The Samba-Bugzilla – Attachment 5951 Details for
Bug 7669
buffer overflow in sid_parse() in Samba3 and dom_sid_parse in Samba4; CVE-2010-3069
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
CVE-2010-3069 patch Samba 3.0
samba-3-0-x.patch (text/plain), 2.60 KB, created by
Lars Müller
on 2010-09-09 05:17:47 UTC
(
hide
)
Description:
CVE-2010-3069 patch Samba 3.0
Filename:
MIME Type:
Creator:
Lars Müller
Created:
2010-09-09 05:17:47 UTC
Size:
2.60 KB
patch
obsolete
>diff --git a/source/lib/util_sid.c b/source/lib/util_sid.c >index 032be9a..2c5a0c7 100644 >--- a/source/lib/util_sid.c >+++ b/source/lib/util_sid.c >@@ -403,6 +403,9 @@ BOOL sid_parse(const char *inbuf, size_t len, DOM_SID *sid) > > sid->sid_rev_num = CVAL(inbuf, 0); > sid->num_auths = CVAL(inbuf, 1); >+ if (sid->num_auths > MAXSUBAUTHS) { >+ return false; >+ } > memcpy(sid->id_auth, inbuf+2, 6); > if (len < 8 + sid->num_auths*4) > return False; >diff --git a/source/libads/ldap.c b/source/libads/ldap.c >index 7479894..eebc0fd 100644 >--- a/source/libads/ldap.c >+++ b/source/libads/ldap.c >@@ -1771,7 +1771,9 @@ static void dump_sid(const char *field, struct berval **values) > int i; > for (i=0; values[i]; i++) { > DOM_SID sid; >- sid_parse(values[i]->bv_val, values[i]->bv_len, &sid); >+ if (!sid_parse(values[i]->bv_val, values[i]->bv_len, &sid)) { >+ return; >+ } > printf("%s: %s\n", field, sid_string_static(&sid)); > } > } >diff --git a/source/libsmb/cliquota.c b/source/libsmb/cliquota.c >index 2a47ae2..5721b67 100644 >--- a/source/libsmb/cliquota.c >+++ b/source/libsmb/cliquota.c >@@ -117,7 +117,9 @@ static BOOL parse_user_quota_record(const char *rdata, unsigned int rdata_count, > } > #endif /* LARGE_SMB_OFF_T */ > >- sid_parse(rdata+40,sid_len,&qt.sid); >+ if (!sid_parse(rdata+40,sid_len,&qt.sid)) { >+ return False; >+ } > > qt.qtype = SMB_USER_QUOTA_TYPE; > >diff --git a/source/smbd/nttrans.c b/source/smbd/nttrans.c >index 2b9d5da..60bab7e 100644 >--- a/source/smbd/nttrans.c >+++ b/source/smbd/nttrans.c >@@ -2424,7 +2424,10 @@ static int call_nt_transact_ioctl(connection_struct *conn, char *inbuf, char *ou > /* unknown 4 bytes: this is not the length of the sid :-( */ > /*unknown = IVAL(pdata,0);*/ > >- sid_parse(pdata+4,sid_len,&sid); >+ if (!sid_parse(pdata+4,sid_len,&sid)) { >+ return ERROR_NT(NT_STATUS_INVALID_PARAMETER); >+ } >+ > DEBUGADD(10,("for SID: %s\n",sid_string_static(&sid))); > > if (!sid_to_uid(&sid, &uid)) { >@@ -2662,7 +2665,9 @@ static int call_nt_transact_get_user_quota(connection_struct *conn, char *inbuf, > break; > } > >- sid_parse(pdata+8,sid_len,&sid); >+ if (!sid_parse(pdata+8,sid_len,&sid)) { >+ return ERROR_NT(NT_STATUS_INVALID_PARAMETER); >+ } > > if (vfs_get_ntquota(fsp, SMB_USER_QUOTA_TYPE, &sid, &qt)!=0) { > ZERO_STRUCT(qt); >@@ -2828,7 +2833,9 @@ static int call_nt_transact_set_user_quota(connection_struct *conn, char *inbuf, > } > #endif /* LARGE_SMB_OFF_T */ > >- sid_parse(pdata+40,sid_len,&sid); >+ if (!sid_parse(pdata+40,sid_len,&sid)) { >+ return ERROR_NT(NT_STATUS_INVALID_PARAMETER); >+ } > DEBUGADD(8,("SID: %s\n",sid_string_static(&sid))); > > /* 44 unknown bytes left... */
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Actions:
View
Attachments on
bug 7669
: 5951 |
5952
|
5953
|
5954
|
5955