The Samba-Bugzilla – Attachment 4758 Details for
Bug 6768
Specifically crafted stream of packets can force smbd into an infinite loop; CVE-2009-2906
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
Patch for v3-4-test
v3-4.patch (text/plain), 3.60 KB, created by
Jeremy Allison
on 2009-09-29 13:19:49 UTC
(
hide
)
Description:
Patch for v3-4-test
Filename:
MIME Type:
Creator:
Jeremy Allison
Created:
2009-09-29 13:19:49 UTC
Size:
3.60 KB
patch
obsolete
>diff --git a/source3/include/smb.h b/source3/include/smb.h >index 7cb8e95..2a3c455 100644 >--- a/source3/include/smb.h >+++ b/source3/include/smb.h >@@ -729,6 +729,7 @@ struct pending_message_list { > struct timed_event *te; > struct smb_perfcount_data pcd; > bool encrypted; >+ bool processed; > DATA_BLOB buf; > DATA_BLOB private_data; > }; >diff --git a/source3/smbd/process.c b/source3/smbd/process.c >index caf9241..b4976f7 100644 >--- a/source3/smbd/process.c >+++ b/source3/smbd/process.c >@@ -412,6 +412,7 @@ static void smbd_deferred_open_timer(struct event_context *ev, > struct pending_message_list *msg = talloc_get_type(private_data, > struct pending_message_list); > TALLOC_CTX *mem_ctx = talloc_tos(); >+ uint16_t mid = SVAL(msg->buf.data,smb_mid); > uint8_t *inbuf; > > inbuf = (uint8_t *)talloc_memdup(mem_ctx, msg->buf.data, >@@ -424,11 +425,21 @@ static void smbd_deferred_open_timer(struct event_context *ev, > /* We leave this message on the queue so the open code can > know this is a retry. */ > DEBUG(5,("smbd_deferred_open_timer: trigger mid %u.\n", >- (unsigned int)SVAL(msg->buf.data,smb_mid))); >+ (unsigned int)mid)); >+ >+ /* Mark the message as processed so this is not >+ * re-processed in error. */ >+ msg->processed = true; > > process_smb(smbd_server_conn, inbuf, > msg->buf.length, 0, > msg->encrypted, &msg->pcd); >+ >+ /* If it's still there and was processed, remove it. */ >+ msg = get_open_deferred_message(mid); >+ if (msg && msg->processed) { >+ remove_deferred_open_smb_message(mid); >+ } > } > > /**************************************************************************** >@@ -460,6 +471,7 @@ static bool push_queued_message(struct smb_request *req, > > msg->request_time = request_time; > msg->encrypted = req->encrypted; >+ msg->processed = false; > SMB_PERFCOUNT_DEFER_OP(&req->pcd, &msg->pcd); > > if (private_data) { >@@ -501,7 +513,7 @@ void remove_deferred_open_smb_message(uint16 mid) > > for (pml = deferred_open_queue; pml; pml = pml->next) { > if (mid == SVAL(pml->buf.data,smb_mid)) { >- DEBUG(10,("remove_sharing_violation_open_smb_message: " >+ DEBUG(10,("remove_deferred_open_smb_message: " > "deleting mid %u len %u\n", > (unsigned int)mid, > (unsigned int)pml->buf.length )); >@@ -531,6 +543,15 @@ void schedule_deferred_open_smb_message(uint16 mid) > if (mid == msg_mid) { > struct timed_event *te; > >+ if (pml->processed) { >+ /* A processed message should not be >+ * rescheduled. */ >+ DEBUG(0,("schedule_deferred_open_smb_message: LOGIC ERROR " >+ "message mid %u was already processed\n", >+ msg_mid )); >+ continue; >+ } >+ > DEBUG(10,("schedule_deferred_open_smb_message: scheduling mid %u\n", > mid )); > >@@ -557,7 +578,7 @@ void schedule_deferred_open_smb_message(uint16 mid) > } > > /**************************************************************************** >- Return true if this mid is on the deferred queue. >+ Return true if this mid is on the deferred queue and was not yet processed. > ****************************************************************************/ > > bool open_was_deferred(uint16 mid) >@@ -565,7 +586,7 @@ bool open_was_deferred(uint16 mid) > struct pending_message_list *pml; > > for (pml = deferred_open_queue; pml; pml = pml->next) { >- if (SVAL(pml->buf.data,smb_mid) == mid) { >+ if (SVAL(pml->buf.data,smb_mid) == mid && !pml->processed) { > return True; > } > } >@@ -1300,7 +1321,6 @@ static connection_struct *switch_message(uint8 type, struct smb_request *req, in > > if (!change_to_user(conn,session_tag)) { > reply_nterror(req, NT_STATUS_DOS(ERRSRV, ERRbaduid)); >- remove_deferred_open_smb_message(req->mid); > return conn; > } >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=4758">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Actions:
View
Attachments on
bug 6768
:
4756
|
4757
| 4758 |
4760
|
4761
|
4762
|
4763
|
4767