[samba-bugs@samba.org: DO NOT REPLY [Bug 5087] Crash of smbd
after upgrade to 3.0.27]
simo
idra at samba.org
Fri Nov 16 16:16:57 GMT 2007
I already found that and discussed it with Jeremy, we thought that the
code path that pass -1 could never be really taken.
Are we sure the patch used by the report is my latest patch with the
lanman.c fix ?
If so then our analysis was probably not 100% correct, but this is
strange as I didn't experience any segfault during package testing.
Simo.
On Fri, 2007-11-16 at 16:36 +0100, Michael Adam wrote:
> Hi Jeremy and Jerry,
>
> Samba 3.0.27 panics ("push_ascii - dest_len == -1").
>
> How do we proceed with this one? We have to find all the calls
> that eventually lead to push_ascii called with dest_len == -1.
> My analysis has produced quite a few (see below).
>
> I can't fix all that right now, but I could do some more work on
> that later.
>
> Michael
>
> ----- Forwarded message from samba-bugs at samba.org -----
>
> Subject: DO NOT REPLY [Bug 5087] Crash of smbd after upgrade to 3.0.27
> To: samba-qa at samba.org
> From: samba-bugs at samba.org
> Date: Fri, 16 Nov 2007 09:20:46 -0600 (CST)
>
> https://bugzilla.samba.org/show_bug.cgi?id=5087
>
>
>
>
>
> ------- Comment #10 from obnox at samba.org 2007-11-16 09:20 CST -------
> Analysis of the problem:
>
> The panic was introduced by the patch for CVE-2007-4572:
>
> push_ascii() now panics when called with "-1" as dest_len parameter.
> (In order to avoid buffer overflows - This -1 used to mean unlimited
> dest len before.)
>
> Now there are (at least) roughly 100 indirect callers of push_ascii
> left that explicitly pass -1 for dest_len:
> roughly 40 through srvstr_push and roughly 60 through clistr_push.
>
> This is too much for a really quick fix.
> I would like to hear Jeremy's opinion on this.
>
> Michael
>
>
> --
> Configure bugmail: https://bugzilla.samba.org/userprefs.cgi?tab=email
> ------- You are receiving this mail because: -------
> You are the QA contact for the bug, or are watching the QA contact.
>
> ----- End forwarded message -----
>
--
Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Senior Software Engineer at Red Hat Inc. <ssorce at redhat.com>
More information about the samba-technical
mailing list