[SCM] Samba Shared Repository - branch v3-3-test updated
Karolin Seeger
kseeger at samba.org
Wed Sep 15 13:00:37 MDT 2010
The branch, v3-3-test has been updated
via fdfe958 WHATSNEW: Update release date.
via 0c8ba57 Fix bug #7669.
via 237fc6b WHATSNEW: Prepare 3.3.14 release notes.
via 54c2f90 VERSION: Raise version number up to 3.3.14.
via 37e9aeb WHATSNEW: Prepare release notes for 3.3.13.
via 5848a4d VERSION: Raise version number up to 3.3.13.
via dde8f9b s3-smbd: Fix memory corruption vulnerability.
from d3831a5 Revert "Fix bug #7067 - Linux asynchronous IO (aio) can cause smbd to fail to respond to a read or write."
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-3-test
- Log -----------------------------------------------------------------
commit fdfe958a20c2f017413cc54fdddee3f723494b4f
Author: Karolin Seeger <kseeger at samba.org>
Date: Thu Sep 9 16:23:49 2010 +0200
WHATSNEW: Update release date.
Karolin
(cherry picked from commit cdb6f49d577fa5b24d294a50780604c89912c012)
commit 0c8ba5758a9c6f720260bd3bcbbb013936baa367
Author: Jeremy Allison <jra at samba.org>
Date: Thu Sep 9 15:43:07 2010 +0200
Fix bug #7669.
Fix bug #7669 (buffer overflow in sid_parse() in Samba3 and dom_sid_parse in
Samba4).
CVE-2010-3069:
===========
Description
===========
All current released versions of Samba are vulnerable to
a buffer overrun vulnerability. The sid_parse() function
(and related dom_sid_parse() function in the source4 code)
do not correctly check their input lengths when reading a
binary representation of a Windows SID (Security ID). This
allows a malicious client to send a sid that can overflow
the stack variable that is being used to store the SID in the
Samba smbd server.
A connection to a file share is needed to exploit this
vulnerability, either authenticated or unauthenticated
(guest connection).
(cherry picked from commit df1c76e2275068d1006e82a4a21d42b58175268b)
commit 237fc6b80f4b281451e1c949018d92790f817f1f
Author: Karolin Seeger <kseeger at samba.org>
Date: Thu Sep 9 15:41:40 2010 +0200
WHATSNEW: Prepare 3.3.14 release notes.
Karolin
(cherry picked from commit da9325d02038b5e65873593dece510fa09851772)
commit 54c2f902846ff3a8e481a708b77c7da548c533ef
Author: Karolin Seeger <kseeger at samba.org>
Date: Thu Sep 9 15:31:18 2010 +0200
VERSION: Raise version number up to 3.3.14.
Karolin
(cherry picked from commit 293a8676ee72a635096ff1a1b167ecf6fa525276)
commit 37e9aebde9f9d23e71156df94bb2bd26ffaafd28
Author: Karolin Seeger <kseeger at samba.org>
Date: Fri Jun 11 13:22:12 2010 +0200
WHATSNEW: Prepare release notes for 3.3.13.
Karolin
(cherry picked from commit d07d8701d9a49609d0291b599816a0670d29a9f3)
commit 5848a4d6df72049133ec0547a798ca60c15340b7
Author: Karolin Seeger <kseeger at samba.org>
Date: Fri Jun 11 12:58:07 2010 +0200
VERSION: Raise version number up to 3.3.13.
Karolin
(cherry picked from commit 9aa30a0bbd5eaf99fec9f6b51f859bf751e155ff)
commit dde8f9b3ba827b6dec8b6ef4faa4e7a431b038f0
Author: Jeremy Allison <jra at samba.org>
Date: Fri Jun 11 12:57:25 2010 +0200
s3-smbd: Fix memory corruption vulnerability.
Fix bug #7494 (Buffer overrun possible in chain_reply code in 3.3.x and below.)
and address CVE-2010-2063.
(cherry picked from commit 86ab436a0da958914f99dc8b7e88b10db4692d98)
-----------------------------------------------------------------------
Summary of changes:
WHATSNEW.txt | 107 ++++++++++++++++++++++++++++++++++++++++++++--
source/VERSION | 2 +-
source/lib/util_sid.c | 3 +
source/libads/ldap.c | 4 +-
source/libsmb/cliquota.c | 4 +-
source/smbd/nttrans.c | 17 ++++++-
source/smbd/process.c | 12 +++++
7 files changed, 139 insertions(+), 10 deletions(-)
Changeset truncated at 500 lines:
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 90a1960..a5026cd 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,103 @@
==============================
+ Release Notes for Samba 3.3.14
+ September 14, 2010
+ ==============================
+
+
+This is a security release in order to address CVE-2010-3069.
+
+
+o CVE-2010-3069:
+ All current released versions of Samba are vulnerable to
+ a buffer overrun vulnerability. The sid_parse() function
+ (and related dom_sid_parse() function in the source4 code)
+ do not correctly check their input lengths when reading a
+ binary representation of a Windows SID (Security ID). This
+ allows a malicious client to send a sid that can overflow
+ the stack variable that is being used to store the SID in the
+ Samba smbd server.
+
+
+Changes since 3.3.13
+--------------------
+
+
+o Jeremy Allison <jra at samba.org>
+ * BUG 7669: Fix for CVE-2010-3069.
+
+
+o Andrew Bartlett <abartlet at samba.org>
+ * BUG 7669: Fix for CVE-2010-3069.
+
+
+######################################################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 3.3 product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
+ ==============================
+ Release Notes for Samba 3.3.13
+ June 16, 2010
+ ==============================
+
+
+This is a security release in order to address CVE-2010-2063.
+
+
+o CVE-2010-2063:
+ In Samba 3.3.x and below, a buffer overrun is possible in chain_reply code.
+
+
+Changes since 3.3.12
+--------------------
+
+
+o Jeremy Allison <jra at samba.org>
+ * BUG 7494: Fix for CVE-2010-2063.
+
+
+######################################################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 3.3 product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+----------------------------------------------------------------------
+
+
+ ==============================
Release Notes for Samba 3.3.12
March 8, 2010
==============================
@@ -17,8 +116,8 @@ o CVE-2010-0728:
even when permissions should have denied access.
-Changes since 3.5.0
--------------------
+Changes since 3.3.11
+--------------------
o Jeremy Allison <jra at samba.org>
@@ -45,8 +144,8 @@ database (https://bugzilla.samba.org/).
======================================================================
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
==============================
Release Notes for Samba 3.3.11
diff --git a/source/VERSION b/source/VERSION
index d637568..d1d3249 100644
--- a/source/VERSION
+++ b/source/VERSION
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=3
SAMBA_VERSION_MINOR=3
-SAMBA_VERSION_RELEASE=12
+SAMBA_VERSION_RELEASE=14
########################################################
# Bug fix releases use a letter for the patch revision #
diff --git a/source/lib/util_sid.c b/source/lib/util_sid.c
index f656bb1..aa49b86 100644
--- a/source/lib/util_sid.c
+++ b/source/lib/util_sid.c
@@ -408,6 +408,9 @@ bool sid_parse(const char *inbuf, size_t len, DOM_SID *sid)
sid->sid_rev_num = CVAL(inbuf, 0);
sid->num_auths = CVAL(inbuf, 1);
+ if (sid->num_auths > MAXSUBAUTHS) {
+ return false;
+ }
memcpy(sid->id_auth, inbuf+2, 6);
if (len < 8 + sid->num_auths*4)
return False;
diff --git a/source/libads/ldap.c b/source/libads/ldap.c
index d9598e5..f426996 100644
--- a/source/libads/ldap.c
+++ b/source/libads/ldap.c
@@ -2139,7 +2139,9 @@ static void dump_sid(ADS_STRUCT *ads, const char *field, struct berval **values)
for (i=0; values[i]; i++) {
DOM_SID sid;
fstring tmp;
- sid_parse(values[i]->bv_val, values[i]->bv_len, &sid);
+ if (!sid_parse(values[i]->bv_val, values[i]->bv_len, &sid)) {
+ continue;
+ }
printf("%s: %s\n", field, sid_to_fstring(tmp, &sid));
}
}
diff --git a/source/libsmb/cliquota.c b/source/libsmb/cliquota.c
index dcdfec2..47739f0 100644
--- a/source/libsmb/cliquota.c
+++ b/source/libsmb/cliquota.c
@@ -117,7 +117,9 @@ static bool parse_user_quota_record(const char *rdata, unsigned int rdata_count,
}
#endif /* LARGE_SMB_OFF_T */
- sid_parse(rdata+40,sid_len,&qt.sid);
+ if (!sid_parse(rdata+40,sid_len,&qt.sid)) {
+ return false;
+ }
qt.qtype = SMB_USER_QUOTA_TYPE;
diff --git a/source/smbd/nttrans.c b/source/smbd/nttrans.c
index c392380..b610b1f 100644
--- a/source/smbd/nttrans.c
+++ b/source/smbd/nttrans.c
@@ -1950,7 +1950,11 @@ static void call_nt_transact_ioctl(connection_struct *conn,
/* unknown 4 bytes: this is not the length of the sid :-( */
/*unknown = IVAL(pdata,0);*/
- sid_parse(pdata+4,sid_len,&sid);
+ if (!sid_parse(pdata+4,sid_len,&sid)) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return;
+ }
+
DEBUGADD(10, ("for SID: %s\n", sid_string_dbg(&sid)));
if (!sid_to_uid(&sid, &uid)) {
@@ -2206,7 +2210,10 @@ static void call_nt_transact_get_user_quota(connection_struct *conn,
break;
}
- sid_parse(pdata+8,sid_len,&sid);
+ if (!sid_parse(pdata+8,sid_len,&sid)) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return;
+ }
if (vfs_get_ntquota(fsp, SMB_USER_QUOTA_TYPE, &sid, &qt)!=0) {
ZERO_STRUCT(qt);
@@ -2387,7 +2394,11 @@ static void call_nt_transact_set_user_quota(connection_struct *conn,
}
#endif /* LARGE_SMB_OFF_T */
- sid_parse(pdata+40,sid_len,&sid);
+ if (!sid_parse(pdata+40,sid_len,&sid)) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return;
+ }
+
DEBUGADD(8,("SID: %s\n", sid_string_dbg(&sid)));
/* 44 unknown bytes left... */
diff --git a/source/smbd/process.c b/source/smbd/process.c
index 446b868..403c7c6 100644
--- a/source/smbd/process.c
+++ b/source/smbd/process.c
@@ -1645,6 +1645,7 @@ void construct_reply_common(const char *inbuf, char *outbuf)
void chain_reply(struct smb_request *req)
{
static char *orig_inbuf;
+ static int orig_size;
/*
* Dirty little const_discard: We mess with req->inbuf, which is
@@ -1679,13 +1680,24 @@ void chain_reply(struct smb_request *req)
if (chain_size == 0) {
/* this is the first part of the chain */
orig_inbuf = inbuf;
+ orig_size = size;
}
+ /* Validate smb_off2 */
+ if ((smb_off2 < smb_wct - 4) || orig_size < (smb_off2 + 4 - smb_wct)) {
+ exit_server_cleanly("Bad chained packet");
+ return;
+ }
/*
* We need to save the output the caller added to the chain so that we
* can splice it into the final output buffer later.
*/
+ if (outsize <= smb_wct) {
+ exit_server_cleanly("Bad chained packet");
+ return;
+ }
+
caller_outputlen = outsize - smb_wct;
caller_output = (char *)memdup(outbuf + smb_wct, caller_outputlen);
--
Samba Shared Repository
More information about the samba-cvs
mailing list