[SCM] Samba Shared Repository - branch v4-7-test updated

Karolin Seeger kseeger at samba.org
Wed Nov 22 08:08:40 UTC 2017 

The branch, v4-7-test has been updated
       via  cb6ec4d VERSION: Bump version up to 4.7.4...
       via  641af30 Merge tag 'samba-4.7.3' into v4-7-test
       via  d0b59a5 VERSION: Disable GIT_SNAPSHOT for the 4.7.3 release.
       via  6dc9b5f WHATSNEW: Add release notes for Samba 4.7.3.
       via  8c08a4e s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown.
       via  7e17418 s3: smbd: Fix SMB1 use-after-free crash bug. CVE-2017-14746
      from  7b28a97 s3: libsmb: smbc_statvfs is missing the supporting SMB2 calls.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test


- Log -----------------------------------------------------------------
commit cb6ec4d50ebc5eb89ef6cff3c4d8f887d329da1b
Author: Karolin Seeger <kseeger at samba.org>
Date:   Wed Nov 22 09:08:06 2017 +0100

    VERSION: Bump version up to 4.7.4...
    
    and re-enable GIT_SNAPSHOT.
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>

commit 641af304b9d1d55951376a57b41d8396658714e4
Merge: 7b28a97 d0b59a5
Author: Karolin Seeger <kseeger at samba.org>
Date:   Wed Nov 22 09:07:45 2017 +0100

    Merge tag 'samba-4.7.3' into v4-7-test
    
    samba: tag release samba-4.7.3

-----------------------------------------------------------------------

Summary of changes:
 VERSION                |  2 +-
 WHATSNEW.txt           | 75 ++++++++++++++++++++++++++++++++++++++++++++++++--
 source3/smbd/process.c |  7 +++--
 source3/smbd/reply.c   |  5 ++++
 source3/smbd/srvstr.c  | 14 ++++++++++
 5 files changed, 97 insertions(+), 6 deletions(-)


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index 0ba31a3..6be993b 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 ########################################################
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=7
-SAMBA_VERSION_RELEASE=3
+SAMBA_VERSION_RELEASE=4
 
 ########################################################
 # If a official release has a serious bug              #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 8074a83..4e403ae 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,75 @@
                    =============================
+                   Release Notes for Samba 4.7.3
+                         November 21, 2017
+                   =============================
+
+
+This is a security release in order to address the following defects:
+
+o  CVE-2017-14746 (Use-after-free vulnerability.)
+o  CVE-2017-15275 (Server heap memory information leak.)
+
+
+=======
+Details
+=======
+
+o  CVE-2017-14746:
+   All versions of Samba from 4.0.0 onwards are vulnerable to a use after
+   free vulnerability, where a malicious SMB1 request can be used to
+   control the contents of heap memory via a deallocated heap pointer. It
+   is possible this may be used to compromise the SMB server.
+
+o  CVE-2017-15275:
+   All versions of Samba from 3.6.0 onwards are vulnerable to a heap
+   memory information leak, where server allocated heap memory may be
+   returned to the client without being cleared.
+
+   There is no known vulnerability associated with this error, but
+   uncleared heap memory may contain previously used data that may help
+   an attacker compromise the server via other methods. Uncleared heap
+   memory may potentially contain password hashes or other high-value
+   data.
+
+For more details and workarounds, please see the security advisories:
+
+   o https://www.samba.org/samba/security/CVE-2017-14746.html
+   o https://www.samba.org/samba/security/CVE-2017-15275.html
+
+
+Changes since 4.7.2:
+--------------------
+
+o  Jeremy Allison <jra at samba.org>
+   * BUG 13041: CVE-2017-14746: s3: smbd: Fix SMB1 use-after-free crash bug.
+   * BUG 13077: CVE-2017-15275: s3: smbd: Chain code can return uninitialized
+     memory when talloc buffer is grown.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
+                   =============================
                    Release Notes for Samba 4.7.2
                          November 15, 2017
                    =============================
@@ -51,8 +122,8 @@ database (https://bugzilla.samba.org/).
 ======================================================================
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
 
                    =============================
                    Release Notes for Samba 4.7.1
diff --git a/source3/smbd/process.c b/source3/smbd/process.c
index 3765739..3544266 100644
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -1855,12 +1855,13 @@ void smb_request_done(struct smb_request *req)
 
 		next->vuid = SVAL(req->outbuf, smb_uid);
 		next->tid  = SVAL(req->outbuf, smb_tid);
-		status = smb1srv_tcon_lookup(req->xconn, req->tid,
+		status = smb1srv_tcon_lookup(req->xconn, next->tid,
 					     now, &tcon);
+
 		if (NT_STATUS_IS_OK(status)) {
-			req->conn = tcon->compat;
+			next->conn = tcon->compat;
 		} else {
-			req->conn = NULL;
+			next->conn = NULL;
 		}
 		next->chain_fsp = req->chain_fsp;
 		next->inbuf = req->inbuf;
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index 7b07078..81acedf 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -923,6 +923,11 @@ void reply_tcon_and_X(struct smb_request *req)
 		}
 
 		TALLOC_FREE(tcon);
+		/*
+		 * This tree id is gone. Make sure we can't re-use it
+		 * by accident.
+		 */
+		req->tid = 0;
 	}
 
 	if ((passlen > MAX_PASS_LEN) || (passlen >= req->buflen)) {
diff --git a/source3/smbd/srvstr.c b/source3/smbd/srvstr.c
index 56dceba..c2d70b3 100644
--- a/source3/smbd/srvstr.c
+++ b/source3/smbd/srvstr.c
@@ -110,6 +110,20 @@ ssize_t message_push_string(uint8_t **outbuf, const char *str, int flags)
 		DEBUG(0, ("srvstr_push failed\n"));
 		return -1;
 	}
+
+	/*
+	 * Ensure we clear out the extra data we have
+	 * grown the buffer by, but not written to.
+	 */
+	if (buf_size + result < buf_size) {
+		return -1;
+	}
+	if (grow_size < result) {
+		return -1;
+	}
+
+	memset(tmp + buf_size + result, '\0', grow_size - result);
+
 	set_message_bcc((char *)tmp, smb_buflen(tmp) + result);
 
 	*outbuf = tmp;


-- 
Samba Shared Repository

More information about the samba-cvs mailing list