Tree - rpms/samba - CentOS Git server

rpms / samba

Blame SOURCES/CVE-2017-12163.patch

Blob History Raw

		a3a04f	`From 364275d1ae8c55242497e7c8804fb28aa3b73465 Mon Sep 17 00:00:00 2001`
		a3a04f	`From: Jeremy Allison <jra@samba.org>`
		a3a04f	`Date: Fri, 8 Sep 2017 10:13:14 -0700`
		a3a04f	`Subject: [PATCH] CVE-2017-12163: s3:smbd: Prevent client short SMB1 write from`
		a3a04f	`writing server memory to file.`
		a3a04f
		a3a04f	`BUG: https://bugzilla.samba.org/show_bug.cgi?id=13020`
		a3a04f
		a3a04f	`Signed-off-by: Jeremy Allison <jra@samba.org>`
		a3a04f	`Signed-off-by: Stefan Metzmacher <metze@samba.org>`
		a3a04f	`---`
		a3a04f	`source3/smbd/reply.c \| 50 ++++++++++++++++++++++++++++++++++++++++++++++++++`
		a3a04f	`1 file changed, 50 insertions(+)`
		a3a04f
		a3a04f	`diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c`
		a3a04f	`index 317143f..7b07078 100644`
		a3a04f	`--- a/source3/smbd/reply.c`
		a3a04f	`+++ b/source3/smbd/reply.c`
		a3a04f	`@@ -4474,6 +4474,9 @@ void reply_writebraw(struct smb_request *req)`
		a3a04f	`}`
		a3a04f
		a3a04f	`/* Ensure we don't write bytes past the end of this packet. */`
		a3a04f	`+ /*`
		a3a04f	`+ * This already protects us against CVE-2017-12163.`
		a3a04f	`+ */`
		a3a04f	`if (data + numtowrite > smb_base(req->inbuf) + smb_len(req->inbuf)) {`
		a3a04f	`reply_nterror(req, NT_STATUS_INVALID_PARAMETER);`
		a3a04f	`error_to_writebrawerr(req);`
		a3a04f	`@@ -4574,6 +4577,11 @@ void reply_writebraw(struct smb_request *req)`
		a3a04f	`exit_server_cleanly("secondary writebraw failed");`
		a3a04f	`}`
		a3a04f
		a3a04f	`+ /*`
		a3a04f	`+ * We are not vulnerable to CVE-2017-12163`
		a3a04f	`+ * here as we are guarenteed to have numtowrite`
		a3a04f	`+ * bytes available - we just read from the client.`
		a3a04f	`+ */`
		a3a04f	`nwritten = write_file(req,fsp,buf+4,startpos+nwritten,numtowrite);`
		a3a04f	`if (nwritten == -1) {`
		a3a04f	`TALLOC_FREE(buf);`
		a3a04f	`@@ -4647,6 +4655,7 @@ void reply_writeunlock(struct smb_request *req)`
		a3a04f	`connection_struct *conn = req->conn;`
		a3a04f	`ssize_t nwritten = -1;`
		a3a04f	`size_t numtowrite;`
		a3a04f	`+ size_t remaining;`
		a3a04f	`off_t startpos;`
		a3a04f	`const char *data;`
		a3a04f	`NTSTATUS status = NT_STATUS_OK;`
		a3a04f	`@@ -4679,6 +4688,17 @@ void reply_writeunlock(struct smb_request *req)`
		a3a04f	`startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0);`
		a3a04f	`data = (const char *)req->buf + 3;`
		a3a04f
		a3a04f	`+ /*`
		a3a04f	`+ * Ensure client isn't asking us to write more than`
		a3a04f	`+ * they sent. CVE-2017-12163.`
		a3a04f	`+ */`
		a3a04f	`+ remaining = smbreq_bufrem(req, data);`
		a3a04f	`+ if (numtowrite > remaining) {`
		a3a04f	`+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);`
		a3a04f	`+ END_PROFILE(SMBwriteunlock);`
		a3a04f	`+ return;`
		a3a04f	`+ }`
		a3a04f	`+`
		a3a04f	`if (!fsp->print_file && numtowrite > 0) {`
		a3a04f	`init_strict_lock_struct(fsp, (uint64_t)req->smbpid,`
		a3a04f	`(uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,`
		a3a04f	`@@ -4756,6 +4776,7 @@ void reply_write(struct smb_request *req)`
		a3a04f	`{`
		a3a04f	`connection_struct *conn = req->conn;`
		a3a04f	`size_t numtowrite;`
		a3a04f	`+ size_t remaining;`
		a3a04f	`ssize_t nwritten = -1;`
		a3a04f	`off_t startpos;`
		a3a04f	`const char *data;`
		a3a04f	`@@ -4796,6 +4817,17 @@ void reply_write(struct smb_request *req)`
		a3a04f	`startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0);`
		a3a04f	`data = (const char *)req->buf + 3;`
		a3a04f
		a3a04f	`+ /*`
		a3a04f	`+ * Ensure client isn't asking us to write more than`
		a3a04f	`+ * they sent. CVE-2017-12163.`
		a3a04f	`+ */`
		a3a04f	`+ remaining = smbreq_bufrem(req, data);`
		a3a04f	`+ if (numtowrite > remaining) {`
		a3a04f	`+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);`
		a3a04f	`+ END_PROFILE(SMBwrite);`
		a3a04f	`+ return;`
		a3a04f	`+ }`
		a3a04f	`+`
		a3a04f	`if (!fsp->print_file) {`
		a3a04f	`init_strict_lock_struct(fsp, (uint64_t)req->smbpid,`
		a3a04f	`(uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,`
		a3a04f	`@@ -5018,6 +5050,9 @@ void reply_write_and_X(struct smb_request *req)`
		a3a04f	`goto out;`
		a3a04f	`}`
		a3a04f	`} else {`
		a3a04f	`+ /*`
		a3a04f	`+ * This already protects us against CVE-2017-12163.`
		a3a04f	`+ */`
		a3a04f	`if (smb_doff > smblen \|\| smb_doff + numtowrite < numtowrite \|\|`
		a3a04f	`smb_doff + numtowrite > smblen) {`
		a3a04f	`reply_nterror(req, NT_STATUS_INVALID_PARAMETER);`
		a3a04f	`@@ -5444,6 +5479,7 @@ void reply_writeclose(struct smb_request *req)`
		a3a04f	`{`
		a3a04f	`connection_struct *conn = req->conn;`
		a3a04f	`size_t numtowrite;`
		a3a04f	`+ size_t remaining;`
		a3a04f	`ssize_t nwritten = -1;`
		a3a04f	`NTSTATUS close_status = NT_STATUS_OK;`
		a3a04f	`off_t startpos;`
		a3a04f	`@@ -5477,6 +5513,17 @@ void reply_writeclose(struct smb_request *req)`
		a3a04f	`mtime = convert_time_t_to_timespec(srv_make_unix_date3(req->vwv+4));`
		a3a04f	`data = (const char *)req->buf + 1;`
		a3a04f
		a3a04f	`+ /*`
		a3a04f	`+ * Ensure client isn't asking us to write more than`
		a3a04f	`+ * they sent. CVE-2017-12163.`
		a3a04f	`+ */`
		a3a04f	`+ remaining = smbreq_bufrem(req, data);`
		a3a04f	`+ if (numtowrite > remaining) {`
		a3a04f	`+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);`
		a3a04f	`+ END_PROFILE(SMBwriteclose);`
		a3a04f	`+ return;`
		a3a04f	`+ }`
		a3a04f	`+`
		a3a04f	`if (fsp->print_file == NULL) {`
		a3a04f	`init_strict_lock_struct(fsp, (uint64_t)req->smbpid,`
		a3a04f	`(uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,`
		a3a04f	`@@ -6069,6 +6116,9 @@ void reply_printwrite(struct smb_request *req)`
		a3a04f
		a3a04f	`numtowrite = SVAL(req->buf, 1);`
		a3a04f
		a3a04f	`+ /*`
		a3a04f	`+ * This already protects us against CVE-2017-12163.`
		a3a04f	`+ */`
		a3a04f	`if (req->buflen < numtowrite + 3) {`
		a3a04f	`reply_nterror(req, NT_STATUS_INVALID_PARAMETER);`
		a3a04f	`END_PROFILE(SMBsplwr);`
		a3a04f	`--`
		a3a04f	`1.9.1`
		a3a04f

rpms / samba

Source Code

Blame SOURCES/CVE-2017-12163.patch