[Security Problem] --with-tdbsam

Yasuma Takeda yasuma at miraclelinux.com
Mon Jul 1 05:42:02 GMT 2002


In Samba-JP, a "buffer overflow" problem was reported.

If samba is configured with "--with-tdbsam", the init_sam_from_buffer function
contains a buffer overflow vulnerability.

In certain cases, a user can trigger this vulnerability by changing his password.

Please examine this security problem and take the necessary measures.

Vulnerable versions:
2.2.3, 2.2.3a, 2.2.4, 2.2.5

-------------- CUT HERE ---------------------------
diff -uNr samba-2.2.5.orig/source/passdb/pdb_tdb.c samba-2.2.5/source/passdb/pdb_tdb.c
--- samba-2.2.5.orig/source/passdb/pdb_tdb.c	Fri May  3 10:03:27 2002
+++ samba-2.2.5/source/passdb/pdb_tdb.c	Mon Jul  1 18:58:05 2002
@@ -81,6 +81,7 @@
 	static uint8	*lm_pw_ptr, *nt_pw_ptr;
 	uint32		len = 0;
 	uint32		lmpwlen, ntpwlen, hourslen;
+	pstring		cvt_buf;
 	BOOL ret = True;
 	BOOL setflag;
 	struct passwd *pw;
@@ -160,9 +161,10 @@
 	if (homedir) setflag = True;
 	else {
 		setflag = False;
-		homedir = strdup(lp_logon_home());
+		pstrcpy(cvt_buf, lp_logon_home());
+		standard_sub_advanced(-1, username, "", gid, cvt_buf);
+		homedir = strdup(cvt_buf);
 		if(!homedir) { ret = False; goto done; }
-		standard_sub_advanced(-1, username, "", gid, homedir);
 		DEBUG(5,("Home directory set back to %s\n", homedir));
 	}
 	pdb_set_homedir(sampass, homedir, setflag);
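Review bot: The added lines close the overflow only on the assumption that standard_sub_advanced() bounds its expansion to the size of a pstring, since cvt_buf is now the buffer it writes into; nothing in the hunk states that, so the reason for the buffer change should be recorded next to the pstrcpy line, e.g. `/* expand %-substitutions in a pstring-sized buffer before strdup(); expanding in place in the exact-length strdup() copy overflowed it */`. The same remark applies to the three identical hunks for dir_drive, logon_script and profile_path below. Note also that pstrcpy() truncates silently when lp_logon_home() does not fit a pstring, which is the intended trade-off here but is worth a word in that comment. init_sam_from_buffer's body starts and ends outside this hunk.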
@@ -170,9 +172,10 @@
 	if (dir_drive) setflag = True;
 	else {
 		setflag = False;
-		dir_drive = strdup(lp_logon_drive());
+		pstrcpy(cvt_buf, lp_logon_drive());
+		standard_sub_advanced(-1, username, "", gid, cvt_buf);
+		dir_drive = strdup(cvt_buf);
 		if(!dir_drive) { ret = False; goto done; }
-		standard_sub_advanced(-1, username, "", gid, dir_drive);
 		DEBUG(5,("Home directory set back to %s\n", dir_drive));
 	}
 	pdb_set_dir_drive(sampass, dir_drive, setflag);
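Review bot: The DEBUG line retained on the new side of this hunk reports the logon drive under the wrong label, since it was copied from the homedir block; it should read `DEBUG(5,("Logon drive set back to %s\n", dir_drive));`. The logon_script and profile_path hunks below carry the same copy-pasted "Home directory" text and should name their own field. Misleading log text matters here because these level-5 messages are what an admin would use to check which default value a user actually received.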
@@ -180,9 +183,10 @@
 	if (logon_script) setflag = True;
 	else {
 		setflag = False;
-		logon_script = strdup(lp_logon_script());
+		pstrcpy(cvt_buf, lp_logon_script());
+		standard_sub_advanced(-1, username, "", gid, cvt_buf);
+		logon_script = strdup(cvt_buf);
 		if(!logon_script) { ret = False; goto done; }
-		standard_sub_advanced(-1, username, "", gid, logon_script);
 		DEBUG(5,("Home directory set back to %s\n", logon_script));
 	}
 	pdb_set_logon_script(sampass, logon_script, setflag);
@@ -190,9 +194,10 @@
 	if (profile_path) setflag = True;
 	else {
 		setflag = False;
-		profile_path = strdup(lp_logon_path());
+		pstrcpy(cvt_buf, lp_logon_path());
+		standard_sub_advanced(-1, username, "", gid, cvt_buf);
+		profile_path = strdup(cvt_buf);
 		if(!profile_path) { ret = False; goto done; }
-		standard_sub_advanced(-1, username, "", gid, profile_path);
 		DEBUG(5,("Home directory set back to %s\n", profile_path));
 	}
 	pdb_set_profile_path(sampass, profile_path, setflag);
------------- END ------------


Regards,
Yasuma Takeda




