The Samba-Bugzilla – Attachment 13278 Details for
Bug 12836
Misused talloc context can cause a user to crash their smbd by chaining SMB1 commands.
Patch
patch.txt (text/plain), 1.82 KB, created by
Volker Lendecke
on 2017-06-15 06:54:10 UTC
>From e988a94cbb03932f5f8d80f0cf03db95378c66b4 Mon Sep 17 00:00:00 2001 >From: Volker Lendecke <vl@samba.org> >Date: Thu, 15 Jun 2017 06:40:47 +0000 >Subject: [PATCH 1/2] smbd: Don't allow pipe writes in a chain > >Fixes a use-after free > >Bug: https://bugzilla.samba.org/show_bug.cgi?id=12836 >Signed-off-by: Volker Lendecke <vl@samba.org> >--- > source3/smbd/reply.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c >index e6fabad8e00..d57a83d8d05 100644 >--- a/source3/smbd/reply.c >+++ b/source3/smbd/reply.c >@@ -5050,7 +5050,7 @@ void reply_write_and_X(struct smb_request *req) > > /* If it's an IPC, pass off the pipe handler. */ > if (IS_IPC(conn)) { >- if (req->unread_bytes) { >+ if ((req->unread_bytes) || req_is_in_chain(req)) { > reply_nterror(req, NT_STATUS_INVALID_PARAMETER); > goto out; > } >-- >2.11.0 > > >From c245f3061077527bb01f53525d418cf984ec7e5c Mon Sep 17 00:00:00 2001 >From: Volker Lendecke <vl@samba.org> >Date: Thu, 15 Jun 2017 06:40:47 +0000 >Subject: [PATCH 2/2] smbd: Don't allow pipe reads in a chain > >No reproducer for any bug yet, but the write&x counterpart does a >use-after-free. Be safe in the read&x side too. > >Bug: https://bugzilla.samba.org/show_bug.cgi?id=12836 >Signed-off-by: Volker Lendecke <vl@samba.org> >--- > source3/smbd/reply.c | 5 +++++ > 1 file changed, 5 insertions(+) > >diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c >index d57a83d8d05..078fdf767d9 100644 >--- a/source3/smbd/reply.c >+++ b/source3/smbd/reply.c >@@ -4286,6 +4286,11 @@ void reply_read_and_X(struct smb_request *req) > > /* If it's an IPC, pass off the pipe handler. */ > if (IS_IPC(conn)) { >+ if (req_is_in_chain(req)) { >+ reply_nterror(req, NT_STATUS_ACCESS_DENIED); >+ END_PROFILE(SMBreadX); >+ return; >+ } > reply_pipe_read_and_X(req); > END_PROFILE(SMBreadX); > return; >-- >2.11.0 >
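Review bot: In the reply_write_and_X hunk (patch 1/2), the new `|| req_is_in_chain(req)` test is folded into the existing `req->unread_bytes` condition with no comment, so a later reader of reply.c cannot tell that the chain rejection is there to prevent the use-after-free rather than to validate parameters. Suggest giving it its own `if (req_is_in_chain(req))` branch with a one-line comment pointing at bug 12836, and dropping the redundant parentheses around `req->unread_bytes`. The commit message says only "Fixes a use-after free"; naming the object that is freed and why chaining triggers it would help anyone backporting the fix.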
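Review bot: In the reply_read_and_X hunk (patch 2/2), a chained IPC read is rejected with NT_STATUS_ACCESS_DENIED, while the matching check in reply_write_and_X from patch 1/2 returns NT_STATUS_INVALID_PARAMETER for the same condition. Unless the difference is deliberate, use one status for both paths so clients see consistent behaviour for chained pipe I/O. A short comment above `if (req_is_in_chain(req))` saying that this is a precaution mirroring the write&x fix would also help, since the commit message notes there is no reproducer for the read side yet.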