The Samba-Bugzilla – Attachment 15956 Details for
Bug 14366
Malicious SMB1 server can crash libsmbclient
14366.patch.txt (text/plain), 7.55 KB, created by
Volker Lendecke
on 2020-05-06 15:58:25 UTC
>From b33b7a0aedbd29bb23eb41fea4e378b757c5c32c Mon Sep 17 00:00:00 2001
>From: Volker Lendecke <vl@samba.org>
>Date: Sat, 2 May 2020 14:54:01 +0200
>Subject: [PATCH 1/4] libsmb: Fix indentation in cli_RNetShareEnum()
>
>Also remove a level of indentation with a "goto done;"
>
>Best review with "git show -b", almost no code change
>
>Bug: https://bugzilla.samba.org/show_bug.cgi?id=14366
>Signed-off-by: Volker Lendecke <vl@samba.org>
>Reviewed-by: Andreas Schneider <asn@samba.org>
>(cherry picked from commit ae91d67a247424d4ddc89230f52365558d6ff402)
>---
> source3/libsmb/clirap.c | 133 +++++++++++++++++++++-------------------
> 1 file changed, 69 insertions(+), 64 deletions(-)
>
>diff --git a/source3/libsmb/clirap.c b/source3/libsmb/clirap.c
>index 71c7b97ad54..8171257f6d1 100644
>--- a/source3/libsmb/clirap.c
>+++ b/source3/libsmb/clirap.c
>@@ -175,6 +175,8 @@ int cli_RNetShareEnum(struct cli_state *cli, void (*fn)(const char *, uint32_t,
> unsigned int rdrcnt,rprcnt;
> char param[1024];
> int count = -1;
>+ bool ok;
>+ int res;
>
> /* now send a SMBtrans command with api RNetShareEnum */
> p = param;
>@@ -192,74 +194,77 @@ int cli_RNetShareEnum(struct cli_state *cli, void (*fn)(const char *, uint32_t,
> SSVAL(p,2,0xFFE0);
> p += 4;
>
>- if (cli_api(cli,
>- param, PTR_DIFF(p,param), 1024, /* Param, length, maxlen */
>- NULL, 0, 0xFFE0, /* data, length, maxlen - Win2k needs a small buffer here too ! */
>- &rparam, &rprcnt, /* return params, length */
>- &rdata, &rdrcnt)) /* return data, length */
>- {
>- int res = rparam? SVAL(rparam,0) : -1;
>-
>- if (res == 0 || res == ERRmoredata) {
>- int converter=SVAL(rparam,2);
>- int i;
>- char *rdata_end = rdata + rdrcnt;
>-
>- count=SVAL(rparam,4);
>- p = rdata;
>-
>- for (i=0;i<count;i++,p+=20) {
>- char *sname;
>- int type;
>- int comment_offset;
>- const char *cmnt;
>- const char *p1;
>- char *s1, *s2;
>- size_t len;
>- TALLOC_CTX *frame = talloc_stackframe();
>-
>- if (p + 20 > rdata_end) {
>- TALLOC_FREE(frame);
>- break;
>- }
>-
>- sname = p;
>- type = SVAL(p,14);
>- comment_offset = (IVAL(p,16) & 0xFFFF) - converter;
>- if (comment_offset < 0 ||
>- comment_offset > (int)rdrcnt) {
>- TALLOC_FREE(frame);
>- break;
>- }
>- cmnt = comment_offset?(rdata+comment_offset):"";
>-
>- /* Work out the comment length. */
>- for (p1 = cmnt, len = 0; *p1 &&
>- p1 < rdata_end; len++)
>- p1++;
>- if (!*p1) {
>- len++;
>- }
>- pull_string_talloc(frame,rdata,0,
>- &s1,sname,14,STR_ASCII);
>- pull_string_talloc(frame,rdata,0,
>- &s2,cmnt,len,STR_ASCII);
>- if (!s1 || !s2) {
>- TALLOC_FREE(frame);
>- continue;
>- }
>-
>- fn(s1, type, s2, state);
>+ ok = cli_api(
>+ cli,
>+ param, PTR_DIFF(p,param), 1024, /* Param, length, maxlen */
>+ NULL, 0, 0xFFE0, /* data, length, maxlen - Win2k needs a small buffer here too ! */
>+ &rparam, &rprcnt, /* return params, length */
>+ &rdata, &rdrcnt); /* return data, length */
>+ if (!ok) {
>+ DEBUG(4,("NetShareEnum failed\n"));
>+ goto done;
>+ }
>+
>+ res = rparam? SVAL(rparam,0) : -1;
>+
>+ if (res == 0 || res == ERRmoredata) {
>+ int converter=SVAL(rparam,2);
>+ int i;
>+ char *rdata_end = rdata + rdrcnt;
>+
>+ count=SVAL(rparam,4);
>+ p = rdata;
>+
>+ for (i=0;i<count;i++,p+=20) {
>+ char *sname;
>+ int type;
>+ int comment_offset;
>+ const char *cmnt;
>+ const char *p1;
>+ char *s1, *s2;
>+ size_t len;
>+ TALLOC_CTX *frame = talloc_stackframe();
>+
>+ if (p + 20 > rdata_end) {
>+ TALLOC_FREE(frame);
>+ break;
>+ }
>
>- TALLOC_FREE(frame);
>- }
>- } else {
>- DEBUG(4,("NetShareEnum res=%d\n", res));
>+ sname = p;
>+ type = SVAL(p,14);
>+ comment_offset = (IVAL(p,16) & 0xFFFF) - converter;
>+ if (comment_offset < 0 ||
>+ comment_offset > (int)rdrcnt) {
>+ TALLOC_FREE(frame);
>+ break;
> }
>- } else {
>- DEBUG(4,("NetShareEnum failed\n"));
>+ cmnt = comment_offset?(rdata+comment_offset):"";
>+
>+ /* Work out the comment length. */
>+ for (p1 = cmnt, len = 0; *p1 &&
>+ p1 < rdata_end; len++)
>+ p1++;
>+ if (!*p1) {
>+ len++;
>+ }
>+ pull_string_talloc(frame,rdata,0,
>+ &s1,sname,14,STR_ASCII);
>+ pull_string_talloc(frame,rdata,0,
>+ &s2,cmnt,len,STR_ASCII);
>+ if (!s1 || !s2) {
>+ TALLOC_FREE(frame);
>+ continue;
>+ }
>+
>+ fn(s1, type, s2, state);
>+
>+ TALLOC_FREE(frame);
> }
>+ } else {
>+ DEBUG(4,("NetShareEnum res=%d\n", res));
>+ }
>
>+done:
> SAFE_FREE(rparam);
> SAFE_FREE(rdata);
>
>--
>2.20.1
>
>
>From 019b1b34a453410a4965ae133401cb5d232c87f2 Mon Sep 17 00:00:00 2001
>From: Volker Lendecke <vl@samba.org>
>Date: Sat, 2 May 2020 14:59:07 +0200
>Subject: [PATCH 2/4] libsmb: Protect cli_RNetShareEnum() against rprcnt<6
>
>Bug: https://bugzilla.samba.org/show_bug.cgi?id=14366
>Signed-off-by: Volker Lendecke <vl@samba.org>
>Reviewed-by: Andreas Schneider <asn@samba.org>
>(cherry picked from commit 4a9fe4efefa67d6f24efcbe29722a43fc4859fdc)
>---
> source3/libsmb/clirap.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
>diff --git a/source3/libsmb/clirap.c b/source3/libsmb/clirap.c
>index 8171257f6d1..5e8b7bcecd1 100644
>--- a/source3/libsmb/clirap.c
>+++ b/source3/libsmb/clirap.c
>@@ -205,6 +205,11 @@ int cli_RNetShareEnum(struct cli_state *cli, void (*fn)(const char *, uint32_t,
> goto done;
> }
>
>+ if (rprcnt < 6) {
>+ DBG_ERR("Got invalid result: rprcnt=%u\n", rprcnt);
>+ goto done;
>+ }
>+
> res = rparam? SVAL(rparam,0) : -1;
>
> if (res == 0 || res == ERRmoredata) {
>--
>2.20.1
>
>
>From 22b1937488f9a1c43c48b76b706fd868b19bf8e5 Mon Sep 17 00:00:00 2001
>From: Volker Lendecke <vl@samba.org>
>Date: Sat, 2 May 2020 15:10:14 +0200
>Subject: [PATCH 3/4] libsmb: Protect cli_RNetServerEnum against rprcnt<6
>
>Bug: https://bugzilla.samba.org/show_bug.cgi?id=14366
>Signed-off-by: Volker Lendecke <vl@samba.org>
>Reviewed-by: Andreas Schneider <asn@samba.org>
>(cherry picked from commit ce8b70df7bd63e96723b8e8dc864f1690f5fad7b)
>---
> source3/libsmb/clirap.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
>diff --git a/source3/libsmb/clirap.c b/source3/libsmb/clirap.c
>index 5e8b7bcecd1..b3e82440c10 100644
>--- a/source3/libsmb/clirap.c
>+++ b/source3/libsmb/clirap.c
>@@ -373,6 +373,13 @@ bool cli_NetServerEnum(struct cli_state *cli, char *workgroup, uint32_t stype,
> }
>
> rdata_end = rdata + rdrcnt;
>+
>+ if (rprcnt < 6) {
>+ DBG_ERR("Got invalid result: rprcnt=%u\n", rprcnt);
>+ res = -1;
>+ break;
>+ }
>+
> res = rparam ? SVAL(rparam,0) : -1;
>
> if (res == 0 || res == ERRmoredata ||
>--
>2.20.1
>
>
>From 4bf2e3c416cb0e33fb98b030a2292c0ef935676c Mon Sep 17 00:00:00 2001
>From: Volker Lendecke <vl@samba.org>
>Date: Sat, 2 May 2020 15:18:07 +0200
>Subject: [PATCH 4/4] libsmb: Protect cli_oem_change_password() from rprcnt<2
>
>Bug: https://bugzilla.samba.org/show_bug.cgi?id=14366
>Signed-off-by: Volker Lendecke <vl@samba.org>
>Reviewed-by: Andreas Schneider <asn@samba.org>
>
>Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
>Autobuild-Date(master): Tue May 5 17:12:04 UTC 2020 on sn-devel-184
>
>(cherry picked from commit f80c97cb8da64f3cd9904e2e1fd43c29b691166d)
>---
> source3/libsmb/clirap.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
>diff --git a/source3/libsmb/clirap.c b/source3/libsmb/clirap.c
>index b3e82440c10..1be331afda6 100644
>--- a/source3/libsmb/clirap.c
>+++ b/source3/libsmb/clirap.c
>@@ -603,10 +603,16 @@ bool cli_oem_change_password(struct cli_state *cli, const char *user, const char
> return False;
> }
>
>+ if (rdrcnt < 2) {
>+ cli->rap_error = ERRbadformat;
>+ goto done;
>+ }
>+
> if (rparam) {
> cli->rap_error = SVAL(rparam,0);
> }
>
>+done:
> SAFE_FREE(rparam);
> SAFE_FREE(rdata);
>
>--
>2.20.1
>
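Review bot: The comment-length loop kept on the new side of the refactor, `for (p1 = cmnt, len = 0; *p1 && p1 < rdata_end; len++)`, dereferences p1 before comparing it with rdata_end, so a comment that runs unterminated to the end of the server-supplied data reads one byte past rdata + rdrcnt, and the following `if (!*p1)` repeats that read; the preceding bound `comment_offset > (int)rdrcnt` also lets comment_offset equal rdrcnt, which starts cmnt exactly at rdata_end. Since rdrcnt and the data are attacker-controlled in this bug's scenario, this is the same class of over-read the series is fixing, unless cli_api() guarantees a terminator beyond rdrcnt (not visible here). I would swap the condition and test the pointer instead of the byte afterwards: `for (p1 = cmnt, len = 0; p1 < rdata_end && *p1; len++)` and `if (p1 < rdata_end) { len++; }`, optionally tightening the earlier check to `comment_offset >= (int)rdrcnt`. cli_RNetShareEnum() begins before this hunk and its return continues after it.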
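Review bot: The new `DBG_ERR("Got invalid result: rprcnt=%u\n", rprcnt);` in cli_RNetShareEnum() logs at error level for a condition that any remote server can trigger on every call, whereas the existing failure path two lines above uses `DEBUG(4,("NetShareEnum failed\n"));`; a hostile or merely broken SMB1 server can therefore flood the client's log at a level operators usually alert on. Unless the project wants this particular malformed reply to be loud, I would log it at the same level as its neighbour, e.g. `DBG_INFO("Got invalid result: rprcnt=%u\n", rprcnt);`, so the check's behaviour matches the surrounding error handling. The format specifier itself is correct, as rprcnt is declared `unsigned int` in the first patch. The enclosing function starts before this hunk and ends after it.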
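Review bot: The added guard tests the wrong count: it checks `rdrcnt < 2`, but the read it is meant to protect is `cli->rap_error = SVAL(rparam,0);`, which pulls two bytes from the parameter buffer, whose length is rprcnt (the subject line itself says "rprcnt<2"). A server that returns fewer than two parameter bytes together with two or more data bytes still passes the check and the SVAL reads past the end of rparam, so the crash this patch targets is not closed. The fix is the one-word change `if (rprcnt < 2) {`; if both buffers are consumed elsewhere in the function it may be worth checking both, but only rparam is read in this hunk. cli_oem_change_password() begins and ends outside the hunk, so what the function returns after the `done:` label is not visible here.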