The Samba-Bugzilla – Attachment 5952 Details for
Bug 7669
buffer overflow in sid_parse() in Samba3 and dom_sid_parse in Samba4; CVE-2010-3069
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
CVE-2010-3069 patch Samba 3.2
samba-3-2-x.patch (text/plain), 2.62 KB, created by
Lars Müller
on 2010-09-09 05:18:11 UTC
(
hide
)
Description:
CVE-2010-3069 patch Samba 3.2
Filename:
MIME Type:
Creator:
Lars Müller
Created:
2010-09-09 05:18:11 UTC
Size:
2.62 KB
patch
obsolete
>diff --git a/source/lib/util_sid.c b/source/lib/util_sid.c >index f656bb1..aa49b86 100644 >--- a/source/lib/util_sid.c >+++ b/source/lib/util_sid.c >@@ -408,6 +408,9 @@ bool sid_parse(const char *inbuf, size_t len, DOM_SID *sid) > > sid->sid_rev_num = CVAL(inbuf, 0); > sid->num_auths = CVAL(inbuf, 1); >+ if (sid->num_auths > MAXSUBAUTHS) { >+ return false; >+ } > memcpy(sid->id_auth, inbuf+2, 6); > if (len < 8 + sid->num_auths*4) > return False; >diff --git a/source/libads/ldap.c b/source/libads/ldap.c >index d8a1178..c3192c1 100644 >--- a/source/libads/ldap.c >+++ b/source/libads/ldap.c >@@ -1942,7 +1942,9 @@ static void dump_sid(ADS_STRUCT *ads, const char *field, struct berval **values) > for (i=0; values[i]; i++) { > DOM_SID sid; > fstring tmp; >- sid_parse(values[i]->bv_val, values[i]->bv_len, &sid); >+ if (!sid_parse(values[i]->bv_val, values[i]->bv_len, &sid)) { >+ continue; >+ } > printf("%s: %s\n", field, sid_to_fstring(tmp, &sid)); > } > } >diff --git a/source/libsmb/cliquota.c b/source/libsmb/cliquota.c >index f369d28..08c66cf 100644 >--- a/source/libsmb/cliquota.c >+++ b/source/libsmb/cliquota.c >@@ -117,7 +117,9 @@ static bool parse_user_quota_record(const char *rdata, unsigned int rdata_count, > } > #endif /* LARGE_SMB_OFF_T */ > >- sid_parse(rdata+40,sid_len,&qt.sid); >+ if (!sid_parse(rdata+40,sid_len,&qt.sid)) { >+ return False; >+ } > > qt.qtype = SMB_USER_QUOTA_TYPE; > >diff --git a/source/smbd/nttrans.c b/source/smbd/nttrans.c >index 920b0ec..94dadfc 100644 >--- a/source/smbd/nttrans.c >+++ b/source/smbd/nttrans.c >@@ -1990,7 +1990,11 @@ static void call_nt_transact_ioctl(connection_struct *conn, > /* unknown 4 bytes: this is not the length of the sid :-( */ > /*unknown = IVAL(pdata,0);*/ > >- sid_parse(pdata+4,sid_len,&sid); >+ if (!sid_parse(pdata+4,sid_len,&sid)) { >+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER); >+ return; >+ } >+ > DEBUGADD(10, ("for SID: %s\n", sid_string_dbg(&sid))); > > if (!sid_to_uid(&sid, &uid)) { >@@ -2245,7 +2249,10 @@ static void call_nt_transact_get_user_quota(connection_struct *conn, > break; > } > >- sid_parse(pdata+8,sid_len,&sid); >+ if (!sid_parse(pdata+8,sid_len,&sid)) { >+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER); >+ return; >+ } > > if (vfs_get_ntquota(fsp, SMB_USER_QUOTA_TYPE, &sid, &qt)!=0) { > ZERO_STRUCT(qt); >@@ -2425,7 +2432,11 @@ static void call_nt_transact_set_user_quota(connection_struct *conn, > } > #endif /* LARGE_SMB_OFF_T */ > >- sid_parse(pdata+40,sid_len,&sid); >+ if (!sid_parse(pdata+40,sid_len,&sid)) { >+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER); >+ return; >+ } >+ > DEBUGADD(8,("SID: %s\n", sid_string_dbg(&sid))); > > /* 44 unknown bytes left... */
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Actions:
View
Attachments on
bug 7669
:
5951
| 5952 |
5953
|
5954
|
5955