[SCM] Samba Shared Repository - branch v4-1-test updated
Karolin Seeger
kseeger at samba.org
Mon Jun 23 03:24:01 MDT 2014
The branch, v4-1-test has been updated
via 3390f57 VERSION: Bump version up to 4.1.10.
via dffc7ba Merge tag 'samba-4.1.9' into v4-1-test
via 42e655f VERSION: Disable git snapshot for the 4.1.8 release.
via 9842dc8 WHATSNEW: Add release notes for Samba 4.1.9.
via a88baed s3: smbd - fix processing of packets with invalid DOS charset conversions.
via a04875b s3: nmbd: Fix bug 10633 - nmbd denial of service
via 33f37c5 VERSION: Bump version number up to 4.1.9...
from 5663c4a winbindd: Ensure we do not look at rid_array before checking if it was returned
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-1-test
- Log -----------------------------------------------------------------
commit 3390f5702296c4411c9c955565f23cbfb5896a71
Author: Karolin Seeger <kseeger at samba.org>
Date: Mon Jun 23 11:23:22 2014 +0200
VERSION: Bump version up to 4.1.10.
Signed-off-by: Karolin Seeger <kseeger at samba.org>
commit dffc7bab36dda01a9c8f6d6d34b9710f5d83aa1d
Merge: 5663c4ac8b7f2c1fbd59177423d35cf8ad31dd82 42e655f1c9fd4c5b22a5b9d3a228e0a90432952f
Author: Karolin Seeger <kseeger at samba.org>
Date: Mon Jun 23 11:22:47 2014 +0200
Merge tag 'samba-4.1.9' into v4-1-test
samba: tag release samba-4.1.9
commit 42e655f1c9fd4c5b22a5b9d3a228e0a90432952f
Author: Karolin Seeger <kseeger at samba.org>
Date: Sun Jun 22 16:42:41 2014 +0200
VERSION: Disable git snapshot for the 4.1.8 release.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10633
CVE-2014-0244: nmbd denial of service
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10654
CVE-2014-3493: Segmentation fault in smbd_marshall_dir_entry()'s
SMB_FIND_FILE_UNIX handler because push_ascii() has returned (uint32_t)-1
via srvstr_push(), incrementing p by 4GB
Signed-off-by: Karolin Seeger <kseeger at samba.org>
-----------------------------------------------------------------------
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 61 +++++++++++++++++++++++++++++++++++++++++++++-
source3/lib/charcnv.c | 26 +++++++++++++-------
source3/lib/system.c | 7 +----
source3/libsmb/clirap.c | 4 +-
source3/smbd/lanman.c | 4 +-
6 files changed, 83 insertions(+), 21 deletions(-)
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index 1faf36b..5c0bf06 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=4
SAMBA_VERSION_MINOR=1
-SAMBA_VERSION_RELEASE=9
+SAMBA_VERSION_RELEASE=10
########################################################
# If a official release has a serious bug #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index fc93ef5..7ae1ce9 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,61 @@
=============================
+ Release Notes for Samba 4.1.9
+ June 23, 2014
+ =============================
+
+
+This is a security release in order to address
+CVE-2014-0244 (Denial of service - CPU loop) and
+CVE-2014-3493 (Denial of service - Server crash/memory corruption).
+
+o CVE-2014-0244:
+ All current released versions of Samba are vulnerable to a denial of
+ service on the nmbd NetBIOS name services daemon. A malformed packet
+ can cause the nmbd server to loop the CPU and prevent any further
+ NetBIOS name service.
+
+ This flaw is not exploitable beyond causing the code to loop expending
+ CPU resources.
+
+o CVE-2014-3493:
+ All current released versions of Samba are affected by a denial of service
+ crash involving overwriting memory on an authenticated connection to the
+ smbd file server.
+
+
+Changes since 4.1.8:
+--------------------
+
+o Jeremy Allison <jra at samba.org>
+ * BUG 10633: CVE-2014-0244: Fix nmbd denial of service.
+ * BUG 10654: CVE-2014-3493: Fix segmentation fault in
+ smbd_marshall_dir_entry()'s SMB_FIND_FILE_UNIX handler.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
+ =============================
Release Notes for Samba 4.1.8
June 3, 2014
=============================
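Review bot: The CVE-2014-3493 description paragraph states the impact ("overwriting memory on an authenticated connection") but not what triggers it. The commit subject in this push names the trigger as packets with invalid DOS charset conversions, and the changes list names smbd_marshall_dir_entry()'s SMB_FIND_FILE_UNIX handler. One added sentence in the description tying these together would let administrators judge their exposure without reading the bug.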
@@ -112,8 +169,8 @@ database (https://bugzilla.samba.org/).
======================================================================
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
=============================
Release Notes for Samba 4.1.7
diff --git a/source3/lib/charcnv.c b/source3/lib/charcnv.c
index 71d2c3a..2189812 100644
--- a/source3/lib/charcnv.c
+++ b/source3/lib/charcnv.c
@@ -46,9 +46,9 @@ void gfree_charcnv(void)
**/
size_t push_ascii(void *dest, const char *src, size_t dest_len, int flags)
{
- size_t src_len = strlen(src);
+ size_t src_len = 0;
char *tmpbuf = NULL;
- size_t size;
+ size_t size = 0;
bool ret;
/* No longer allow a length of -1. */
@@ -62,24 +62,32 @@ size_t push_ascii(void *dest, const char *src, size_t dest_len, int flags)
smb_panic("malloc fail");
}
if (!strupper_m(tmpbuf)) {
+ if ((flags & (STR_TERMINATE|STR_TERMINATE_ASCII)) &&
+ dest &&
+ dest_len > 0) {
+ *(char *)dest = 0;
+ }
SAFE_FREE(tmpbuf);
- return (size_t)-1;
+ return 0;
}
src = tmpbuf;
}
+ src_len = strlen(src);
if (flags & (STR_TERMINATE | STR_TERMINATE_ASCII)) {
src_len++;
}
ret = convert_string(CH_UNIX, CH_DOS, src, src_len, dest, dest_len, &size);
- if (ret == false &&
- (flags & (STR_TERMINATE | STR_TERMINATE_ASCII))
- && dest_len > 0) {
- ((char *)dest)[0] = '\0';
- }
SAFE_FREE(tmpbuf);
- return ret ? size : (size_t)-1;
+ if (ret == false) {
+ if ((flags & (STR_TERMINATE | STR_TERMINATE_ASCII)) &&
+ dest_len > 0) {
+ ((char *)dest)[0] = '\0';
+ }
+ return 0;
+ }
+ return size;
}
/********************************************************************
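Review bot: The two failure paths in push_ascii() guard the terminator write differently. The strupper_m() branch tests `dest && dest_len > 0` before `*(char *)dest = 0`, while the convert_string() failure branch tests only `dest_len > 0` before `((char *)dest)[0] = '\0'`. Use the same guard in both places. Returning 0 instead of (size_t)-1 also makes 0 the error value, yet without STR_TERMINATE or STR_TERMINATE_ASCII an empty src has src_len 0, so a successful conversion could yield 0 as well. The function's header comment should state the new contract and note that callers testing `== 0` depend on a terminate flag being set.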
diff --git a/source3/lib/system.c b/source3/lib/system.c
index 8252e4f..4f38597 100644
--- a/source3/lib/system.c
+++ b/source3/lib/system.c
@@ -169,6 +169,7 @@ ssize_t sys_send(int s, const void *msg, size_t len, int flags)
/*******************************************************************
A recvfrom wrapper that will deal with EINTR.
+NB. As used with non-blocking sockets, return on EAGAIN/EWOULDBLOCK
********************************************************************/
ssize_t sys_recvfrom(int s, void *buf, size_t len, int flags, struct sockaddr *from, socklen_t *fromlen)
@@ -177,11 +178,7 @@ ssize_t sys_recvfrom(int s, void *buf, size_t len, int flags, struct sockaddr *f
do {
ret = recvfrom(s, buf, len, flags, from, fromlen);
-#if defined(EWOULDBLOCK)
- } while (ret == -1 && (errno == EINTR || errno == EAGAIN || errno == EWOULDBLOCK));
-#else
- } while (ret == -1 && (errno == EINTR || errno == EAGAIN));
-#endif
+ } while (ret == -1 && (errno == EINTR));
return ret;
}
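Review bot: With EAGAIN and EWOULDBLOCK dropped from the retry condition, sys_recvfrom() now returns -1 to every caller when a non-blocking socket has no data, and the summary of changes lists no call sites being updated alongside it. Each caller has to treat errno EAGAIN/EWOULDBLOCK as "nothing to read" rather than a hard error, and the NB comment added above the function should say so explicitly. Minor style point: the extra parentheses in `(errno == EINTR)` can go.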
diff --git a/source3/libsmb/clirap.c b/source3/libsmb/clirap.c
index 036919f..64e3767 100644
--- a/source3/libsmb/clirap.c
+++ b/source3/libsmb/clirap.c
@@ -327,7 +327,7 @@ bool cli_NetServerEnum(struct cli_state *cli, char *workgroup, uint32 stype,
sizeof(param) - PTR_DIFF(p,param) - 1,
STR_TERMINATE|STR_UPPER);
- if (len == (size_t)-1) {
+ if (len == 0) {
SAFE_FREE(last_entry);
return false;
}
@@ -339,7 +339,7 @@ bool cli_NetServerEnum(struct cli_state *cli, char *workgroup, uint32 stype,
sizeof(param) - PTR_DIFF(p,param) - 1,
STR_TERMINATE);
- if (len == (size_t)-1) {
+ if (len == 0) {
SAFE_FREE(last_entry);
return false;
}
diff --git a/source3/smbd/lanman.c b/source3/smbd/lanman.c
index 1b734a7..0a0ab6b 100644
--- a/source3/smbd/lanman.c
+++ b/source3/smbd/lanman.c
@@ -128,7 +128,7 @@ static int CopyExpanded(connection_struct *conn,
return 0;
}
l = push_ascii(*dst,buf,*p_space_remaining, STR_TERMINATE);
- if (l == -1) {
+ if (l == 0) {
return 0;
}
(*dst) += l;
@@ -143,7 +143,7 @@ static int CopyAndAdvance(char **dst, char *src, int *n)
return 0;
}
l = push_ascii(*dst,src,*n, STR_TERMINATE);
- if (l == -1) {
+ if (l == 0) {
return 0;
}
(*dst) += l;
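Review bot: In CopyAndAdvance() the remaining space `*n` is an int, but it is passed as the size_t dest_len of push_ascii(), so a negative value would be converted to a very large length. The guard just above this call is not visible in the hunk and should be confirmed to reject `*n <= 0`. The same check is worth making for `*p_space_remaining` in CopyExpanded() if it is also signed. With the new return contract, `l == 0` is an unambiguous failure test at these two call sites only because STR_TERMINATE is passed, which deserves a short comment next to each check.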
--
Samba Shared Repository