Security patches for Samba 3.3.x (CVE-2010-{1635,1642})

Eren Türkay eren at
Wed May 26 10:28:50 MDT 2010


A NULL pointer dereference (#7229, CVE-2010-1635) and a crash with CUPS
printers (#7298, CVE-2010-1642) have been fixed with the release of
3.4.8. According to Bugzilla, the fixes were also committed to

It seems that 3.3.x is also vulnerable, as the same code seems to exist in this
release as well. However, I couldn't see any reference to 3.3.x being
vulnerable. I would really appreciate a statement from the Samba team as to
the status of 3.3.x.

Attached is the patch that I made according to the changes committed to the
Git repository; hopefully it fixes the issues.

-------------- next part --------------
Index: samba-3.3.12/source/smbd/service.c
--- samba-3.3.12.orig/source/smbd/service.c
+++ samba-3.3.12/source/smbd/service.c
@@ -409,7 +409,7 @@ int find_service(fstring service)
 		if ((iPrinterService = lp_servicenumber(PRINTERS_NAME)) < 0) {
 			iPrinterService = load_registry_service(PRINTERS_NAME);
-		if (iPrinterService) {
+		if (iPrinterService >= 0) {
 			DEBUG(3,("checking whether %s is a valid printer name...\n", service));
 			if (pcap_printername_ok(service)) {
 				DEBUG(3,("%s is a valid printer name\n", service));
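Review bot: The hunk body does not match its header: `@@ -409,7 +409,7 @@` declares seven old and seven new lines, but only six of each are present, and the block opened by `if ((iPrinterService = lp_servicenumber(PRINTERS_NAME)) < 0) {` on the first context line is never closed before the changed `if`, so the closing `}` context line has evidently been lost on the way to the list and `patch` will reject this hunk as posted; please re-send the file as a proper attachment. The change itself is the right one: `lp_servicenumber()` signals failure with a negative value (that is what the `< 0` test above relies on), and `load_registry_service()` follows the same convention, so the old `if (iPrinterService)` accepted -1 as a service index and went on to the `pcap_printername_ok()` lookup with it, while rejecting a legitimate index of 0; `if (iPrinterService >= 0)` corrects both cases.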
Index: samba-3.3.12/source/smbd/sesssetup.c
--- samba-3.3.12.orig/source/smbd/sesssetup.c
+++ samba-3.3.12/source/smbd/sesssetup.c
@@ -1199,7 +1199,7 @@ static void reply_sesssetup_and_X_spnego
 	file_save("negotiate.dat",, blob1.length);
-	p2 = (char *)req->inbuf + smb_vwv13 + data_blob_len;
+	p2 = (char *)req->inbuf + smb_vwv13 + blob1.length;
 	p2 += srvstr_pull_buf(req->inbuf, smb_flag2, native_os, p2,
 			      sizeof(native_os), STR_TERMINATE);
 	p2 += srvstr_pull_buf(req->inbuf, smb_flag2, native_lanman, p2,
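Review bot: The context line `file_save("negotiate.dat",, blob1.length);` has an empty second argument, which cannot be what the 3.3.12 source contains (it would not compile), so this hunk has been mangled in transit as well and `@@ -1199,7 +1199,7 @@` will not apply as shown. On the substance, swapping `data_blob_len` for `blob1.length` in the `p2` computation only helps if `blob1` is built after the declared length has been checked against the remaining size of `req->inbuf`; if `blob1.length` is simply `data_blob_len` copied over, `p2` still lands past the end of the buffer for a crafted length and the `srvstr_pull_buf()` calls that follow read out of bounds. Please point at where `blob1` is constructed in 3.3's `reply_sesssetup_and_X_spnego()` and confirm it is bounds-checked there, and name the upstream commit this hunk is ported from so the 3.3 code can be compared line for line.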
