[SCM] Samba Shared Repository - branch v4-0-test updated
Karolin Seeger
kseeger at samba.org
Mon Aug 5 04:43:58 MDT 2013
The branch, v4-0-test has been updated
via f5bd128 VERSION: Bump version number up to 4.0.9.
via 3b7e719 Merge tag 'samba-4.0.8' into v4-0-test
via dbf87d3 WHATSNEW: Add release notes for Samba 4.0.8.
via 03656a7 Fix bug #10010 - Missing integer wrap protection in EA list reading can cause server to loop with DOS.
via b4bfcdf Fix bug #10010 - Missing integer wrap protection in EA list reading can cause server to loop with DOS.
via 4df0ef0 VERSION: Bump version number up to 4.0.8.
from 221cffa s4-lib/socket: Allocate a the larger sockaddr_un and not just a sockaddr_in in unixdom_get_my_addr()
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-0-test
- Log -----------------------------------------------------------------
commit f5bd1286f124dd03161dcd876681c3df1d4793f3
Author: Karolin Seeger <kseeger at samba.org>
Date: Mon Aug 5 12:41:23 2013 +0200
VERSION: Bump version number up to 4.0.9.
Signed-off-by: Karolin Seeger <kseeger at samba.org>
commit 3b7e7196c6854cd549a0d2fab39165e0c13fa88f
Merge: 221cffa25510b6115490b5c48d60ec231357a068 dbf87d3867c1771a09029b733c8de1e134e270e4
Author: Karolin Seeger <kseeger at samba.org>
Date: Mon Aug 5 12:40:37 2013 +0200
Merge tag 'samba-4.0.8' into v4-0-test
samba: tag release samba-4.0.8
-----------------------------------------------------------------------
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 60 +++++++++++++++++++++++++++++++++++++++++-
source3/smbd/nttrans.c | 12 ++++++++
source4/libcli/raw/raweas.c | 7 +++-
4 files changed, 76 insertions(+), 5 deletions(-)
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index be94a07..6cb5cba 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=4
SAMBA_VERSION_MINOR=0
-SAMBA_VERSION_RELEASE=8
+SAMBA_VERSION_RELEASE=9
########################################################
# If a official release has a serious bug #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 6ab15c8..503aff0 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,60 @@
=============================
+ Release Notes for Samba 4.0.8
+ August 05, 2013
+ =============================
+
+
+This is a security release in order to address
+CVE-2013-4124 (Missing integer wrap protection in EA list reading can cause
+server to loop with DOS).
+
+o CVE-2013-4124:
+ All current released versions of Samba are vulnerable to a denial of
+ service on an authenticated or guest connection. A malformed packet
+ can cause the smbd server to loop the CPU performing memory
+ allocations and preventing any further service.
+
+ A connection to a file share, or a local account is needed to exploit
+ this problem, either authenticated or unauthenticated if guest
+ connections are allowed.
+
+ This flaw is not exploitable beyond causing the code to loop
+ allocating memory, which may cause the machine to exceed memory
+ limits.
+
+
+Changes since 4.0.7:
+--------------------
+
+o Jeremy Allison <jra at samba.org>
+ * BUG 10010: CVE-2013-4124: Missing integer wrap protection in EA list
+ reading can cause server to loop with DOS.
+
+
+######################################################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.0 product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
+ =============================
Release Notes for Samba 4.0.7
July 2, 2013
=============================
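Review bot: The CVE-2013-4124 entry says "All current released versions of Samba are vulnerable" without giving a version range, and the sentence "A connection to a file share, or a local account is needed" reads ambiguously next to the guest-access clause. Consider stating the affected range explicitly, and saying whether disabling guest connections limits exposure to authenticated users only, since the text implies that but does not say it.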
@@ -103,8 +159,8 @@ database (https://bugzilla.samba.org/).
======================================================================
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
=============================
Release Notes for Samba 4.0.6
diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
index 54e475d..f70fb36 100644
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -993,7 +993,19 @@ struct ea_list *read_nttrans_ea_list(TALLOC_CTX *ctx, const char *pdata, size_t
if (next_offset == 0) {
break;
}
+
+ /* Integer wrap protection for the increment. */
+ if (offset + next_offset < offset) {
+ break;
+ }
+
offset += next_offset;
+
+ /* Integer wrap protection for while loop. */
+ if (offset + 4 < offset) {
+ break;
+ }
+
}
return ea_list_head;
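Review bot: Both new wrap checks in read_nttrans_ea_list() exit with `break`, so a chain whose next_offset wraps falls through to `return ea_list_head;` and the caller receives the entries parsed so far as if the list were well formed. The matching check in ea_pull_list_chained() in this same changeset returns NT_STATUS_INVALID_PARAMETER instead. Consider returning NULL here as well, if callers treat NULL as a parse failure, so that a malformed chain is rejected rather than silently truncated. The tests `offset + next_offset < offset` and `offset + 4 < offset` also depend on both variables being unsigned so that the addition wraps with defined behaviour; their declarations are outside this hunk and are worth confirming. Nit: the blank line added just before the closing brace of the loop can be dropped.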
diff --git a/source4/libcli/raw/raweas.c b/source4/libcli/raw/raweas.c
index 5f06e70..b626b31 100644
--- a/source4/libcli/raw/raweas.c
+++ b/source4/libcli/raw/raweas.c
@@ -243,9 +243,12 @@ NTSTATUS ea_pull_list_chained(const DATA_BLOB *blob,
return NT_STATUS_INVALID_PARAMETER;
}
- ofs += next_ofs;
+ if (ofs + next_ofs < ofs) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
- if (ofs+4 > blob->length) {
+ ofs += next_ofs;
+ if (ofs+4 > blob->length || ofs+4 < ofs) {
return NT_STATUS_INVALID_PARAMETER;
}
n++;
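Review bot: The guard `if (ofs + next_ofs < ofs)` and the added `ofs+4 < ofs` clause detect the wrap only after computing the sum, which is reliable only if ofs and next_ofs are unsigned and of the same width; neither declaration is visible in this hunk. A subtraction against the buffer length, such as `next_ofs > blob->length - ofs`, would reject a wrapping offset and an out-of-range offset in a single test with no overflowing arithmetic, provided ofs <= blob->length holds at that point. A one-line comment naming the wrap protection, as was added in nttrans.c, would also help the next reader.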
--
Samba Shared Repository