbuf, which is
@@ -1679,13 +1680,24 @@ void chain_reply(struct smb_request *req)
 	if (chain_size == 0) {
 		/* this is the first part of the chain */
 		orig_inbuf = inbuf;
+		orig_size = size;
 	}
 
+	/* Validate smb_off2 */
+	if ((smb_off2 < smb_wct - 4) || orig_size < (smb_off2 + 4 - smb_wct)) {
+		exit_server_cleanly("Bad chained packet");
+		return;
+	}
 	/*
 	 * We need to save the output the caller added to the chain so that we
 	 * can splice it into the final output buffer later.
 	 */
 
+	if (outsize <= smb_wct) {
+		exit_server_cleanly("Bad chained packet");
+		return;
+	}
+
 	caller_outputlen = outsize - smb_wct;
 
 	caller_output = (char *)memdup(outbuf + smb_wct, caller_outputlen);


-- 
Samba Shared Repository


More information about the samba-cvs mailing list