Gentoo's Bugzilla – Attachment 153305 Details for
Bug 222299
net-fs/samba <3.0.28a-r1 "receive_smb_raw()" Buffer Overflow Vulnerability (CVE-2008-1105)
[patch]
samba-3.0.28a-CVE-2008-1105.patch
samba-3.0.28a-CVE-2008-1105.patch (text/plain), 5.64 KB, created by
Robert Buchholz (RETIRED)
on 2008-05-16 10:24:40 UTC
Description:
samba-3.0.28a-CVE-2008-1105.patch
Filename:
MIME Type:
Creator:
Robert Buchholz (RETIRED)
Created:
2008-05-16 10:24:40 UTC
Size:
5.64 KB
patch
obsolete
>diff --git a/source/client/client.c b/source/client/client.c
>index 3f96f63..e87623a 100644
>--- a/source/client/client.c
>+++ b/source/client/client.c
>@@ -3626,7 +3626,7 @@ static void readline_callback(void)
> session keepalives and then drop them here.
> */
> if (FD_ISSET(cli->fd,&fds)) {
>- if (!receive_smb(cli->fd,cli->inbuf,0)) {
>+ if (!receive_smb(cli->fd,cli->inbuf,cli->bufsize,0)) {
> DEBUG(0, ("Read from server failed, maybe it closed the "
> "connection\n"));
> return;
>diff --git a/source/client/smbctool.c b/source/client/smbctool.c
>index 2063418..a18505b 100644
>--- a/source/client/smbctool.c
>+++ b/source/client/smbctool.c
>@@ -3304,7 +3304,7 @@ static void readline_callback(void)
> session keepalives and then drop them here.
> */
> if (FD_ISSET(cli->fd,&fds)) {
>- receive_smb(cli->fd,cli->inbuf,0);
>+ receive_smb(cli->fd,cli->inbuf,cli->bufsize,0);
> goto again;
> }
> 
>diff --git a/source/lib/util_sock.c b/source/lib/util_sock.c
>index 94c5e82..4715ca7 100644
>--- a/source/lib/util_sock.c
>+++ b/source/lib/util_sock.c
>@@ -654,14 +654,13 @@ ssize_t read_smb_length(int fd, char *inbuf, unsigned int timeout)
> }
> 
> /****************************************************************************
>- Read an smb from a fd. Note that the buffer *MUST* be of size
>- BUFFER_SIZE+SAFETY_MARGIN.
>+ Read an smb from a fd.
> The timeout is in milliseconds.
> This function will return on receipt of a session keepalive packet.
> Doesn't check the MAC on signed packets.
> ****************************************************************************/
> 
>-BOOL receive_smb_raw(int fd, char *buffer, unsigned int timeout)
>+BOOL receive_smb_raw(int fd, char *buffer, size_t buflen, unsigned int timeout)
> {
> ssize_t len,ret;
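Review bot: In the smbctool.c hunk the new `receive_smb(cli->fd,cli->inbuf,cli->bufsize,0);` still discards the return value, so a read that fails or is rejected by the new length check is followed by `goto again` with nothing logged, whereas the client.c hunk just above handles the identical call by logging and returning. Consider `if (!receive_smb(cli->fd,cli->inbuf,cli->bufsize,0)) { return; }` or at least a DEBUG line, matching client.c. readline_callback's body continues outside the hunk, so whether a later check catches the failure cannot be seen here.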
> 
>@@ -682,25 +681,18 @@ BOOL receive_smb_raw(int fd, char *buffer, unsigned int timeout)
> return False;
> }
> 
>- /*
>- * A WRITEX with CAP_LARGE_WRITEX can be 64k worth of data plus 65 bytes
>- * of header. Don't print the error if this fits.... JRA.
>- */
>- 
>- if (len > (BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE)) {
>+ if (len > buflen) {
> DEBUG(0,("Invalid packet length! (%lu bytes).\n",(unsigned long)len));
>- if (len > BUFFER_SIZE + (SAFETY_MARGIN/2)) {
> 
>- /*
>- * Correct fix. smb_read_error may have already been
>- * set. Only set it here if not already set. Global
>- * variables still suck :-). JRA.
>- */
>+ /*
>+ * smb_read_error may have already been
>+ * set. Only set it here if not already set. Global
>+ * variables still suck :-). JRA.
>+ */
> 
>- if (smb_read_error == 0)
>- smb_read_error = READ_ERROR;
>- return False;
>- }
>+ if (smb_read_error == 0)
>+ smb_read_error = READ_ERROR;
>+ return False;
> }
> 
> if(len > 0) {
>@@ -730,9 +722,9 @@ BOOL receive_smb_raw(int fd, char *buffer, unsigned int timeout)
> Checks the MAC on signed packets.
> ****************************************************************************/
> 
>-BOOL receive_smb(int fd, char *buffer, unsigned int timeout)
>+BOOL receive_smb(int fd, char *buffer, size_t buflen, unsigned int timeout)
> {
>- if (!receive_smb_raw(fd, buffer, timeout)) {
>+ if (!receive_smb_raw(fd, buffer, buflen, timeout)) {
> return False;
> }
> 
>diff --git a/source/libsmb/clientgen.c b/source/libsmb/clientgen.c
>index c6cef08..7d7ab9e 100644
>--- a/source/libsmb/clientgen.c
>+++ b/source/libsmb/clientgen.c
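Review bot: The new `buflen` parameter of receive_smb_raw() is not described in the header comment that the hunk at -654 rewrites; the old text at least stated the required buffer size, and the new text says nothing about what a caller must pass — the whole allocation behind `buffer`, or the space left after the 4-byte length prefix. Suggest a line such as ` buflen is the number of bytes available in buffer; a packet whose SMB length exceeds it is rejected with READ_ERROR.` once the intended meaning is settled. The same gap exists for receive_smb() in the hunk at -730 and for client_receive_smb() in the clientgen.c hunk at -44, both of which gain the parameter without documenting it.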
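Review bot: `if (len > buflen)` compares an `ssize_t` against a `size_t`, so `len` is converted to unsigned; a negative `len` would be treated as oversize, which fails closed, but only the `return False;` at the top of the hunk (presumably the negative-length check) makes that irrelevant, and an explicit `(size_t)len` after that check would make the intent visible and silence -Wsign-compare. More importantly, the bound does not account for the 4 bytes that read_smb_length() (visible above the -654 hunk) has already placed at the start of `buffer` if the payload is then read after that prefix — the read itself is outside this hunk, so this is inferred: a packet of exactly `buflen` bytes would then write past the end unless every caller reserves headroom, and the process.c and smbfilter.c callers pass bare size constants. If `buflen` is meant to be the whole allocation, `if (buflen < 4 || (size_t)len > buflen - 4) {` closes that gap regardless of what callers pass.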
>@@ -44,8 +44,7 @@ int cli_set_port(struct cli_state *cli, int port)
> }
> 
> /****************************************************************************
>- Read an smb from a fd ignoring all keepalive packets. Note that the buffer
>- *MUST* be of size BUFFER_SIZE+SAFETY_MARGIN.
>+ Read an smb from a fd ignoring all keepalive packets.
> The timeout is in milliseconds
> 
> This is exactly the same as receive_smb except that it never returns
>@@ -54,12 +53,12 @@ int cli_set_port(struct cli_state *cli, int port)
> should never go into a blocking read.
> ****************************************************************************/
> 
>-static BOOL client_receive_smb(int fd,char *buffer, unsigned int timeout)
>+static BOOL client_receive_smb(int fd,char *buffer, size_t bufsize, unsigned int timeout)
> {
> BOOL ret;
> 
> for(;;) {
>- ret = receive_smb_raw(fd, buffer, timeout);
>+ ret = receive_smb_raw(fd, buffer, bufsize, timeout);
> 
> if (!ret) {
> DEBUG(10,("client_receive_smb failed\n"));
>@@ -88,7 +87,7 @@ BOOL cli_receive_smb(struct cli_state *cli)
> return False;
> 
> again:
>- ret = client_receive_smb(cli->fd,cli->inbuf,cli->timeout);
>+ ret = client_receive_smb(cli->fd,cli->inbuf, cli->bufsize, cli->timeout);
> 
> if (ret) {
> /* it might be an oplock break request */
>diff --git a/source/smbd/process.c b/source/smbd/process.c
>index 8dec719..3d31c29 100644
>--- a/source/smbd/process.c
>+++ b/source/smbd/process.c
>@@ -521,7 +521,8 @@ static BOOL receive_message_or_smb(char *buffer, int buffer_len, int timeout)
> goto again;
> }
> 
>- return receive_smb(smbd_server_fd(), buffer, 0);
>+ return receive_smb(smbd_server_fd(), buffer,
>+ BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE, 0);
> }
> 
> /*
>diff --git a/source/utils/smbfilter.c b/source/utils/smbfilter.c
>index 97d2223..2152e53 100644
>--- a/source/utils/smbfilter.c
>+++ b/source/utils/smbfilter.c
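Review bot: In the clientgen.c hunk at -53 the new parameter is called `bufsize` while receive_smb_raw() and receive_smb() in util_sock.c call the same quantity `buflen`; since it is passed straight through (`ret = receive_smb_raw(fd, buffer, bufsize, timeout);`), one name across the patch makes it easier to audit that every caller passes the same thing. In the hunk at -87 the new call `client_receive_smb(cli->fd,cli->inbuf, cli->bufsize, cli->timeout);` mixes the file's `a,b` spacing with `a, b`; `client_receive_smb(cli->fd,cli->inbuf,cli->bufsize,cli->timeout);` matches the surrounding style. Whether cli->bufsize equals the allocation size of cli->inbuf cannot be checked from this patch, so the allocation site should be cross-checked against the new bound.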
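Review bot: The process.c hunk passes the constant `BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE` although receive_message_or_smb() already receives a `buffer_len` parameter (visible in the hunk header) that by its name describes the same buffer; if the caller's allocation ever changes, the hard-coded bound silently diverges from it. Unless buffer_len means something else here, `return receive_smb(smbd_server_fd(), buffer, buffer_len, 0);` keeps the check tied to the actual allocation; otherwise a comment stating why the two differ would help. The allocation and the other uses of buffer_len are outside this hunk.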
>@@ -140,7 +140,7 @@ static void filter_child(int c, struct in_addr dest_ip)
> if (num <= 0) continue;
> 
> if (c != -1 && FD_ISSET(c, &fds)) {
>- if (!receive_smb(c, packet, 0)) {
>+ if (!receive_smb(c, packet, BUFFER_SIZE, 0)) {
> d_printf("client closed connection\n");
> exit(0);
> }
>@@ -151,7 +151,7 @@ static void filter_child(int c, struct in_addr dest_ip)
> }
> }
> if (s != -1 && FD_ISSET(s, &fds)) {
>- if (!receive_smb(s, packet, 0)) {
>+ if (!receive_smb(s, packet, BUFFER_SIZE, 0)) {
> d_printf("server closed connection\n");
> exit(0);
> }
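Review bot: The bound passed here, `BUFFER_SIZE`, must match the actual allocation of `packet`, which is outside both hunks in this file (-140 and -151 pass the same value); nothing in the patch ties the two together, so a comment at the allocation site, or one shared constant used for both the allocation and these calls, would keep them from drifting. It also differs from the `BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE` that smbd passes in process.c, so a large WRITEX that smbd accepts may be rejected by the filter and reported as "client closed connection" — fail-closed, but the message is misleading for that case and a comment or distinct d_printf text would help whoever debugs it.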