[SCM] Samba Shared Repository - branch v3-5-stable updated

Karolin Seeger Tue, 14 Sep 2010 03:31:37 -0700

The branch, v3-5-stable has been updated
       via  fbfd370 WHATSNEW: Update release date.
       via  60afcf8 WHATSNEW: Prepare 3.5.5 release notes.
       via  a34c3e9 Fix bug #7669.
      from  160cbf1 WHATSNEW: Start release notes for 3.5.5.


http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-5-stable


- Log -----------------------------------------------------------------
commit fbfd370cedcc3f29accc6c6999a682ed27e29ce3
Author: Karolin Seeger <ksee...@samba.org>
Date:   Thu Sep 9 16:22:50 2010 +0200

    WHATSNEW: Update release date.
    
    Karolin

commit 60afcf886311b96ea4aa532275a57c7388f0c0fd
Author: Karolin Seeger <ksee...@samba.org>
Date:   Thu Sep 9 15:57:36 2010 +0200

    WHATSNEW: Prepare 3.5.5 release notes.
    
    Karolin

commit a34c3e999bb1ea61da31c5b3e845b19663039358
Author: Jeremy Allison <j...@samba.org>
Date:   Thu Sep 9 15:54:23 2010 +0200

    Fix bug #7669.
    
    Fix bug #7669 (buffer overflow in sid_parse() in Samba3 and dom_sid_parse in
    Samba4).
    
    CVE-2010-3069:
    
    ===========
    Description
    ===========
    
    All current released versions of Samba are vulnerable to
    a buffer overrun vulnerability. The sid_parse() function
    (and related dom_sid_parse() function in the source4 code)
    do not correctly check their input lengths when reading a
    binary representation of a Windows SID (Security ID). This
    allows a malicious client to send a sid that can overflow
    the stack variable that is being used to store the SID in the
    Samba smbd server.
    
    A connection to a file share is needed to exploit this
    vulnerability, either authenticated or unauthenticated
    (guest connection).

-----------------------------------------------------------------------

Summary of changes:
 WHATSNEW.txt              |   23 ++++++++++++++++++-----
 libcli/security/dom_sid.c |    4 ++++
 libcli/security/dom_sid.h |    4 ++++
 source3/lib/util_sid.c    |    3 +++
 source3/libads/ldap.c     |    4 +++-
 source3/libsmb/cliquota.c |    4 +++-
 source3/smbd/nttrans.c    |   17 ++++++++++++++---
 7 files changed, 49 insertions(+), 10 deletions(-)


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 19f8875..0f52691 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,20 +1,33 @@
                    =============================
                    Release Notes for Samba 3.5.5
-                          , 2010
+                        September 14, 2010
                    =============================
 
 
-This is the latest stable release of Samba 3.5.
+This is a security release in order to address CVE-2010-3069.
 
-Major enhancements in Samba 3.5.5 include:
 
-  o 
+o  CVE-2010-3069:
+   All current released versions of Samba are vulnerable to
+   a buffer overrun vulnerability. The sid_parse() function
+   (and related dom_sid_parse() function in the source4 code)
+   do not correctly check their input lengths when reading a
+   binary representation of a Windows SID (Security ID). This
+   allows a malicious client to send a sid that can overflow
+   the stack variable that is being used to store the SID in the
+   Samba smbd server.
 
 
 Changes since 3.5.4
--------------------
+--------------------
+
+
+o   Jeremy Allison <j...@samba.org>
+    * BUG 7669: Fix for CVE-2010-3069.
 
 
+o   Andrew Bartlett <abart...@samba.org>
+    * BUG 7669: Fix for CVE-2010-3069.
 
 
 ######################################################################
diff --git a/libcli/security/dom_sid.c b/libcli/security/dom_sid.c
index 0c88900..350a14f 100644
--- a/libcli/security/dom_sid.c
+++ b/libcli/security/dom_sid.c
@@ -117,6 +117,10 @@ bool dom_sid_parse(const char *sidstr, struct dom_sid *ret)
                if (sidstr[i] == '-') num_sub_auths++;
        }
 
+       if (num_sub_auths > MAXSUBAUTHS) {
+               return false;
+       }
+
        ret->sid_rev_num = rev;
        ret->id_auth[0] = 0;
        ret->id_auth[1] = 0;
diff --git a/libcli/security/dom_sid.h b/libcli/security/dom_sid.h
index e892535..748e009 100644
--- a/libcli/security/dom_sid.h
+++ b/libcli/security/dom_sid.h
@@ -40,5 +40,9 @@ bool dom_sid_in_domain(const struct dom_sid *domain_sid,
                       const struct dom_sid *sid);
 char *dom_sid_string(TALLOC_CTX *mem_ctx, const struct dom_sid *sid);
 
+#ifndef MAXSUBAUTHS
+#define MAXSUBAUTHS 15 /* max sub authorities in a SID */
+#endif
+
 #endif /*_DOM_SID_H_*/
 
diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c
index 639269c..bea04d8 100644
--- a/source3/lib/util_sid.c
+++ b/source3/lib/util_sid.c
@@ -408,6 +408,9 @@ bool sid_parse(const char *inbuf, size_t len, DOM_SID *sid)
 
        sid->sid_rev_num = CVAL(inbuf, 0);
        sid->num_auths = CVAL(inbuf, 1);
+       if (sid->num_auths > MAXSUBAUTHS) {
+               return false;
+       }
        memcpy(sid->id_auth, inbuf+2, 6);
        if (len < 8 + sid->num_auths*4)
                return False;
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index 1fd5aa3..f18ded1 100644
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -2141,7 +2141,9 @@ static void dump_sid(ADS_STRUCT *ads, const char *field, 
struct berval **values)
        for (i=0; values[i]; i++) {
                DOM_SID sid;
                fstring tmp;
-               sid_parse(values[i]->bv_val, values[i]->bv_len, &sid);
+               if (!sid_parse(values[i]->bv_val, values[i]->bv_len, &sid)) {
+                       continue;
+               }
                printf("%s: %s\n", field, sid_to_fstring(tmp, &sid));
        }
 }
diff --git a/source3/libsmb/cliquota.c b/source3/libsmb/cliquota.c
index a8b1aa1..37e712d 100644
--- a/source3/libsmb/cliquota.c
+++ b/source3/libsmb/cliquota.c
@@ -111,7 +111,9 @@ static bool parse_user_quota_record(const char *rdata, 
unsigned int rdata_count,
        }
 #endif /* LARGE_SMB_OFF_T */
 
-       sid_parse(rdata+40,sid_len,&qt.sid);
+       if (!sid_parse(rdata+40,sid_len,&qt.sid)) {
+               return false;
+       }
 
        qt.qtype = SMB_USER_QUOTA_TYPE;
 
diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
index 6563754..9139213 100644
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -2161,7 +2161,11 @@ static void call_nt_transact_ioctl(connection_struct 
*conn,
                /* unknown 4 bytes: this is not the length of the sid :-(  */
                /*unknown = IVAL(pdata,0);*/
 
-               sid_parse(pdata+4,sid_len,&sid);
+               if (!sid_parse(pdata+4,sid_len,&sid)) {
+                       reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+                       return;
+               }
+
                DEBUGADD(10, ("for SID: %s\n", sid_string_dbg(&sid)));
 
                if (!sid_to_uid(&sid, &uid)) {
@@ -2417,7 +2421,10 @@ static void 
call_nt_transact_get_user_quota(connection_struct *conn,
                                break;
                        }
 
-                       sid_parse(pdata+8,sid_len,&sid);
+                       if (!sid_parse(pdata+8,sid_len,&sid)) {
+                               reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+                               return;
+                       }
 
                        if (vfs_get_ntquota(fsp, SMB_USER_QUOTA_TYPE, &sid, 
&qt)!=0) {
                                ZERO_STRUCT(qt);
@@ -2598,7 +2605,11 @@ static void 
call_nt_transact_set_user_quota(connection_struct *conn,
        }
 #endif /* LARGE_SMB_OFF_T */
 
-       sid_parse(pdata+40,sid_len,&sid);
+       if (!sid_parse(pdata+40,sid_len,&sid)) {
+               reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+               return;
+       }
+
        DEBUGADD(8,("SID: %s\n", sid_string_dbg(&sid)));
 
        /* 44 unknown bytes left... */


-- 
Samba Shared Repository

[SCM] Samba Shared Repository - branch v3-5-stable updated

Reply via email to