The Samba-Bugzilla – Attachment 13279 Details for Bug 12836
Misused talloc context can cause a user to crash their smbd by chaining SMB1 commands.
[patch] Patch with attribution to the bug reporter
patch.txt (text/plain), 1.94 KB, created by Volker Lendecke on 2017-06-15 06:57:30 UTC
Description: Patch with attribution to the bug reporter
Filename: patch.txt
MIME Type: text/plain
Creator: Volker Lendecke
Created: 2017-06-15 06:57:30 UTC
Size: 1.94 KB
Marked as: patch, obsolete
>From 03f77624a72a16c44f6516fe31b161894bd7a592 Mon Sep 17 00:00:00 2001 >From: Volker Lendecke <vl@samba.org> >Date: Thu, 15 Jun 2017 06:40:47 +0000 >Subject: [PATCH 1/2] smbd: Don't allow pipe writes in a chain > >Fixes a use-after free > >Reported to the Samba Team by Yihan Lian <lianyihan@360.cn>, a security >researcher of Qihoo 360 GearTeam. Thanks a lot! > >Bug: https://bugzilla.samba.org/show_bug.cgi?id=12836 >Signed-off-by: Volker Lendecke <vl@samba.org> >--- > source3/smbd/reply.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c >index e6fabad8e00..d57a83d8d05 100644 >--- a/source3/smbd/reply.c >+++ b/source3/smbd/reply.c >@@ -5050,7 +5050,7 @@ void reply_write_and_X(struct smb_request *req) > > /* If it's an IPC, pass off the pipe handler. */ > if (IS_IPC(conn)) { >- if (req->unread_bytes) { >+ if ((req->unread_bytes) || req_is_in_chain(req)) { > reply_nterror(req, NT_STATUS_INVALID_PARAMETER); > goto out; > } >-- >2.11.0 > > >From 674699b78e860730b8895b8520f83a87c6e94c53 Mon Sep 17 00:00:00 2001 >From: Volker Lendecke <vl@samba.org> >Date: Thu, 15 Jun 2017 06:40:47 +0000 >Subject: [PATCH 2/2] smbd: Don't allow pipe reads in a chain > >No reproducer for any bug yet, but the write&x counterpart does a >use-after-free. Be safe in the read&x side too. > >Bug: https://bugzilla.samba.org/show_bug.cgi?id=12836 >Signed-off-by: Volker Lendecke <vl@samba.org> >--- > source3/smbd/reply.c | 5 +++++ > 1 file changed, 5 insertions(+) > >diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c >index d57a83d8d05..078fdf767d9 100644 >--- a/source3/smbd/reply.c >+++ b/source3/smbd/reply.c 
>@@ -4286,6 +4286,11 @@ void reply_read_and_X(struct smb_request *req) > > /* If it's an IPC, pass off the pipe handler. */ > if (IS_IPC(conn)) { >+ if (req_is_in_chain(req)) { >+ reply_nterror(req, NT_STATUS_ACCESS_DENIED); >+ END_PROFILE(SMBreadX); >+ return; >+ } > reply_pipe_read_and_X(req); > END_PROFILE(SMBreadX); > return; >-- >2.11.0 >
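Review bot: in the reply_write_and_X hunk (PATCH 1/2), the new condition `if ((req->unread_bytes) || req_is_in_chain(req))` carries a redundant pair of parentheses around `req->unread_bytes`; `if (req->unread_bytes || req_is_in_chain(req))` reads cleaner and matches the surrounding style. More importantly, the check has no comment saying why a chained pipe write is refused: the commit message explains it closes a use-after-free, but a later reader of reply.c sees only an unexplained NT_STATUS_INVALID_PARAMETER and may be tempted to relax it. Suggest a one-line comment above the check, e.g. `/* Pipe writes in a chain are not allowed, see bug 12836 */`, so the constraint survives future cleanups.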
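Review bot: in the reply_read_and_X hunk (PATCH 2/2), a chained pipe read is rejected with NT_STATUS_ACCESS_DENIED while the write side in PATCH 1/2 rejects the same condition with NT_STATUS_INVALID_PARAMETER; the two should agree, or the commit message should say why symmetric operations return different errors to the client. Since the message also notes there is no reproducer for the read side yet, a short comment marking the check as precautionary (mirroring the write&X fix, bug 12836) would help. The repeated `END_PROFILE(SMBreadX); return;` inside the new block duplicates the two lines that already follow `reply_pipe_read_and_X(req);`; it is correct as written, but an `if/else` around the call would avoid the duplication.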
Flags: jra: review+
Attachments on bug 12836: 13278 | 13279 | 13288 | 13375 | 13386 | 13397