Security patches for Samba 3.3.x (CVE-2010-{1635,1642})

Eren Türkay eren at pardus.org.tr
Wed May 26 10:28:50 MDT 2010


Hello,

A NULL pointer dereference (#7229, CVE-2010-1635) and a crash with CUPS
printers (#7298, CVE-2010-1642) have been fixed with the release of
3.4.8. According to Bugzilla, the fixes were also committed to
3.5-test.

It seems that 3.3.x is also vulnerable as the same code seems to exist in this
release as well. However, I couldn't see any reference for 3.3.x being
vulnerable. I would really appreciate a statement from the Samba team as to
the status of 3.3.x.

Attached is the patch that I made according to the changes committed to
the GIT repository, and hopefully it fixes the issues.

Regards,
Eren
-------------- next part --------------
Index: samba-3.3.12/source/smbd/service.c
===================================================================
--- samba-3.3.12.orig/source/smbd/service.c
+++ samba-3.3.12/source/smbd/service.c
@@ -409,7 +409,7 @@ int find_service(fstring service)
 		if ((iPrinterService = lp_servicenumber(PRINTERS_NAME)) < 0) {
 			iPrinterService = load_registry_service(PRINTERS_NAME);
 		}
-		if (iPrinterService) {
+		if (iPrinterService >= 0) {
 			DEBUG(3,("checking whether %s is a valid printer name...\n", service));
 			if (pcap_printername_ok(service)) {
 				DEBUG(3,("%s is a valid printer name\n", service));
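Review bot: the old `if (iPrinterService)` test let the negative "not found" value from lp_servicenumber()/load_registry_service() through and only skipped the printer lookup when the [printers] service happened to be index 0, so pcap_printername_ok() could run with an invalid service number; `>= 0` corrects both directions. The lines after pcap_printername_ok() are outside the hunk, so please confirm that the fall-through path when iPrinterService is negative returns the normal "service not found" result rather than reusing the negative index, and name in the cover text the upstream commit this was backported from so the 3.3.12 context can be compared against it.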
Index: samba-3.3.12/source/smbd/sesssetup.c
===================================================================
--- samba-3.3.12.orig/source/smbd/sesssetup.c
+++ samba-3.3.12/source/smbd/sesssetup.c
@@ -1199,7 +1199,7 @@ static void reply_sesssetup_and_X_spnego
 	file_save("negotiate.dat", blob1.data, blob1.length);
 #endif
 
-	p2 = (char *)req->inbuf + smb_vwv13 + data_blob_len;
+	p2 = (char *)req->inbuf + smb_vwv13 + blob1.length;
 	p2 += srvstr_pull_buf(req->inbuf, smb_flag2, native_os, p2,
 			      sizeof(native_os), STR_TERMINATE);
 	p2 += srvstr_pull_buf(req->inbuf, smb_flag2, native_lanman, p2,
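Review bot: replacing data_blob_len with blob1.length ties p2 to the blob that was actually extracted into blob1 (the same value file_save() uses two lines above) rather than to the length announced by the client, which is what keeps the native_os/native_lanman pulls that follow from starting past the received data. Since data_blob_len is still in scope and looks like the natural choice, a one-line comment at the changed line explaining why blob1.length is the correct offset would help the next reader; note also that the hunk only fixes the starting offset, so the two srvstr_pull_buf() calls below it still rely on that helper honouring the request buffer length.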


More information about the samba-technical mailing list