[SCM] Samba Shared Repository - branch master updated

Jeremy Allison jra at samba.org
Thu Jun 18 14:15:05 MDT 2015


The branch, master has been updated
       via  5a82cc2 s3: smbd: Codenomicon crash in do_smb_load_module().
       via  5deb816 dcerpc: NULL pointer deref crash in handling rpc request.
      from  a680d60 selftest: Add blackbox test for srvsvc calls from rpcclient

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 5a82cc21379e3fe28441cd82647313c9390b41e7
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Jun 18 10:21:07 2015 -0700

    s3: smbd: Codenomicon crash in do_smb_load_module().
    
    Inside api_pipe_bind_req() we look for a pipe module name using
    
    dcerpc_default_transport_endpoint(pkt,
                                    NCACN_NP, table)
    
    which returns NULL when given invalid pkt data from the Codenomicon fuzzer.
    
    This gets passed directly to smb_probe_module(), which then calls
    do_smb_load_module() which tries to deref the (NULL) module name.
    
    https://bugzilla.samba.org/show_bug.cgi?id=11342
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ira Cooper <ira at samba.org>
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Thu Jun 18 22:14:01 CEST 2015 on sn-devel-104

commit 5deb8169fecef108b4f8010446398475ba8b46de
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Jun 18 09:57:42 2015 -0700

    dcerpc: NULL pointer deref crash in handling rpc request.
    
    source4/rpc_server/dcerpc_server.c:dcesrv_request() calls gensec_have_feature().
    
    Codenomicon found a code path that allows the client to send a
    request that calls into this function without ever having set
    up security. So call->conn->auth_state.gensec_security exists
    (gensec has been initialized when the RPC pipe is set up)
    but call->conn->auth_state.gensec_security->ops has not been
    initialized. We dereference the NULL pointer and crash.
    
    An alternate way to fix this would be to create a new
    public bool gensec_initialized() function and call that
    inside dcesrv_request() instead of doing a null
    check on call->conn->auth_state.gensec_security,
    but that's a more invasive fix we can add later.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11341
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Alexander Bokovoy <ab at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 auth/gensec/gensec.c | 2 +-
 lib/util/modules.c   | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)


Changeset truncated at 500 lines:

diff --git a/auth/gensec/gensec.c b/auth/gensec/gensec.c
index 8b5c02d..d9504f7 100644
--- a/auth/gensec/gensec.c
+++ b/auth/gensec/gensec.c
@@ -533,7 +533,7 @@ _PUBLIC_ void gensec_want_feature(struct gensec_security *gensec_security,
 _PUBLIC_ bool gensec_have_feature(struct gensec_security *gensec_security,
 			 uint32_t feature)
 {
-	if (!gensec_security->ops->have_feature) {
+	if (!gensec_security->ops || !gensec_security->ops->have_feature) {
 		return false;
 	}
 
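Review bot: the added `!gensec_security->ops` guard in gensec_have_feature() closes only one entry point, while the commit message says the root cause is dcesrv_request() calling into gensec before security has been set up, so every other gensec_* function that dereferences gensec_security->ops is reachable by the same unauthenticated request path and should be audited for the same crash (gensec_want_feature(), visible in this hunk's context header, is the first one to check). Suggest following up with the gensec_initialized() check in dcesrv_request() that the commit message proposes so the request is rejected before any gensec call is made, and adding a one-line comment above the new test explaining that `ops` is NULL when a client sends requests on a pipe whose auth has not completed, otherwise the extra condition reads as dead code and risks being removed.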
diff --git a/lib/util/modules.c b/lib/util/modules.c
index 828f33a..1f00dd8 100644
--- a/lib/util/modules.c
+++ b/lib/util/modules.c
@@ -161,6 +161,11 @@ static NTSTATUS do_smb_load_module(const char *subsystem,
 	char *full_path = NULL;
 	TALLOC_CTX *ctx = talloc_stackframe();
 
+	if (module_name == NULL) {
+		TALLOC_FREE(ctx);
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
 	/* Check for absolute path */
 
 	DEBUG(5, ("%s module '%s'\n", is_probe ? "Probing" : "Loading", module_name));
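Review bot: the NULL check lands in the callee, but per the commit message the NULL originates in api_pipe_bind_req() when dcerpc_default_transport_endpoint() returns NULL for a malformed bind packet; that caller should test the return value and fail the bind explicitly instead of passing NULL through smb_probe_module() and relying on NT_STATUS_INVALID_PARAMETER coming back from the module loader, which leaves any other caller of smb_probe_module() with the same unchecked input. Minor: the new check runs after `TALLOC_CTX *ctx = talloc_stackframe();`, so it allocates a stack frame only to free it; placing `if (module_name == NULL) { return NT_STATUS_INVALID_PARAMETER; }` before the talloc_stackframe() call avoids that, and a comment noting that module_name can be NULL for malformed bind requests would document why a loader is validating its argument.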


-- 
Samba Shared Repository

