Diffstat (limited to 'net/samba3/files/patch-CVE-2008-1105')
-rw-r--r-- | net/samba3/files/patch-CVE-2008-1105 | 187 |
1 files changed, 0 insertions, 187 deletions
diff --git a/net/samba3/files/patch-CVE-2008-1105 b/net/samba3/files/patch-CVE-2008-1105
deleted file mode 100644
index 74f4a6b2e684..000000000000
--- a/net/samba3/files/patch-CVE-2008-1105
+++ /dev/null
@@ -1,187 +0,0 @@
-commit 7e191387d64de2c965fc2c999bc7d1ccf4aae010
-Author: Gerald W. Carter <jerry@samba.org>
-Date: Wed May 28 07:30:19 2008 -0500
-
- Security: Patche for CVE-2008-1105.
-
- -- Summary --
- Specifically crafted SMB responses can result
- in a heap overflow in the Samba client code.
- Because the server process, smbd, can itself
- act as a client during operations such as
- printer notification and domain authentication,
- this issue affects both Samba client and server
- installations.
-
- Ensure that we specify the buffer size used to store incoming SMB
- packets. This bug was originally introduced in Samba 2.2.4. Patch from
- Jeremy Allison.
-
-diff --git client/client.c client/client.c
-index 3f96f63..e87623a 100644
---- client/client.c
-+++ client/client.c
-@@ -3626,7 +3626,7 @@ static void readline_callback(void)
- session keepalives and then drop them here.
- */
- if (FD_ISSET(cli->fd,&fds)) {
-- if (!receive_smb(cli->fd,cli->inbuf,0)) {
-+ if (!receive_smb(cli->fd,cli->inbuf,cli->bufsize,0)) {
- DEBUG(0, ("Read from server failed, maybe it closed the "
- "connection\n"));
- return;
-diff --git client/smbctool.c client/smbctool.c
-index 2063418..a18505b 100644
---- client/smbctool.c
-+++ client/smbctool.c
-@@ -3304,7 +3304,7 @@ static void readline_callback(void)
- session keepalives and then drop them here.
- */
- if (FD_ISSET(cli->fd,&fds)) {
-- receive_smb(cli->fd,cli->inbuf,0);
-+ receive_smb(cli->fd,cli->inbuf,cli->bufsize,0);
- goto again;
- }
-
-diff --git lib/util_sock.c lib/util_sock.c
-index 94c5e82..4715ca7 100644
---- lib/util_sock.c
-+++ lib/util_sock.c
-@@ -654,14 +654,13 @@ ssize_t read_smb_length(int fd, char *inbuf, unsigned int timeout)
- }
-
- /****************************************************************************
-- Read an smb from a fd. Note that the buffer *MUST* be of size
-- BUFFER_SIZE+SAFETY_MARGIN.
-+ Read an smb from a fd.
- The timeout is in milliseconds.
- This function will return on receipt of a session keepalive packet.
- Doesn't check the MAC on signed packets.
- ****************************************************************************/
-
--BOOL receive_smb_raw(int fd, char *buffer, unsigned int timeout)
-+BOOL receive_smb_raw(int fd, char *buffer, size_t buflen, unsigned int timeout)
- {
- ssize_t len,ret;
-
-@@ -682,25 +681,18 @@ BOOL receive_smb_raw(int fd, char *buffer, unsigned int timeout)
- return False;
- }
-
-- /*
-- * A WRITEX with CAP_LARGE_WRITEX can be 64k worth of data plus 65 bytes
-- * of header. Don't print the error if this fits.... JRA.
-- */
--
-- if (len > (BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE)) {
-+ if (len > buflen) {
- DEBUG(0,("Invalid packet length! (%lu bytes).\n",(unsigned long)len));
-- if (len > BUFFER_SIZE + (SAFETY_MARGIN/2)) {
-
-- /*
-- * Correct fix. smb_read_error may have already been
-- * set. Only set it here if not already set. Global
-- * variables still suck :-). JRA.
-- */
-+ /*
-+ * smb_read_error may have already been
-+ * set. Only set it here if not already set. Global
-+ * variables still suck :-). JRA.
-+ */
-
-- if (smb_read_error == 0)
-- smb_read_error = READ_ERROR;
-- return False;
-- }
-+ if (smb_read_error == 0)
-+ smb_read_error = READ_ERROR;
-+ return False;
- }
-
- if(len > 0) {
-@@ -730,9 +722,9 @@ BOOL receive_smb_raw(int fd, char *buffer, unsigned int timeout)
- Checks the MAC on signed packets.
- ****************************************************************************/
-
--BOOL receive_smb(int fd, char *buffer, unsigned int timeout)
-+BOOL receive_smb(int fd, char *buffer, size_t buflen, unsigned int timeout)
- {
-- if (!receive_smb_raw(fd, buffer, timeout)) {
-+ if (!receive_smb_raw(fd, buffer, buflen, timeout)) {
- return False;
- }
-
-diff --git libsmb/clientgen.c libsmb/clientgen.c
-index c6cef08..7d7ab9e 100644
---- libsmb/clientgen.c
-+++ libsmb/clientgen.c
-@@ -44,8 +44,7 @@ int cli_set_port(struct cli_state *cli, int port)
- }
-
- /****************************************************************************
-- Read an smb from a fd ignoring all keepalive packets. Note that the buffer
-- *MUST* be of size BUFFER_SIZE+SAFETY_MARGIN.
-+ Read an smb from a fd ignoring all keepalive packets.
- The timeout is in milliseconds
-
- This is exactly the same as receive_smb except that it never returns
-@@ -54,12 +53,12 @@ int cli_set_port(struct cli_state *cli, int port)
- should never go into a blocking read.
- ****************************************************************************/
-
--static BOOL client_receive_smb(int fd,char *buffer, unsigned int timeout)
-+static BOOL client_receive_smb(int fd,char *buffer, size_t bufsize, unsigned int timeout)
- {
- BOOL ret;
-
- for(;;) {
-- ret = receive_smb_raw(fd, buffer, timeout);
-+ ret = receive_smb_raw(fd, buffer, bufsize, timeout);
-
- if (!ret) {
- DEBUG(10,("client_receive_smb failed\n"));
-@@ -88,7 +87,7 @@ BOOL cli_receive_smb(struct cli_state *cli)
- return False;
-
- again:
-- ret = client_receive_smb(cli->fd,cli->inbuf,cli->timeout);
-+ ret = client_receive_smb(cli->fd,cli->inbuf, cli->bufsize, cli->timeout);
-
- if (ret) {
- /* it might be an oplock break request */
-diff --git smbd/process.c smbd/process.c
-index 8dec719..3d31c29 100644
---- smbd/process.c
-+++ smbd/process.c
-@@ -521,7 +521,8 @@ static BOOL receive_message_or_smb(char *buffer, int buffer_len, int timeout)
- goto again;
- }
-
-- return receive_smb(smbd_server_fd(), buffer, 0);
-+ return receive_smb(smbd_server_fd(), buffer,
-+ BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE, 0);
- }
-
- /*
-diff --git utils/smbfilter.c utils/smbfilter.c
-index 97d2223..2152e53 100644
---- utils/smbfilter.c
-+++ utils/smbfilter.c
-@@ -140,7 +140,7 @@ static void filter_child(int c, struct in_addr dest_ip)
- if (num <= 0) continue;
-
- if (c != -1 && FD_ISSET(c, &fds)) {
-- if (!receive_smb(c, packet, 0)) {
-+ if (!receive_smb(c, packet, BUFFER_SIZE, 0)) {
- d_printf("client closed connection\n");
- exit(0);
- }
-@@ -151,7 +151,7 @@ static void filter_child(int c, struct in_addr dest_ip)
- }
- }
- if (s != -1 && FD_ISSET(s, &fds)) {
-- if (!receive_smb(s, packet, 0)) {
-+ if (!receive_smb(s, packet, BUFFER_SIZE, 0)) {
- d_printf("server closed connection\n");
- exit(0);
- } |