The Samba-Bugzilla – Attachment 5762 Details for
Bug 7494
Buffer overrun possible in chain_reply code in 3.3.x and below; CVE-2010-2063
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
Proposed patch for 3.3.x.
look (text/plain), 1.06 KB, created by
Jeremy Allison
on 2010-06-07 13:37:15 UTC
(
hide
)
Description:
Proposed patch for 3.3.x.
Filename:
MIME Type:
Creator:
Jeremy Allison
Created:
2010-06-07 13:37:15 UTC
Size:
1.06 KB
patch
obsolete
>diff --git a/source/smbd/process.c b/source/smbd/process.c >index 446b868..403c7c6 100644 >--- a/source/smbd/process.c >+++ b/source/smbd/process.c >@@ -1645,6 +1645,7 @@ void construct_reply_common(const char *inbuf, char *outbuf) > void chain_reply(struct smb_request *req) > { > static char *orig_inbuf; >+ static int orig_size; > > /* > * Dirty little const_discard: We mess with req->inbuf, which is >@@ -1679,13 +1680,24 @@ void chain_reply(struct smb_request *req) > if (chain_size == 0) { > /* this is the first part of the chain */ > orig_inbuf = inbuf; >+ orig_size = size; > } > >+ /* Validate smb_off2 */ >+ if ((smb_off2 < smb_wct - 4) || orig_size < (smb_off2 + 4 - smb_wct)) { >+ exit_server_cleanly("Bad chained packet"); >+ return; >+ } > /* > * We need to save the output the caller added to the chain so that we > * can splice it into the final output buffer later. > */ > >+ if (outsize <= smb_wct) { >+ exit_server_cleanly("Bad chained packet"); >+ return; >+ } >+ > caller_outputlen = outsize - smb_wct; > > caller_output = (char *)memdup(outbuf + smb_wct, caller_outputlen);
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=5762">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Actions:
View
Attachments on
bug 7494
: 5762 |
5765