The branch, v3-4-ctdb has been updated
via 946de2d0a6a1107bd80758f78b7cc68fd8d20134 (commit)
from 24f67cd3bde4e6e6bff4f503366abb17d3b389da (commit)
http://gitweb.samba.org/?p=obnox/samba-ctdb.git;a=shortlog;h=v3-4-ctdb
- Log -----------------------------------------------------------------
commit 946de2d0a6a1107bd80758f78b7cc68fd8d20134
Author: Jeremy Allison <[email protected]>
Date: Thu Sep 9 15:48:23 2010 +0200
Fix bug #7669.
Fix bug #7669 (buffer overflow in sid_parse() in Samba3 and dom_sid_parse in
Samba4).
CVE-2010-3069:
===========
Description
===========
All current released versions of Samba are vulnerable to
a buffer overrun vulnerability. The sid_parse() function
(and related dom_sid_parse() function in the source4 code)
do not correctly check their input lengths when reading a
binary representation of a Windows SID (Security ID). This
allows a malicious client to send a sid that can overflow
the stack variable that is being used to store the SID in the
Samba smbd server.
A connection to a file share is needed to exploit this
vulnerability, either authenticated or unauthenticated
(guest connection).
(cherry picked from commit df20a300758bc12286820e31fcf573bdfc2147bc)
-----------------------------------------------------------------------
Summary of changes:
libcli/security/dom_sid.c | 4 ++++
libcli/security/dom_sid.h | 4 ++++
source3/lib/util_sid.c | 3 +++
source3/libads/ldap.c | 4 +++-
source3/libsmb/cliquota.c | 4 +++-
source3/smbd/nttrans.c | 17 ++++++++++++++---
6 files changed, 31 insertions(+), 5 deletions(-)
Changeset truncated at 500 lines:
diff --git a/libcli/security/dom_sid.c b/libcli/security/dom_sid.c
index 0c88900..350a14f 100644
--- a/libcli/security/dom_sid.c
+++ b/libcli/security/dom_sid.c
@@ -117,6 +117,10 @@ bool dom_sid_parse(const char *sidstr, struct dom_sid *ret)
if (sidstr[i] == '-') num_sub_auths++;
}
+ if (num_sub_auths > MAXSUBAUTHS) {
+ return false;
+ }
+
ret->sid_rev_num = rev;
ret->id_auth[0] = 0;
ret->id_auth[1] = 0;
diff --git a/libcli/security/dom_sid.h b/libcli/security/dom_sid.h
index e892535..748e009 100644
--- a/libcli/security/dom_sid.h
+++ b/libcli/security/dom_sid.h
@@ -40,5 +40,9 @@ bool dom_sid_in_domain(const struct dom_sid *domain_sid,
const struct dom_sid *sid);
char *dom_sid_string(TALLOC_CTX *mem_ctx, const struct dom_sid *sid);
+#ifndef MAXSUBAUTHS
+#define MAXSUBAUTHS 15 /* max sub authorities in a SID */
+#endif
+
#endif /*_DOM_SID_H_*/
diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c
index 163c6c2..130e257 100644
--- a/source3/lib/util_sid.c
+++ b/source3/lib/util_sid.c
@@ -408,6 +408,9 @@ bool sid_parse(const char *inbuf, size_t len, DOM_SID *sid)
sid->sid_rev_num = CVAL(inbuf, 0);
sid->num_auths = CVAL(inbuf, 1);
+ if (sid->num_auths > MAXSUBAUTHS) {
+ return false;
+ }
memcpy(sid->id_auth, inbuf+2, 6);
if (len < 8 + sid->num_auths*4)
return False;
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index 1fb541d..08b8311 100644
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -2128,7 +2128,9 @@ static void dump_sid(ADS_STRUCT *ads, const char *field,
struct berval **values)
for (i=0; values[i]; i++) {
DOM_SID sid;
fstring tmp;
- sid_parse(values[i]->bv_val, values[i]->bv_len, &sid);
+ if (!sid_parse(values[i]->bv_val, values[i]->bv_len, &sid)) {
+ continue;
+ }
printf("%s: %s\n", field, sid_to_fstring(tmp, &sid));
}
}
diff --git a/source3/libsmb/cliquota.c b/source3/libsmb/cliquota.c
index e40dac3..2af5b22 100644
--- a/source3/libsmb/cliquota.c
+++ b/source3/libsmb/cliquota.c
@@ -117,7 +117,9 @@ static bool parse_user_quota_record(const char *rdata,
unsigned int rdata_count,
}
#endif /* LARGE_SMB_OFF_T */
- sid_parse(rdata+40,sid_len,&qt.sid);
+ if (!sid_parse(rdata+40,sid_len,&qt.sid)) {
+ return false;
+ }
qt.qtype = SMB_USER_QUOTA_TYPE;
diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
index 2af9a79..fcb2f8d 100644
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -2079,7 +2079,11 @@ static void call_nt_transact_ioctl(connection_struct
*conn,
/* unknown 4 bytes: this is not the length of the sid :-( */
/*unknown = IVAL(pdata,0);*/
- sid_parse(pdata+4,sid_len,&sid);
+ if (!sid_parse(pdata+4,sid_len,&sid)) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return;
+ }
+
DEBUGADD(10, ("for SID: %s\n", sid_string_dbg(&sid)));
if (!sid_to_uid(&sid, &uid)) {
@@ -2335,7 +2339,10 @@ static void
call_nt_transact_get_user_quota(connection_struct *conn,
break;
}
- sid_parse(pdata+8,sid_len,&sid);
+ if (!sid_parse(pdata+8,sid_len,&sid)) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return;
+ }
if (vfs_get_ntquota(fsp, SMB_USER_QUOTA_TYPE, &sid,
&qt)!=0) {
ZERO_STRUCT(qt);
@@ -2516,7 +2523,11 @@ static void
call_nt_transact_set_user_quota(connection_struct *conn,
}
#endif /* LARGE_SMB_OFF_T */
- sid_parse(pdata+40,sid_len,&sid);
+ if (!sid_parse(pdata+40,sid_len,&sid)) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return;
+ }
+
DEBUGADD(8,("SID: %s\n", sid_string_dbg(&sid)));
/* 44 unknown bytes left... */
--
SAMBA-CTDB repository
