The branch, v3-5-stable has been updated via fbfd370 WHATSNEW: Update release date. via 60afcf8 WHATSNEW: Prepare 3.5.5 release notes. via a34c3e9 Fix bug #7669. from 160cbf1 WHATSNEW: Start release notes for 3.5.5.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-5-stable - Log ----------------------------------------------------------------- commit fbfd370cedcc3f29accc6c6999a682ed27e29ce3 Author: Karolin Seeger <ksee...@samba.org> Date: Thu Sep 9 16:22:50 2010 +0200 WHATSNEW: Update release date. Karolin commit 60afcf886311b96ea4aa532275a57c7388f0c0fd Author: Karolin Seeger <ksee...@samba.org> Date: Thu Sep 9 15:57:36 2010 +0200 WHATSNEW: Prepare 3.5.5 release notes. Karolin commit a34c3e999bb1ea61da31c5b3e845b19663039358 Author: Jeremy Allison <j...@samba.org> Date: Thu Sep 9 15:54:23 2010 +0200 Fix bug #7669. Fix bug #7669 (buffer overflow in sid_parse() in Samba3 and dom_sid_parse in Samba4). CVE-2010-3069: =========== Description =========== All current released versions of Samba are vulnerable to a buffer overrun vulnerability. The sid_parse() function (and related dom_sid_parse() function in the source4 code) do not correctly check their input lengths when reading a binary representation of a Windows SID (Security ID). This allows a malicious client to send a sid that can overflow the stack variable that is being used to store the SID in the Samba smbd server. A connection to a file share is needed to exploit this vulnerability, either authenticated or unauthenticated (guest connection). ----------------------------------------------------------------------- Summary of changes: WHATSNEW.txt | 23 ++++++++++++++++++----- libcli/security/dom_sid.c | 4 ++++ libcli/security/dom_sid.h | 4 ++++ source3/lib/util_sid.c | 3 +++ source3/libads/ldap.c | 4 +++- source3/libsmb/cliquota.c | 4 +++- source3/smbd/nttrans.c | 17 ++++++++++++++--- 7 files changed, 49 insertions(+), 10 deletions(-) Changeset truncated at 500 lines: diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 19f8875..0f52691 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,20 +1,33 @@ ============================= Release Notes for Samba 3.5.5 - , 2010 + September 14, 2010 ============================= -This is the latest stable release of Samba 3.5. +This is a security release in order to address CVE-2010-3069. -Major enhancements in Samba 3.5.5 include: - o +o CVE-2010-3069: + All current released versions of Samba are vulnerable to + a buffer overrun vulnerability. The sid_parse() function + (and related dom_sid_parse() function in the source4 code) + do not correctly check their input lengths when reading a + binary representation of a Windows SID (Security ID). This + allows a malicious client to send a sid that can overflow + the stack variable that is being used to store the SID in the + Samba smbd server. Changes since 3.5.4 -------------------- +-------------------- + + +o Jeremy Allison <j...@samba.org> + * BUG 7669: Fix for CVE-2010-3069. +o Andrew Bartlett <abart...@samba.org> + * BUG 7669: Fix for CVE-2010-3069. ###################################################################### diff --git a/libcli/security/dom_sid.c b/libcli/security/dom_sid.c index 0c88900..350a14f 100644 --- a/libcli/security/dom_sid.c +++ b/libcli/security/dom_sid.c @@ -117,6 +117,10 @@ bool dom_sid_parse(const char *sidstr, struct dom_sid *ret) if (sidstr[i] == '-') num_sub_auths++; } + if (num_sub_auths > MAXSUBAUTHS) { + return false; + } + ret->sid_rev_num = rev; ret->id_auth[0] = 0; ret->id_auth[1] = 0; diff --git a/libcli/security/dom_sid.h b/libcli/security/dom_sid.h index e892535..748e009 100644 --- a/libcli/security/dom_sid.h +++ b/libcli/security/dom_sid.h @@ -40,5 +40,9 @@ bool dom_sid_in_domain(const struct dom_sid *domain_sid, const struct dom_sid *sid); char *dom_sid_string(TALLOC_CTX *mem_ctx, const struct dom_sid *sid); +#ifndef MAXSUBAUTHS +#define MAXSUBAUTHS 15 /* max sub authorities in a SID */ +#endif + #endif /*_DOM_SID_H_*/ diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index 639269c..bea04d8 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -408,6 +408,9 @@ bool sid_parse(const char *inbuf, size_t len, DOM_SID *sid) sid->sid_rev_num = CVAL(inbuf, 0); sid->num_auths = CVAL(inbuf, 1); + if (sid->num_auths > MAXSUBAUTHS) { + return false; + } memcpy(sid->id_auth, inbuf+2, 6); if (len < 8 + sid->num_auths*4) return False; diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c index 1fd5aa3..f18ded1 100644 --- a/source3/libads/ldap.c +++ b/source3/libads/ldap.c @@ -2141,7 +2141,9 @@ static void dump_sid(ADS_STRUCT *ads, const char *field, struct berval **values) for (i=0; values[i]; i++) { DOM_SID sid; fstring tmp; - sid_parse(values[i]->bv_val, values[i]->bv_len, &sid); + if (!sid_parse(values[i]->bv_val, values[i]->bv_len, &sid)) { + continue; + } printf("%s: %s\n", field, sid_to_fstring(tmp, &sid)); } } diff --git a/source3/libsmb/cliquota.c b/source3/libsmb/cliquota.c index a8b1aa1..37e712d 100644 --- a/source3/libsmb/cliquota.c +++ b/source3/libsmb/cliquota.c @@ -111,7 +111,9 @@ static bool parse_user_quota_record(const char *rdata, unsigned int rdata_count, } #endif /* LARGE_SMB_OFF_T */ - sid_parse(rdata+40,sid_len,&qt.sid); + if (!sid_parse(rdata+40,sid_len,&qt.sid)) { + return false; + } qt.qtype = SMB_USER_QUOTA_TYPE; diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c index 6563754..9139213 100644 --- a/source3/smbd/nttrans.c +++ b/source3/smbd/nttrans.c @@ -2161,7 +2161,11 @@ static void call_nt_transact_ioctl(connection_struct *conn, /* unknown 4 bytes: this is not the length of the sid :-( */ /*unknown = IVAL(pdata,0);*/ - sid_parse(pdata+4,sid_len,&sid); + if (!sid_parse(pdata+4,sid_len,&sid)) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + return; + } + DEBUGADD(10, ("for SID: %s\n", sid_string_dbg(&sid))); if (!sid_to_uid(&sid, &uid)) { @@ -2417,7 +2421,10 @@ static void call_nt_transact_get_user_quota(connection_struct *conn, break; } - sid_parse(pdata+8,sid_len,&sid); + if (!sid_parse(pdata+8,sid_len,&sid)) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + return; + } if (vfs_get_ntquota(fsp, SMB_USER_QUOTA_TYPE, &sid, &qt)!=0) { ZERO_STRUCT(qt); @@ -2598,7 +2605,11 @@ static void call_nt_transact_set_user_quota(connection_struct *conn, } #endif /* LARGE_SMB_OFF_T */ - sid_parse(pdata+40,sid_len,&sid); + if (!sid_parse(pdata+40,sid_len,&sid)) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + return; + } + DEBUGADD(8,("SID: %s\n", sid_string_dbg(&sid))); /* 44 unknown bytes left... */ -- Samba Shared Repository