[SCM] Samba Shared Repository - branch v3-6-test updated
Karolin Seeger
kseeger at samba.org
Tue Apr 10 12:23:12 MDT 2012
The branch, v3-6-test has been updated
via 69cfa24 WHATSNEW: Start release notes for Samba 3.6.5.
via c8cc3d5 VERSION: Bump version up to 3.6.5.
via 7330bdb pidl/NDR/Parser: also do range checks on the array size
via 7c3e90c pidl/NDR/Parser: do array range validation in ParseArrayPullGetLength()
via df3a069 pidl/NDR/Parser: use helper variables for array size and length
via e24594d pidl/NDR/Parser: remember if we already know the array length
via 918b165 pidl/NDR/Parser: use ParseArrayPullGetLength() to get the number of array elements (bug #8815 / CVE-2012-1182)
via ab1e69d pidl/NDR/Parser: split off ParseArrayPullGetSize() and ParseArrayPullGetLength()
via 2041a4e pidl/NDR/Parser: simplify logic in DeclareArrayVariables*()
via d4df4ac pidl/NDR/Parser: declare all union helper variables in ParseUnionPull()
via d2e3c05 WHATSNEW: Prepare release notes for 3.6.4.
from 8852ad6 s3-winbindd Only use SamLogonEx when we can get unencrypted session keys
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test
- Log -----------------------------------------------------------------
commit 69cfa24a1647884755002e3e938ea441ba76aaf2
Author: Karolin Seeger <kseeger at samba.org>
Date: Tue Apr 10 20:16:29 2012 +0200
WHATSNEW: Start release notes for Samba 3.6.5.
Karolin
(cherry picked from commit 7a2f5309d8e064e5fea66c1e723b6a0d00fbe0b1)
commit c8cc3d5b7457fd0fa48eebb9ea83e66a8dc55a5a
Author: Karolin Seeger <kseeger at samba.org>
Date: Tue Apr 10 20:13:53 2012 +0200
VERSION: Bump version up to 3.6.5.
Karolin
(cherry picked from commit bbf24474560195f3a6d41991836d568092c0340e)
commit 7330bdbbd62a0fc69d6d193bb3f3294013e62f01
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Mar 15 17:03:05 2012 +0100
pidl/NDR/Parser: also do range checks on the array size
metze
The last 8 patches address bug #8815 (PIDL based autogenerated code allows
overwriting beyond of allocated array; CVE-2012-1182).
(cherry picked from commit 0b9d59d256a74594e89467e5ebe4e62c25c9572e)
commit 7c3e90c07a77e66947e89dbbdec3fb9d3178a75b
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Mar 15 13:14:48 2012 +0100
pidl/NDR/Parser: do array range validation in ParseArrayPullGetLength()
metze
(cherry picked from commit 3e0e6f56a671b40b21c37838ff292fe8902889bb)
commit df3a0693d7a0f49b3b3171a6a481451413b66918
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Mar 15 13:13:20 2012 +0100
pidl/NDR/Parser: use helper variables for array size and length
metze
(cherry picked from commit e94415cf237d1e434daa5da70e6df0b4b6926bae)
commit e24594dd7ae4a490843aaf7d698bb40638e0d24a
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Mar 15 15:07:08 2012 +0100
pidl/NDR/Parser: remember if we already know the array length
metze
(cherry picked from commit 25f68811af3399c6148fa5d31d932465e27a2125)
commit 918b165760671c755517957aa969844a8935d4e5
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Mar 15 13:07:47 2012 +0100
pidl/NDR/Parser: use ParseArrayPullGetLength() to get the number of array elements (bug #8815 / CVE-2012-1182)
An anonymous researcher and Brian Gorenc (HP DVLabs) working
with HP's Zero Day Initiative program have found this and notified us.
metze
(cherry picked from commit 8e99484dec90690ec1e00c17580150278963e063)
commit ab1e69dc8c2bf81e881d37f7bc9b76a0cf1f40b7
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Mar 15 13:05:39 2012 +0100
pidl/NDR/Parser: split off ParseArrayPullGetSize() and ParseArrayPullGetLength()
metze
(cherry picked from commit dc9c68c8992db8225c93043757c4d33b8814c428)
commit 2041a4e6c52415c743f2ee5c435e5c731dbd8b1c
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Mar 15 13:12:04 2012 +0100
pidl/NDR/Parser: simplify logic in DeclareArrayVariables*()
metze
(cherry picked from commit d15b71523d228f78f317f44181900dbf10b52e33)
commit d4df4ac8133f1030d17cbd2e434806ed8e4e338e
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Mar 15 13:09:51 2012 +0100
pidl/NDR/Parser: declare all union helper variables in ParseUnionPull()
metze
(cherry picked from commit 94622cea2b2f4914b4ced35e952680c20cc4985b)
commit d2e3c0544214f6ed061afeeb3f42dc63c7b5e61e
Author: Karolin Seeger <kseeger at samba.org>
Date: Sat Apr 7 15:20:25 2012 +0200
WHATSNEW: Prepare release notes for 3.6.4.
Karolin
(cherry picked from commit 0d45a24cffef841de5db2344910224e4df9bce3a)
-----------------------------------------------------------------------
Summary of changes:
WHATSNEW.txt | 57 ++++++++++-
pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 154 +++++++++++++++++++-----------
source3/VERSION | 2 +-
3 files changed, 149 insertions(+), 64 deletions(-)
Changeset truncated at 500 lines:
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 92754cf..02ed8dd 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,20 +1,20 @@
=============================
- Release Notes for Samba 3.6.4
- , 2012
+ Release Notes for Samba 3.6.5
+ , 2012
=============================
This is the latest stable release of Samba 3.6.
-Major enhancements in Samba 3.6.4 include:
+Major enhancements in Samba 3.6.5 include:
o
-Changes since 3.6.3:
+Changes since 3.6.4:
--------------------
-o Jeremy Allison <jra at samba.org>
+o Stefan Metzmacher <metze at samba.org>
######################################################################
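Review bot: the 3.6.5 header still carries the empty date placeholder `, 2012` and the "Major enhancements" list is a bare `o` bullet with no text; expected for a start-of-cycle commit, but both need filling before the release is tagged, as does the empty entry under `o Stefan Metzmacher`, which currently lists no bugs.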
@@ -40,6 +40,53 @@ Release notes for older releases follow:
----------------------------------------
=============================
+ Release Notes for Samba 3.6.4
+ April 10, 2012
+ =============================
+
+
+This is a security release in order to address
+CVE-2012-1182 ("root" credential remote code execution).
+
+o CVE-2012-1182:
+ Samba 3.0.x to 3.6.3 are affected by a
+ vulnerability that allows remote code
+ execution as the "root" user.
+
+
+Changes since 3.6.3:
+--------------------
+
+
+o Stefan Metzmacher <metze at samba.org>
+ *BUG 8815: PIDL based autogenerated code allows overwriting beyond of
+ allocated array (CVE-2012-1182).
+
+
+######################################################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 3.6 product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+----------------------------------------------------------------------
+
+
+ =============================
Release Notes for Samba 3.6.3
January 29, 2012
=============================
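Review bot: the wording of the bug line `*BUG 8815: PIDL based autogenerated code allows overwriting beyond of` / `allocated array (CVE-2012-1182).` is awkward; suggest "allows writing beyond the end of the allocated array" so the release note states the defect the parser change guards against. The 3.6.4 block itself is complete (date, affected range 3.0.x to 3.6.3, CVE line, reporting section) and sits between the 3.6.5 and 3.6.3 headers as intended.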
diff --git a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm
index 2078f58..3676d6d 100644
--- a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm
+++ b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm
@@ -315,39 +315,99 @@ sub check_null_pointer($$$$)
}
}
-#####################################################################
-# parse an array - pull side
-sub ParseArrayPullHeader($$$$$$)
+sub ParseArrayPullGetSize($$$$$$)
{
my ($self,$e,$l,$ndr,$var_name,$env) = @_;
- my $length;
my $size;
if ($l->{IS_CONFORMANT}) {
- $length = $size = "ndr_get_array_size($ndr, " . get_pointer_to($var_name) . ")";
+ $size = "ndr_get_array_size($ndr, " . get_pointer_to($var_name) . ")";
} elsif ($l->{IS_ZERO_TERMINATED} and $l->{SIZE_IS} == 0 and $l->{LENGTH_IS} == 0) { # Noheader arrays
- $length = $size = "ndr_get_string_size($ndr, sizeof(*$var_name))";
+ $size = "ndr_get_string_size($ndr, sizeof(*$var_name))";
} else {
- $length = $size = ParseExprExt($l->{SIZE_IS}, $env, $e->{ORIGINAL},
+ $size = ParseExprExt($l->{SIZE_IS}, $env, $e->{ORIGINAL},
check_null_pointer($e, $env, sub { $self->pidl(shift); },
"return ndr_pull_error($ndr, NDR_ERR_INVALID_POINTER, \"NULL Pointer for size_is()\");"),
check_fully_dereferenced($e, $env));
}
+ $self->pidl("size_$e->{NAME}_$l->{LEVEL_INDEX} = $size;");
+ my $array_size = "size_$e->{NAME}_$l->{LEVEL_INDEX}";
+
+ if (my $range = has_property($e, "range")) {
+ my ($low, $high) = split(/,/, $range, 2);
+ if ($low < 0) {
+ warning(0, "$low is invalid for the range of an array size");
+ }
+ if ($low == 0) {
+ $self->pidl("if ($array_size > $high) {");
+ } else {
+ $self->pidl("if ($array_size < $low || $array_size > $high) {");
+ }
+ $self->pidl("\treturn ndr_pull_error($ndr, NDR_ERR_RANGE, \"value out of range\");");
+ $self->pidl("}");
+ }
+
+ return $array_size;
+}
+
+#####################################################################
+# parse an array - pull side
+sub ParseArrayPullGetLength($$$$$$;$)
+{
+ my ($self,$e,$l,$ndr,$var_name,$env,$array_size) = @_;
+
+ if (not defined($array_size)) {
+ $array_size = $self->ParseArrayPullGetSize($e, $l, $ndr, $var_name, $env);
+ }
+
+ if (not $l->{IS_VARYING}) {
+ return $array_size;
+ }
+
+ my $length = "ndr_get_array_length($ndr, " . get_pointer_to($var_name) .")";
+ $self->pidl("length_$e->{NAME}_$l->{LEVEL_INDEX} = $length;");
+ my $array_length = "length_$e->{NAME}_$l->{LEVEL_INDEX}";
+
+ if (my $range = has_property($e, "range")) {
+ my ($low, $high) = split(/,/, $range, 2);
+ if ($low < 0) {
+ warning(0, "$low is invalid for the range of an array size");
+ }
+ if ($low == 0) {
+ $self->pidl("if ($array_length > $high) {");
+ } else {
+ $self->pidl("if ($array_length < $low || $array_length > $high) {");
+ }
+ $self->pidl("\treturn ndr_pull_error($ndr, NDR_ERR_RANGE, \"value out of range\");");
+ $self->pidl("}");
+ }
+
+ return $array_length;
+}
+
+#####################################################################
+# parse an array - pull side
+sub ParseArrayPullHeader($$$$$$)
+{
+ my ($self,$e,$l,$ndr,$var_name,$env) = @_;
+
if ((!$l->{IS_SURROUNDING}) and $l->{IS_CONFORMANT}) {
$self->pidl("NDR_CHECK(ndr_pull_array_size($ndr, " . get_pointer_to($var_name) . "));");
}
if ($l->{IS_VARYING}) {
$self->pidl("NDR_CHECK(ndr_pull_array_length($ndr, " . get_pointer_to($var_name) . "));");
- $length = "ndr_get_array_length($ndr, " . get_pointer_to($var_name) .")";
}
- if ($length ne $size) {
- $self->pidl("if ($length > $size) {");
+ my $array_size = $self->ParseArrayPullGetSize($e, $l, $ndr, $var_name, $env);
+ my $array_length = $self->ParseArrayPullGetLength($e, $l, $ndr, $var_name, $env, $array_size);
+
+ if ($array_length ne $array_size) {
+ $self->pidl("if ($array_length > $array_size) {");
$self->indent;
- $self->pidl("return ndr_pull_error($ndr, NDR_ERR_ARRAY_SIZE, \"Bad array size %u should exceed array length %u\", $size, $length);");
+ $self->pidl("return ndr_pull_error($ndr, NDR_ERR_ARRAY_SIZE, \"Bad array size %u should exceed array length %u\", $array_size, $array_length);");
$self->deindent;
$self->pidl("}");
}
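Review bot: the range-check block (`if (my $range = has_property($e, "range"))` through the emitted `return ndr_pull_error($ndr, NDR_ERR_RANGE, ...)`) is duplicated verbatim in ParseArrayPullGetSize and ParseArrayPullGetLength; factor it into one helper that takes the variable name, so a later fix to the check only has to be made once. The copy in ParseArrayPullGetLength also still warns `"$low is invalid for the range of an array size"` although it guards the length, and neither copy rejects a `range()` with `$low > $high`. The header comment `# parse an array - pull side` now sits on both ParseArrayPullGetLength and ParseArrayPullHeader; the new helpers should get their own one-line descriptions. The substance looks right: the size is range-checked as soon as it is read with `ndr_get_array_size()`/`size_is()`, the length is checked as soon as it is read with `ndr_get_array_length()`, and the existing `if (length > size)` comparison now runs on the checked `size_X`/`length_X` helpers before either value is returned to the caller.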
@@ -377,10 +437,10 @@ sub ParseArrayPullHeader($$$$$$)
}
if (ArrayDynamicallyAllocated($e,$l) and not is_charset_array($e,$l)) {
- $self->AllocateArrayLevel($e,$l,$ndr,$var_name,$size);
+ $self->AllocateArrayLevel($e,$l,$ndr,$var_name,$array_size);
}
- return $length;
+ return $array_length;
}
sub compression_alg($$)
@@ -999,6 +1059,7 @@ sub ParseElementPullLevel
my($self,$e,$l,$ndr,$var_name,$env,$primitives,$deferred) = @_;
my $ndr_flags = CalcNdrFlags($l, $primitives, $deferred);
+ my $array_length = undef;
if ($l->{TYPE} eq "ARRAY" and ($l->{IS_VARYING} or $l->{IS_CONFORMANT})) {
$var_name = get_pointer_to($var_name);
@@ -1012,20 +1073,7 @@ sub ParseElementPullLevel
$self->ParseSubcontextPullEnd($e, $l, $ndr, $env);
} elsif ($l->{TYPE} eq "ARRAY") {
my $length = $self->ParseArrayPullHeader($e, $l, $ndr, $var_name, $env);
-
- if (my $range = has_property($e, "range")) {
- my ($low, $high) = split(/,/, $range, 2);
- if ($low < 0) {
- warning(0, "$low is invalid for the range of an array size");
- }
- if ($low == 0) {
- $self->pidl("if ($length > $high) {");
- } else {
- $self->pidl("if ($length < $low || $length > $high) {");
- }
- $self->pidl("\treturn ndr_pull_error($ndr, NDR_ERR_RANGE, \"value out of range\");");
- $self->pidl("}");
- }
+ $array_length = $length;
my $nl = GetNextLevel($e, $l);
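Review bot: with the range check moved into ParseArrayPullHeader, the intermediate `my $length = $self->ParseArrayPullHeader(...)` only exists to feed `$array_length = $length;`; assigning `$array_length = $self->ParseArrayPullHeader($e, $l, $ndr, $var_name, $env);` directly drops a variable and makes it obvious that the element loop later in this function depends on this value.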
@@ -1091,26 +1139,12 @@ sub ParseElementPullLevel
}
} elsif ($l->{TYPE} eq "ARRAY" and
not has_fast_array($e,$l) and not is_charset_array($e, $l)) {
- my $length = ParseExpr($l->{LENGTH_IS}, $env, $e->{ORIGINAL});
+ my $length = $array_length;
my $counter = "cntr_$e->{NAME}_$l->{LEVEL_INDEX}";
my $array_name = $var_name;
- if ($l->{IS_VARYING}) {
- $length = "ndr_get_array_length($ndr, " . get_pointer_to($var_name) .")";
- }
-
- if (my $range = has_property($e, "range")) {
- my ($low, $high) = split(/,/, $range, 2);
- if ($low < 0) {
- warning(0, "$low is invalid for the range of an array size");
- }
- if ($low == 0) {
- $self->pidl("if ($length > $high) {");
- } else {
- $self->pidl("if ($length < $low || $length > $high) {");
- }
- $self->pidl("\treturn ndr_pull_error($ndr, NDR_ERR_RANGE, \"value out of range\");");
- $self->pidl("}");
+ if (not defined($length)) {
+ $length = $self->ParseArrayPullGetLength($e, $l, $ndr, $var_name, $env);
}
$var_name = get_array_element($var_name, $counter);
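Review bot: the fallback `if (not defined($length)) { $length = $self->ParseArrayPullGetLength(...); }` handles the pass in which ParseArrayPullHeader did not run in this call, but ParseArrayPullGetLength then emits the `size_X = ...`/`length_X = ...` assignments and the range check a second time into the generated C. That is safe, since the helper re-reads the values with `ndr_get_array_size()`/`ndr_get_array_length()` or the same `size_is()` expression and the helpers are declared for the whole function, but it duplicates generated checks; a short comment here explaining when `$array_length` is undefined would help the next reader. The removed inline `ndr_get_array_length(...)` assignment and range block are fully covered by the helper, so no check is lost.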
@@ -1527,16 +1561,21 @@ sub DeclarePtrVariables($$)
}
}
-sub DeclareArrayVariables($$)
+sub DeclareArrayVariables($$;$)
{
- my ($self,$e) = @_;
+ my ($self,$e,$pull) = @_;
foreach my $l (@{$e->{LEVELS}}) {
+ next if ($l->{TYPE} ne "ARRAY");
+ if (defined($pull)) {
+ $self->pidl("uint32_t size_$e->{NAME}_$l->{LEVEL_INDEX} = 0;");
+ if ($l->{IS_VARYING}) {
+ $self->pidl("uint32_t length_$e->{NAME}_$l->{LEVEL_INDEX} = 0;");
+ }
+ }
next if has_fast_array($e,$l);
next if is_charset_array($e,$l);
- if ($l->{TYPE} eq "ARRAY") {
- $self->pidl("uint32_t cntr_$e->{NAME}_$l->{LEVEL_INDEX};");
- }
+ $self->pidl("uint32_t cntr_$e->{NAME}_$l->{LEVEL_INDEX};");
}
}
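Review bot: `$pull` is only tested with `defined($pull)`, so the callers pass the string `"pull"` purely as a marker; a boolean parameter (`my ($self,$e,$is_pull) = @_;` with `if ($is_pull)`) reads better and keeps a caller that passes `0` from being treated as the pull side. The new `size_X`/`length_X` helpers are initialised to 0 while the `cntr_X` counters still are not; consider `= 0` on the counter declaration too for consistency. Moving `next if ($l->{TYPE} ne "ARRAY");` to the top of the loop correctly makes the later `has_fast_array`/`is_charset_array` skips apply only to array levels.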
@@ -1545,15 +1584,14 @@ sub DeclareArrayVariablesNoZero($$$)
my ($self,$e,$env) = @_;
foreach my $l (@{$e->{LEVELS}}) {
+ next if ($l->{TYPE} ne "ARRAY");
next if has_fast_array($e,$l);
next if is_charset_array($e,$l);
- if ($l->{TYPE} eq "ARRAY") {
- my $length = ParseExpr($l->{LENGTH_IS}, $env, $e->{ORIGINAL});
- if ($length eq "0") {
+ my $length = ParseExpr($l->{LENGTH_IS}, $env, $e->{ORIGINAL});
+ if ($length eq "0") {
warning($e->{ORIGINAL}, "pointless array cntr: 'cntr_$e->{NAME}_$l->{LEVEL_INDEX}': length=$length");
- } else {
+ } else {
$self->pidl("uint32_t cntr_$e->{NAME}_$l->{LEVEL_INDEX};");
- }
}
}
}
@@ -1619,7 +1657,7 @@ sub ParseStructPull($$$$)
# declare any internal pointers we need
foreach my $e (@{$struct->{ELEMENTS}}) {
$self->DeclarePtrVariables($e);
- $self->DeclareArrayVariables($e);
+ $self->DeclareArrayVariables($e, "pull");
$self->DeclareMemCtxVariables($e);
}
@@ -1882,8 +1920,6 @@ sub ParseUnionPullPrimitives($$$$$)
if ($el->{TYPE} ne "EMPTY") {
$self->indent;
- $self->DeclarePtrVariables($el);
- $self->DeclareArrayVariables($el);
if (defined($e->{PROPERTIES}{relative_base})) {
$self->pidl("NDR_CHECK(ndr_pull_align($ndr, $el->{ALIGN}));");
# set the current offset as base for relative pointers
@@ -1960,6 +1996,8 @@ sub ParseUnionPull($$$$)
next if ($el->{TYPE} eq "EMPTY");
next if ($double_cases{"$el->{NAME}"});
$self->DeclareMemCtxVariables($el);
+ $self->DeclarePtrVariables($el);
+ $self->DeclareArrayVariables($el, "pull");
$double_cases{"$el->{NAME}"} = 1;
}
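Review bot: the declaration order here (DeclareMemCtxVariables, DeclarePtrVariables, DeclareArrayVariables) differs from ParseStructPull and ParseFunctionPull in this same patch, which go Ptr, Array, MemCtx; aligning it would make the three sites easier to compare. Hoisting the two calls out of ParseUnionPullPrimitives (previous hunk) into this `%double_cases` loop is the right move, since each element's helpers are now declared once for the whole union pull and the guard prevents redefinition for an element that appears under more than one case label; with the `= 0` initialisers, cases not taken at runtime leave no uninitialised `size_X`/`length_X` helper behind.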
@@ -2325,7 +2363,7 @@ sub ParseFunctionPull($$)
# declare any internal pointers we need
foreach my $e (@{$fn->{ELEMENTS}}) {
$self->DeclarePtrVariables($e);
- $self->DeclareArrayVariables($e);
+ $self->DeclareArrayVariables($e, "pull");
}
my %double_cases = ();
diff --git a/source3/VERSION b/source3/VERSION
index eb036f7..1149f0c 100644
--- a/source3/VERSION
+++ b/source3/VERSION
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=3
SAMBA_VERSION_MINOR=6
-SAMBA_VERSION_RELEASE=4
+SAMBA_VERSION_RELEASE=5
########################################################
# Bug fix releases use a letter for the patch revision #
--
Samba Shared Repository