The Samba-Bugzilla – Attachment 13705 Details for Bug 13092: potential use of uninitialised memory in smb3_validate_negotiate()
Description: patches to fix validate negotiate info response memory leak and buffer overrun
Filename: fix_validate_neginfo_leak_and_buffer_overrun.patchset
MIME Type: text/plain
Creator: David Disseldorp
Created: 2017-10-18 23:19:15 UTC
Size: 2.72 KB
Flags: patch, obsolete
>From c2ce58335151d81235a52b09cae3d6a8cd2fe778 Mon Sep 17 00:00:00 2001 >From: David Disseldorp <ddiss@suse.de> >Date: Thu, 19 Oct 2017 00:43:06 +0200 >Subject: [PATCH 1/2] SMB: fix leak of validate negotiate info response buffer > >Fixes: ff1c038addc4 ("Check SMB3 dialects against downgrade attacks") >Signed-off-by: David Disseldorp <ddiss@suse.de> >--- > fs/cifs/smb2pdu.c | 7 +++++-- > 1 file changed, 5 insertions(+), 2 deletions(-) > >diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c >index 6f0e6343c15e..052ab5dee6b6 100644 >--- a/fs/cifs/smb2pdu.c >+++ b/fs/cifs/smb2pdu.c >@@ -648,7 +648,7 @@ int smb3_validate_negotiate(const unsigned int xid, struct cifs_tcon *tcon) > { > int rc = 0; > struct validate_negotiate_info_req vneg_inbuf; >- struct validate_negotiate_info_rsp *pneg_rsp; >+ struct validate_negotiate_info_rsp *pneg_rsp = NULL; > u32 rsplen; > u32 inbuflen; /* max of 4 dialects */ > >@@ -728,7 +728,7 @@ int smb3_validate_negotiate(const unsigned int xid, struct cifs_tcon *tcon) > > /* relax check since Mac returns max bufsize allowed on ioctl */ > if (rsplen > CIFSMaxBufSize) >- return -EIO; >+ goto err_rsp_free; > } > > /* check validate negotiate info response matches what we got earlier */ >@@ -747,10 +747,13 @@ int smb3_validate_negotiate(const unsigned int xid, struct cifs_tcon *tcon) > > /* validate negotiate successful */ > cifs_dbg(FYI, "validate negotiate info successful\n"); >+ kfree(pneg_rsp); > return 0; > > vneg_out: > cifs_dbg(VFS, "protocol revalidation - security settings mismatch\n"); >+err_rsp_free: >+ kfree(pneg_rsp); > return -EIO; > } > >-- >2.13.6 > > >From 82586902fb4467b068670b1a49cfa6f63bb33312 Mon Sep 17 00:00:00 2001 
>From: David Disseldorp <ddiss@suse.de> >Date: Thu, 19 Oct 2017 00:50:11 +0200 >Subject: [PATCH 2/2] SMB: fix validate negotiate info uninitialised memory use > >An undersize validate negotiate info server response causes the client >to use uninitialised memory for struct validate_negotiate_info_rsp >comparisons of Dialect, SecurityMode and/or Capabilities members. > >Link: https://bugzilla.samba.org/show_bug.cgi?id=13092 >Fixes: 7db0a6efdc3e ("SMB3: Work around mount failure when using SMB3 dialect to Macs") >Signed-off-by: David Disseldorp <ddiss@suse.de> >--- > fs/cifs/smb2pdu.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > >diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c >index 052ab5dee6b6..c836de2f79b2 100644 >--- a/fs/cifs/smb2pdu.c >+++ b/fs/cifs/smb2pdu.c >@@ -727,7 +727,8 @@ int smb3_validate_negotiate(const unsigned int xid, struct cifs_tcon *tcon) > rsplen); > > /* relax check since Mac returns max bufsize allowed on ioctl */ >- if (rsplen > CIFSMaxBufSize) >+ if ((rsplen > CIFSMaxBufSize) >+ || (rsplen < sizeof(struct validate_negotiate_info_rsp))) > goto err_rsp_free; > } > >-- >2.13.6 >
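Review bot: the `pneg_rsp = NULL` initialisation in the first hunk of patch 1/2 (@@ -648,7 +648,7 @@) only matters if some path can reach err_rsp_free before SMB2_ioctl has assigned the pointer, and in the hunks shown the label is reached only from the rsplen check and by fall-through from vneg_out, both after the response has been received. If the intent is to also route an earlier error return (not shown in this patch) through err_rsp_free, that return should be converted to `goto err_rsp_free;` in the same patch; otherwise a one-line comment that the NULL is defensive (kfree(NULL) is a no-op) would save the next reader from hunting for the path that needs it.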
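Review bot: the second hunk of patch 1/2 (@@ -728,7 +728,7 @@) keeps `rsplen > CIFSMaxBufSize` as the only size condition, so a response shorter than sizeof(struct validate_negotiate_info_rsp) still falls through to the member comparisons that follow the "check validate negotiate info response matches what we got earlier" comment. The preceding comment says the exact-size check is relaxed only so the larger Mac response is accepted, so the lower bound belongs here as well: `if (rsplen > CIFSMaxBufSize || rsplen < sizeof(struct validate_negotiate_info_rsp)) goto err_rsp_free;`. Patch 2/2 adds exactly this; since the undersize case is the memory-safety bug rather than the leak, consider folding it into this hunk so the two fixes do not have to travel together.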
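Review bot: in the third hunk of patch 1/2 (@@ -747,10 +747,13 @@) the vneg_out block now falls through into err_rsp_free, which is the intended behaviour (the mismatch path must free the buffer too) but reads like an accidentally missing return; add a `/* fall through */` comment after the `cifs_dbg(VFS, "protocol revalidation - security settings mismatch\n");` line so static checkers and readers see it is deliberate. The added `kfree(pneg_rsp);` before `return 0;` is correct, as the success path previously leaked the response buffer as well.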
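Review bot: the hunk in patch 2/2 (@@ -727,7 +727,8 @@) branches to err_rsp_free, a label that exists only after patch 1/2, so this patch cannot be applied to a tree that lacks 1/2 even though its Fixes: tag names 7db0a6efdc3e and 1/2's names ff1c038addc4; either note the prerequisite in the commit message or make 1/2 a stated dependency, and since a malicious or buggy server can trigger the uninitialised read, a Cc: stable@vger.kernel.org tag is warranted. On style, kernel coding style puts the `||` at the end of the first line rather than the start of the continuation (checkpatch warns "Logical continuations should be on the previous line"), and the parentheses around each comparison are unnecessary: `if (rsplen > CIFSMaxBufSize ||` / `    rsplen < sizeof(struct validate_negotiate_info_rsp))`.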