This is a security update of Samba 3.0.28a, that address CVE-2008-1105.

Approved by:	shaun (mentor, implicit)
Security:	CVE-2008-1105

2 files changed, 188 insertions, 1 deletions

diff --git a/net/samba3/Makefile b/net/samba3/Makefile
index 8a5c95c285b6..16e8df9da7b3 100644
--- a/net/samba3/Makefile
+++ b/net/samba3/Makefile
@@ -7,7 +7,7 @@
 
 PORTNAME=		samba
 PORTVERSION?=		3.0.28a
-PORTREVISION=		0
+PORTREVISION=		1
 PORTEPOCH?=		1
 CATEGORIES?=		net
 MASTER_SITES=		${MASTER_SITE_SAMBA}
diff --git a/net/samba3/files/patch-CVE-2008-1105 b/net/samba3/files/patch-CVE-2008-1105
new file mode 100644
index 000000000000..74f4a6b2e684
--- /dev/null
+++ b/net/samba3/files/patch-CVE-2008-1105
@@ -0,0 +1,187 @@
+commit 7e191387d64de2c965fc2c999bc7d1ccf4aae010
+Author: Gerald W. Carter <jerry@samba.org>
+Date:   Wed May 28 07:30:19 2008 -0500
+
+    Security: Patche for CVE-2008-1105.
+    
+        -- Summary --
+        Specifically crafted SMB responses can result
+        in a heap overflow in the Samba client code.
+        Because the server process, smbd, can itself
+        act as a client during operations such as
+        printer notification and domain authentication,
+        this issue affects both Samba client and server
+        installations.
+    
+    Ensure that we specify the buffer size used to store incoming SMB
+    packets.  This bug was originally introduced in Samba 2.2.4.  Patch from
+    Jeremy Allison.
+
+diff --git client/client.c client/client.c
+index 3f96f63..e87623a 100644
+--- client/client.c
++++ client/client.c
+@@ -3626,7 +3626,7 @@ static void readline_callback(void)
+ 	   session keepalives and then drop them here.
+ 	*/
+ 	if (FD_ISSET(cli->fd,&fds)) {
+-		if (!receive_smb(cli->fd,cli->inbuf,0)) {
++		if (!receive_smb(cli->fd,cli->inbuf,cli->bufsize,0)) {
+ 			DEBUG(0, ("Read from server failed, maybe it closed the "
+ 				"connection\n"));
+ 			return;
+diff --git client/smbctool.c client/smbctool.c
+index 2063418..a18505b 100644
+--- client/smbctool.c
++++ client/smbctool.c
+@@ -3304,7 +3304,7 @@ static void readline_callback(void)
+ 	   session keepalives and then drop them here.
+ 	*/
+ 	if (FD_ISSET(cli->fd,&fds)) {
+-		receive_smb(cli->fd,cli->inbuf,0);
++		receive_smb(cli->fd,cli->inbuf,cli->bufsize,0);
+ 		goto again;
+ 	}
+ 	  
+diff --git lib/util_sock.c lib/util_sock.c
+index 94c5e82..4715ca7 100644
+--- lib/util_sock.c
++++ lib/util_sock.c
+@@ -654,14 +654,13 @@ ssize_t read_smb_length(int fd, char *inbuf, unsigned int timeout)
+ }
+ 
+ /****************************************************************************
+- Read an smb from a fd. Note that the buffer *MUST* be of size
+- BUFFER_SIZE+SAFETY_MARGIN.
++ Read an smb from a fd. 
+  The timeout is in milliseconds. 
+  This function will return on receipt of a session keepalive packet.
+  Doesn't check the MAC on signed packets.
+ ****************************************************************************/
+ 
+-BOOL receive_smb_raw(int fd, char *buffer, unsigned int timeout)
++BOOL receive_smb_raw(int fd, char *buffer, size_t buflen, unsigned int timeout)
+ {
+ 	ssize_t len,ret;
+ 
+@@ -682,25 +681,18 @@ BOOL receive_smb_raw(int fd, char *buffer, unsigned int timeout)
+ 		return False;
+ 	}
+ 
+-	/*
+-	 * A WRITEX with CAP_LARGE_WRITEX can be 64k worth of data plus 65 bytes
+-	 * of header. Don't print the error if this fits.... JRA.
+-	 */
+-
+-	if (len > (BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE)) {
++	if (len > buflen) {
+ 		DEBUG(0,("Invalid packet length! (%lu bytes).\n",(unsigned long)len));
+-		if (len > BUFFER_SIZE + (SAFETY_MARGIN/2)) {
+ 
+-			/*
+-			 * Correct fix. smb_read_error may have already been
+-			 * set. Only set it here if not already set. Global
+-			 * variables still suck :-). JRA.
+-			 */
++		/*
++		 * smb_read_error may have already been
++		 * set. Only set it here if not already set. Global
++		 * variables still suck :-). JRA.
++		 */
+ 
+-			if (smb_read_error == 0)
+-				smb_read_error = READ_ERROR;
+-			return False;
+-		}
++		if (smb_read_error == 0)
++			smb_read_error = READ_ERROR;
++		return False;
+ 	}
+ 
+ 	if(len > 0) {
+@@ -730,9 +722,9 @@ BOOL receive_smb_raw(int fd, char *buffer, unsigned int timeout)
+  Checks the MAC on signed packets.
+ ****************************************************************************/
+ 
+-BOOL receive_smb(int fd, char *buffer, unsigned int timeout)
++BOOL receive_smb(int fd, char *buffer, size_t buflen, unsigned int timeout)
+ {
+-	if (!receive_smb_raw(fd, buffer, timeout)) {
++	if (!receive_smb_raw(fd, buffer, buflen, timeout)) {
+ 		return False;
+ 	}
+ 
+diff --git libsmb/clientgen.c libsmb/clientgen.c
+index c6cef08..7d7ab9e 100644
+--- libsmb/clientgen.c
++++ libsmb/clientgen.c
+@@ -44,8 +44,7 @@ int cli_set_port(struct cli_state *cli, int port)
+ }
+ 
+ /****************************************************************************
+- Read an smb from a fd ignoring all keepalive packets. Note that the buffer 
+- *MUST* be of size BUFFER_SIZE+SAFETY_MARGIN.
++ Read an smb from a fd ignoring all keepalive packets.
+  The timeout is in milliseconds
+ 
+  This is exactly the same as receive_smb except that it never returns
+@@ -54,12 +53,12 @@ int cli_set_port(struct cli_state *cli, int port)
+  should never go into a blocking read.
+ ****************************************************************************/
+ 
+-static BOOL client_receive_smb(int fd,char *buffer, unsigned int timeout)
++static BOOL client_receive_smb(int fd,char *buffer, size_t bufsize, unsigned int timeout)
+ {
+ 	BOOL ret;
+ 
+ 	for(;;) {
+-		ret = receive_smb_raw(fd, buffer, timeout);
++		ret = receive_smb_raw(fd, buffer, bufsize, timeout);
+ 
+ 		if (!ret) {
+ 			DEBUG(10,("client_receive_smb failed\n"));
+@@ -88,7 +87,7 @@ BOOL cli_receive_smb(struct cli_state *cli)
+ 		return False; 
+ 
+  again:
+-	ret = client_receive_smb(cli->fd,cli->inbuf,cli->timeout);
++	ret = client_receive_smb(cli->fd,cli->inbuf, cli->bufsize, cli->timeout);
+ 	
+ 	if (ret) {
+ 		/* it might be an oplock break request */
+diff --git smbd/process.c smbd/process.c
+index 8dec719..3d31c29 100644
+--- smbd/process.c
++++ smbd/process.c
+@@ -521,7 +521,8 @@ static BOOL receive_message_or_smb(char *buffer, int buffer_len, int timeout)
+ 		goto again;
+ 	}
+ 
+-	return receive_smb(smbd_server_fd(), buffer, 0);
++	return receive_smb(smbd_server_fd(), buffer,
++			BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE, 0);
+ }
+ 
+ /*
+diff --git utils/smbfilter.c utils/smbfilter.c
+index 97d2223..2152e53 100644
+--- utils/smbfilter.c
++++ utils/smbfilter.c
+@@ -140,7 +140,7 @@ static void filter_child(int c, struct in_addr dest_ip)
+ 		if (num <= 0) continue;
+ 		
+ 		if (c != -1 && FD_ISSET(c, &fds)) {
+-			if (!receive_smb(c, packet, 0)) {
++			if (!receive_smb(c, packet, BUFFER_SIZE, 0)) {
+ 				d_printf("client closed connection\n");
+ 				exit(0);
+ 			}
+@@ -151,7 +151,7 @@ static void filter_child(int c, struct in_addr dest_ip)
+ 			}			
+ 		}
+ 		if (s != -1 && FD_ISSET(s, &fds)) {
+-			if (!receive_smb(s, packet, 0)) {
++			if (!receive_smb(s, packet, BUFFER_SIZE, 0)) {
+ 				d_printf("server closed connection\n");
+ 				exit(0);
+ 			}