From 03f77624a72a16c44f6516fe31b161894bd7a592 Mon Sep 17 00:00:00 2001
From: Volker Lendecke
Date: Thu, 15 Jun 2017 06:40:47 +0000
Subject: [PATCH 1/2] smbd: Don't allow pipe writes in a chain

Fixes a use-after free

Reported to the Samba Team by Yihan Lian , a security researcher of Qihoo 360 GearTeam. Thanks a lot!

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12836

Signed-off-by: Volker Lendecke
---
 source3/smbd/reply.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index e6fabad8e00..d57a83d8d05 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -5050,7 +5050,7 @@ void reply_write_and_X(struct smb_request *req)
 	/* If it's an IPC, pass off the pipe handler. */
 	if (IS_IPC(conn)) {
-		if (req->unread_bytes) {
+		if ((req->unread_bytes) || req_is_in_chain(req)) {
 			reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
 			goto out;
 		}
-- 
2.11.0

From 674699b78e860730b8895b8520f83a87c6e94c53 Mon Sep 17 00:00:00 2001
From: Volker Lendecke
Date: Thu, 15 Jun 2017 06:40:47 +0000
Subject: [PATCH 2/2] smbd: Don't allow pipe reads in a chain

No reproducer for any bug yet, but the write&x counterpart does a use-after-free. Be safe in the read&x side too.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12836

Signed-off-by: Volker Lendecke
---
 source3/smbd/reply.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index d57a83d8d05..078fdf767d9 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -4286,6 +4286,11 @@ void reply_read_and_X(struct smb_request *req)
 	/* If it's an IPC, pass off the pipe handler. */
 	if (IS_IPC(conn)) {
+		if (req_is_in_chain(req)) {
+			reply_nterror(req, NT_STATUS_ACCESS_DENIED);
+			END_PROFILE(SMBreadX);
+			return;
+		}
 		reply_pipe_read_and_X(req);
 		END_PROFILE(SMBreadX);
 		return;
-- 
2.11.0
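Review bot: The new `req_is_in_chain(req)` condition in reply_write_and_X carries no comment saying why a pipe write inside an AndX chain is refused, so the next reader sees only an unexplained parameter error; a one-line `/* Pipe writes in an AndX chain are rejected: the pipe write path cannot run as part of a chained request (bug 12836). */` above the `if` would record the reason the commit message gives. The same condition in the reply_read_and_X hunk of PATCH 2/2 answers with NT_STATUS_ACCESS_DENIED while this hunk answers NT_STATUS_INVALID_PARAMETER; if that difference is not deliberate (it may be, since this branch already used INVALID_PARAMETER for the unread_bytes case), the two should agree so a client sees one status for one rule. The extra parentheses around `req->unread_bytes` are redundant and can be dropped: `if (req->unread_bytes || req_is_in_chain(req)) {`. The body of reply_write_and_X continues outside the hunk, including the `out:` label the `goto` targets.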
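Review bot: The added early-return block in reply_read_and_X repeats the `END_PROFILE(SMBreadX); return;` pair that the IS_IPC branch already executes two lines below it, so the profiling bookkeeping now exists twice in the same branch and must be kept in sync if it ever changes. Folding the check into the existing tail avoids that: `if (req_is_in_chain(req)) { reply_nterror(req, NT_STATUS_ACCESS_DENIED); } else { reply_pipe_read_and_X(req); }` followed by the single existing `END_PROFILE(SMBreadX); return;`. A short comment such as `/* Defensive: pipe reads are not allowed as part of an AndX chain (see bug 12836). */` would also make clear that this is a precaution without a known reproducer, as the commit message states. The rest of reply_read_and_X lies outside the hunk.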