[samba-bugs@samba.org: DO NOT REPLY [Bug 5087] Crash of smbd after upgrade to 3.0.27]

Michael Adam ma at sernet.de
Fri Nov 16 15:36:30 GMT 2007

Hi Jeremy and Jerry,

Samba 3.0.27 panics ("push_ascii - dest_len == -1").

How do we proceed with this one? We have to find all the calls
that eventually lead to push_ascii called with dest_len == -1.
My analysis has produced quite a few (see below).

I can't fix all that right now, but I could do some more work on
that later.


----- Forwarded message from samba-bugs at samba.org -----

Subject: DO NOT REPLY [Bug 5087] Crash of smbd after upgrade to 3.0.27
To: samba-qa at samba.org
From: samba-bugs at samba.org
Date: Fri, 16 Nov 2007 09:20:46 -0600 (CST)


------- Comment #10 from obnox at samba.org  2007-11-16 09:20 CST -------
Analysis of the problem:

The panic was introduced by the patch for CVE-2007-4572:

push_ascii() now panics when called with "-1" as dest_len parameter.
(In order to avoid buffer overflows; this -1 used to mean unlimited
dest len before.)

Now there are (at least) roughly 100 indirect callers of push_ascii
left that explicitly pass -1 for dest_len:
roughly 40 through srvstr_push and roughly 60 through clistr_push.

This is too much for a really quick fix.
I would like to hear Jeremy's opinion on this.



----- End forwarded message -----

Michael Adam <ma at sernet.de>
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.SerNet.DE, mailto: Info @ SerNet.DE
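The contract change discussed above, as an added example that is not Samba's code: a push routine that refuses the old "-1 means unlimited" sentinel for dest_len (returning an error here instead of panicking, so the behaviour can be observed without aborting), and a model of an indirect caller in the style of srvstr_push that derives the real remaining space from the buffer it owns. The names push_ascii_checked and srvstr_push_checked are hypothetical.

```c
#include <stddef.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical model of the fixed push_ascii contract (not Samba code):
 * copy src into dest using at most dest_len bytes, NUL included.
 * Returns the bytes consumed in dest (NUL included), or -1 when dest_len
 * is negative, i.e. the legacy "-1 == unlimited" sentinel that the
 * CVE-2007-4572 fix turned into a panic. With -1 the bound came from
 * strlen(src), so an oversized source could overrun dest. */
ssize_t push_ascii_checked(char *dest, ssize_t dest_len, const char *src)
{
    size_t src_len;

    if (dest == NULL || src == NULL || dest_len < 0) {
        return -1;                      /* reject the unlimited sentinel */
    }
    if (dest_len == 0) {
        return 0;                       /* nothing fits, not even a NUL */
    }
    src_len = strlen(src);
    if (src_len >= (size_t)dest_len) {
        src_len = (size_t)dest_len - 1; /* truncate, keep room for NUL */
    }
    memcpy(dest, src, src_len);
    dest[src_len] = '\0';
    return (ssize_t)(src_len + 1);
}

/* Hypothetical model of an indirect caller such as srvstr_push: instead
 * of forwarding -1, it computes the space left between the write cursor
 * and the end of the packet buffer it owns. Returns -1 if dest lies
 * outside [base, base + base_len]. */
ssize_t srvstr_push_checked(char *base, size_t base_len,
                            char *dest, const char *src)
{
    size_t used;

    if (base == NULL || dest < base || dest > base + base_len) {
        return -1;
    }
    used = (size_t)(dest - base);
    return push_ascii_checked(dest, (ssize_t)(base_len - used), src);
}
```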