The Samba-Bugzilla – Attachment 14747 Details for
Bug 13711
[Not Samba] [NETATALK] Unauthenticated remote code execution in Netatalk
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
Patch for 2.0.x
netatalk-CVE-2018-1160.patch (text/plain), 2.44 KB, created by
Petr Gajdos
on 2018-12-19 13:57:11 UTC
(
hide
)
Description:
Patch for 2.0.x
Filename:
MIME Type:
Creator:
Petr Gajdos
Created:
2018-12-19 13:57:11 UTC
Size:
2.44 KB
patch
obsolete
>Index: netatalk-2.0.3/libatalk/dsi/dsi_opensess.c >=================================================================== >--- netatalk-2.0.3.orig/libatalk/dsi/dsi_opensess.c 2018-12-18 12:50:13.779890014 +0100 >+++ netatalk-2.0.3/libatalk/dsi/dsi_opensess.c 2018-12-18 14:34:12.128900016 +0100 >@@ -14,24 +14,44 @@ > #include <sys/types.h> > > #include <atalk/dsi.h> >+#include <atalk/util.h> >+#include <atalk/logger.h> > > /* OpenSession. set up the connection */ > void dsi_opensession(DSI *dsi) > { >- u_int32_t i = 0; /* this serves double duty. it must be 4-bytes long */ >+ size_t i = 0; >+ uint32_t servquant; >+ uint8_t cmd; >+ size_t option_len; > > /* parse options */ >- while (i < dsi->cmdlen) { >- switch (dsi->commands[i++]) { >+ while (i + 1 < dsi->cmdlen) { >+ cmd = dsi->commands[i++]; >+ option_len = dsi->commands[i++]; >+ >+ if (i + option_len > dsi->cmdlen) { >+ LOG(log_error, logtype_default, "option %u too large: %zu", >+ cmd, option_len); >+ exit(EXITERR_CLNT); >+ } >+ >+ switch (cmd) { > case DSIOPT_ATTNQUANT: >- memcpy(&dsi->attn_quantum, dsi->commands + i + 1, dsi->commands[i]); >+ if (option_len != sizeof(dsi->attn_quantum)) { >+ LOG(log_error, logtype_default, "option %u bad length: %zu", >+ cmd, option_len); >+ exit(EXITERR_CLNT); >+ } >+ memcpy(&dsi->attn_quantum, &dsi->commands[i], option_len); > dsi->attn_quantum = ntohl(dsi->attn_quantum); > > case DSIOPT_SERVQUANT: /* just ignore these */ > default: >- i += dsi->commands[i] + 1; /* forward past length tag + length */ > break; > } >+ >+ i += option_len; > } > > /* let the client know the server quantum. we don't use the >@@ -39,13 +59,13 @@ void dsi_opensession(DSI *dsi) > dsi->header.dsi_flags = DSIFL_REPLY; > dsi->header.dsi_code = 0; > /* dsi->header.dsi_command = DSIFUNC_OPEN;*/ >- dsi->cmdlen = 2 + sizeof(i); /* length of data. dsi_send uses it. */ >+ dsi->cmdlen = 2 + sizeof(uint32_t); /* length of data. dsi_send uses it. */ > dsi->commands[0] = DSIOPT_SERVQUANT; >- dsi->commands[1] = sizeof(i); >- i = htonl(( dsi->server_quantum < DSI_SERVQUANT_MIN || >+ dsi->commands[1] = sizeof(servquant); >+ servquant = htonl(( dsi->server_quantum < DSI_SERVQUANT_MIN || > dsi->server_quantum > DSI_SERVQUANT_MAX ) ? > DSI_SERVQUANT_DEF : dsi->server_quantum); >- memcpy(dsi->commands + 2, &i, sizeof(i)); >+ memcpy(dsi->commands + 2, &servquant, sizeof(servquant)); > > dsi_send(dsi); > }
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=14747">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Flags:
slow
:
review+
Actions:
View
Attachments on
bug 13711
:
14735
|
14736
|
14737
| 14747 |
14748