[SCM] Samba Shared Repository - branch master updated
Jeremy Allison
jra at samba.org
Thu Jun 18 14:15:05 MDT 2015
The branch, master has been updated
via 5a82cc2 s3: smbd: Codenomicon crash in do_smb_load_module().
via 5deb816 dcerpc: NULL pointer deref crash in handling rpc request.
from a680d60 selftest: Add blackbox test for srvsvc calls from rpcclient
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 5a82cc21379e3fe28441cd82647313c9390b41e7
Author: Jeremy Allison <jra at samba.org>
Date: Thu Jun 18 10:21:07 2015 -0700
s3: smbd: Codenomicon crash in do_smb_load_module().
Inside api_pipe_bind_req() we look for a pipe module name using
dcerpc_default_transport_endpoint(pkt, NCACN_NP, table)
which returns NULL when given invalid pkt data from the Codenomicon fuzzer.
This gets passed directly to smb_probe_module(), which then calls
do_smb_load_module() which tries to deref the (NULL) module name.
https://bugzilla.samba.org/show_bug.cgi?id=11342
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ira Cooper <ira at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Thu Jun 18 22:14:01 CEST 2015 on sn-devel-104
commit 5deb8169fecef108b4f8010446398475ba8b46de
Author: Jeremy Allison <jra at samba.org>
Date: Thu Jun 18 09:57:42 2015 -0700
dcerpc: NULL pointer deref crash in handling rpc request.
source4/rpc_server/dcerpc_server.c:dcesrv_request() calls gensec_have_feature().
Codenomicon found a code path that allows the client to send a
request that calls into this function without ever having set
up security. So call->conn->auth_state.gensec_security exists
(gensec has been initialized when the RPC pipe is set up)
but call->conn->auth_state.gensec_security->ops has not been
initialized. We dereference the NULL pointer and crash.
An alternate way to fix this would be to create a new
public bool gensec_initialized() function and call that
inside dcesrv_request() instead of doing a null
check on call->conn->auth_state.gensec_security,
but that's a more invasive fix we can add later.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11341
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
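The state the second commit message describes (a gensec_security object allocated for the connection, but no ops table installed because the client never set up security) modelled as an added example. This is not Samba's code: the struct names mirror Samba's, but the ops table, the feature flags, the example backend, and the dcesrv_check_request_security() caller are constructed here. It shows both the ops guard the patch adds and the gensec_initialized() helper the message proposes as the alternative fix, with a NULL object also tolerated.

```c
/* Added example, not Samba code: minimal model of gensec_have_feature()
 * being reached on a connection whose security was never initialized. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed feature bits (values chosen for this example only). */
#define GENSEC_FEATURE_SIGN 0x00000002u
#define GENSEC_FEATURE_SEAL 0x00000004u

struct gensec_security;

/* Constructed ops table carrying only the member this example needs. */
struct gensec_security_ops {
	const char *name;
	bool (*have_feature)(struct gensec_security *gensec_security, uint32_t feature);
};

struct gensec_security {
	/* Stays NULL until a mechanism is selected; this is the crashing state. */
	const struct gensec_security_ops *ops;
};

/* Hypothetical backend that supports signing and sealing. */
static bool example_have_feature(struct gensec_security *gensec_security, uint32_t feature)
{
	(void)gensec_security;
	return (feature & (GENSEC_FEATURE_SIGN | GENSEC_FEATURE_SEAL)) == feature;
}

static const struct gensec_security_ops example_ops = {
	.name = "example",
	.have_feature = example_have_feature,
};

/* The gensec_initialized() helper the commit message proposes: true only once
 * a backend has been installed on the object. */
bool gensec_initialized(const struct gensec_security *gensec_security)
{
	return gensec_security != NULL && gensec_security->ops != NULL;
}

/* Same shape as the patched gensec_have_feature(): never dereference an ops
 * table that was never installed, and also tolerate a NULL object. */
bool gensec_have_feature(struct gensec_security *gensec_security, uint32_t feature)
{
	if (!gensec_initialized(gensec_security) ||
	    gensec_security->ops->have_feature == NULL) {
		return false;
	}
	return gensec_security->ops->have_feature(gensec_security, feature);
}

/* Constructed stand-in for the request handler's check: a request that needs
 * signing is rejected (-1) unless the connection's security reports it. */
int dcesrv_check_request_security(struct gensec_security *gensec_security, bool needs_sign)
{
	if (needs_sign && !gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
		return -1;
	}
	return 0;
}

int main(void)
{
	struct gensec_security unauth = { .ops = NULL };       /* crashed before the fix */
	struct gensec_security authed = { .ops = &example_ops };

	printf("unauthenticated, signing required: %s\n",
	       dcesrv_check_request_security(&unauth, true) == 0 ? "accept" : "reject");
	printf("authenticated, signing required: %s\n",
	       dcesrv_check_request_security(&authed, true) == 0 ? "accept" : "reject");
	return 0;
}
```

With the guard in place the unauthenticated connection is simply refused the feature instead of dereferencing a NULL ops pointer; checking gensec_initialized() in the request handler first gives the same protection one level earlier, which is the point of the alternative the commit message mentions.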
-----------------------------------------------------------------------
Summary of changes:
auth/gensec/gensec.c | 2 +-
lib/util/modules.c | 5 +++++
2 files changed, 6 insertions(+), 1 deletion(-)
Changeset truncated at 500 lines:
diff --git a/auth/gensec/gensec.c b/auth/gensec/gensec.c
index 8b5c02d..d9504f7 100644
--- a/auth/gensec/gensec.c
+++ b/auth/gensec/gensec.c
@@ -533,7 +533,7 @@ _PUBLIC_ void gensec_want_feature(struct gensec_security *gensec_security,
_PUBLIC_ bool gensec_have_feature(struct gensec_security *gensec_security,
uint32_t feature)
{
- if (!gensec_security->ops->have_feature) {
+ if (!gensec_security->ops || !gensec_security->ops->have_feature) {
return false;
}
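Review bot: the new condition guards gensec_security->ops but still dereferences gensec_security itself unconditionally, so a caller passing a NULL object (rather than one with a NULL ops table) would crash in the same way; either prepend `!gensec_security ||` to the check or document that callers must never pass NULL. The fallback is also silent: returning false hides that a request reached gensec_have_feature() without security ever being set up, which the commit message says should not happen, so a DEBUG line on that path would make such sessions visible in the logs, and the gensec_initialized() helper the message proposes would let dcesrv_request() reject the request up front instead of relying on this feature check to absorb it.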
diff --git a/lib/util/modules.c b/lib/util/modules.c
index 828f33a..1f00dd8 100644
--- a/lib/util/modules.c
+++ b/lib/util/modules.c
@@ -161,6 +161,11 @@ static NTSTATUS do_smb_load_module(const char *subsystem,
char *full_path = NULL;
TALLOC_CTX *ctx = talloc_stackframe();
+ if (module_name == NULL) {
+ TALLOC_FREE(ctx);
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
/* Check for absolute path */
DEBUG(5, ("%s module '%s'\n", is_probe ? "Probing" : "Loading", module_name));
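Review bot: the module_name NULL check sits after talloc_stackframe(), so the early return has to free ctx (the hunk does this correctly), but placing the check before the allocation would remove that obligation and the pointless allocate/free pair; only the full_path and ctx declarations precede it in the context shown. The error path is also silent: since the commit message says the NULL comes from api_pipe_bind_req() via dcerpc_default_transport_endpoint() on malformed packets, a DEBUG message here, and a check in that caller so a bind with no resolvable endpoint is rejected before the module loader is reached, would make the condition observable rather than only returning NT_STATUS_INVALID_PARAMETER from the lowest layer.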
--
Samba Shared Repository