The Samba-Bugzilla – Attachment 5953 Details for
Bug 7669
buffer overflow in sid_parse() in Samba3 and dom_sid_parse in Samba4; CVE-2010-3069
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
CVE-2010-3069 patch Samba 3.3
samba-3-3-x.patch (text/plain), 2.62 KB, created by
Lars Müller
on 2010-09-09 05:18:33 UTC
(
hide
)
Description:
CVE-2010-3069 patch Samba 3.3
Filename:
MIME Type:
Creator:
Lars Müller
Created:
2010-09-09 05:18:33 UTC
Size:
2.62 KB
patch
obsolete
>diff --git a/source/lib/util_sid.c b/source/lib/util_sid.c >index f656bb1..aa49b86 100644 >--- a/source/lib/util_sid.c >+++ b/source/lib/util_sid.c >@@ -408,6 +408,9 @@ bool sid_parse(const char *inbuf, size_t len, DOM_SID *sid) > > sid->sid_rev_num = CVAL(inbuf, 0); > sid->num_auths = CVAL(inbuf, 1); >+ if (sid->num_auths > MAXSUBAUTHS) { >+ return false; >+ } > memcpy(sid->id_auth, inbuf+2, 6); > if (len < 8 + sid->num_auths*4) > return False; >diff --git a/source/libads/ldap.c b/source/libads/ldap.c >index d9598e5..f426996 100644 >--- a/source/libads/ldap.c >+++ b/source/libads/ldap.c >@@ -2139,7 +2139,9 @@ static void dump_sid(ADS_STRUCT *ads, const char *field, struct berval **values) > for (i=0; values[i]; i++) { > DOM_SID sid; > fstring tmp; >- sid_parse(values[i]->bv_val, values[i]->bv_len, &sid); >+ if (!sid_parse(values[i]->bv_val, values[i]->bv_len, &sid)) { >+ continue; >+ } > printf("%s: %s\n", field, sid_to_fstring(tmp, &sid)); > } > } >diff --git a/source/libsmb/cliquota.c b/source/libsmb/cliquota.c >index dcdfec2..47739f0 100644 >--- a/source/libsmb/cliquota.c >+++ b/source/libsmb/cliquota.c >@@ -117,7 +117,9 @@ static bool parse_user_quota_record(const char *rdata, unsigned int rdata_count, > } > #endif /* LARGE_SMB_OFF_T */ > >- sid_parse(rdata+40,sid_len,&qt.sid); >+ if (!sid_parse(rdata+40,sid_len,&qt.sid)) { >+ return false; >+ } > > qt.qtype = SMB_USER_QUOTA_TYPE; > >diff --git a/source/smbd/nttrans.c b/source/smbd/nttrans.c >index c392380..b610b1f 100644 >--- a/source/smbd/nttrans.c >+++ b/source/smbd/nttrans.c >@@ -1950,7 +1950,11 @@ static void call_nt_transact_ioctl(connection_struct *conn, > /* unknown 4 bytes: this is not the length of the sid :-( */ > /*unknown = IVAL(pdata,0);*/ > >- sid_parse(pdata+4,sid_len,&sid); >+ if (!sid_parse(pdata+4,sid_len,&sid)) { >+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER); >+ return; >+ } >+ > DEBUGADD(10, ("for SID: %s\n", sid_string_dbg(&sid))); > > if (!sid_to_uid(&sid, &uid)) { >@@ -2206,7 +2210,10 @@ static void call_nt_transact_get_user_quota(connection_struct *conn, > break; > } > >- sid_parse(pdata+8,sid_len,&sid); >+ if (!sid_parse(pdata+8,sid_len,&sid)) { >+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER); >+ return; >+ } > > if (vfs_get_ntquota(fsp, SMB_USER_QUOTA_TYPE, &sid, &qt)!=0) { > ZERO_STRUCT(qt); >@@ -2387,7 +2394,11 @@ static void call_nt_transact_set_user_quota(connection_struct *conn, > } > #endif /* LARGE_SMB_OFF_T */ > >- sid_parse(pdata+40,sid_len,&sid); >+ if (!sid_parse(pdata+40,sid_len,&sid)) { >+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER); >+ return; >+ } >+ > DEBUGADD(8,("SID: %s\n", sid_string_dbg(&sid))); > > /* 44 unknown bytes left... */
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Actions:
View
Attachments on
bug 7669
:
5951
|
5952
| 5953 |
5954
|
5955