The Samba-Bugzilla – Attachment 5954 Details for
Bug 7669
buffer overflow in sid_parse() in Samba3 and dom_sid_parse in Samba4; CVE-2010-3069
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
CVE-2010-3069 patch Samba 3.4
samba-3-4-x.patch (text/plain), 3.50 KB, created by
Lars Müller
on 2010-09-09 05:18:59 UTC
(
hide
)
Description:
CVE-2010-3069 patch Samba 3.4
Filename:
MIME Type:
Creator:
Lars Müller
Created:
2010-09-09 05:18:59 UTC
Size:
3.50 KB
patch
obsolete
>diff --git a/libcli/security/dom_sid.c b/libcli/security/dom_sid.c >index 0c88900..350a14f 100644 >--- a/libcli/security/dom_sid.c >+++ b/libcli/security/dom_sid.c >@@ -117,6 +117,10 @@ bool dom_sid_parse(const char *sidstr, struct dom_sid *ret) > if (sidstr[i] == '-') num_sub_auths++; > } > >+ if (num_sub_auths > MAXSUBAUTHS) { >+ return false; >+ } >+ > ret->sid_rev_num = rev; > ret->id_auth[0] = 0; > ret->id_auth[1] = 0; >diff --git a/libcli/security/dom_sid.h b/libcli/security/dom_sid.h >index e892535..748e009 100644 >--- a/libcli/security/dom_sid.h >+++ b/libcli/security/dom_sid.h >@@ -40,5 +40,9 @@ bool dom_sid_in_domain(const struct dom_sid *domain_sid, > const struct dom_sid *sid); > char *dom_sid_string(TALLOC_CTX *mem_ctx, const struct dom_sid *sid); > >+#ifndef MAXSUBAUTHS >+#define MAXSUBAUTHS 15 /* max sub authorities in a SID */ >+#endif >+ > #endif /*_DOM_SID_H_*/ > >diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c >index 97284af..52e8448 100644 >--- a/source3/lib/util_sid.c >+++ b/source3/lib/util_sid.c >@@ -408,6 +408,9 @@ bool sid_parse(const char *inbuf, size_t len, DOM_SID *sid) > > sid->sid_rev_num = CVAL(inbuf, 0); > sid->num_auths = CVAL(inbuf, 1); >+ if (sid->num_auths > MAXSUBAUTHS) { >+ return false; >+ } > memcpy(sid->id_auth, inbuf+2, 6); > if (len < 8 + sid->num_auths*4) > return False; >diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c >index 1fb541d..08b8311 100644 >--- a/source3/libads/ldap.c >+++ b/source3/libads/ldap.c >@@ -2128,7 +2128,9 @@ static void dump_sid(ADS_STRUCT *ads, const char *field, struct berval **values) > for (i=0; values[i]; i++) { > DOM_SID sid; > fstring tmp; >- sid_parse(values[i]->bv_val, values[i]->bv_len, &sid); >+ if (!sid_parse(values[i]->bv_val, values[i]->bv_len, &sid)) { >+ continue; >+ } > printf("%s: %s\n", field, sid_to_fstring(tmp, &sid)); > } > } >diff --git a/source3/libsmb/cliquota.c b/source3/libsmb/cliquota.c >index e40dac3..2af5b22 100644 >--- a/source3/libsmb/cliquota.c >+++ b/source3/libsmb/cliquota.c >@@ -117,7 +117,9 @@ static bool parse_user_quota_record(const char *rdata, unsigned int rdata_count, > } > #endif /* LARGE_SMB_OFF_T */ > >- sid_parse(rdata+40,sid_len,&qt.sid); >+ if (!sid_parse(rdata+40,sid_len,&qt.sid)) { >+ return false; >+ } > > qt.qtype = SMB_USER_QUOTA_TYPE; > >diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c >index 4bfbcd1..2834f08 100644 >--- a/source3/smbd/nttrans.c >+++ b/source3/smbd/nttrans.c >@@ -2080,7 +2080,11 @@ static void call_nt_transact_ioctl(connection_struct *conn, > /* unknown 4 bytes: this is not the length of the sid :-( */ > /*unknown = IVAL(pdata,0);*/ > >- sid_parse(pdata+4,sid_len,&sid); >+ if (!sid_parse(pdata+4,sid_len,&sid)) { >+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER); >+ return; >+ } >+ > DEBUGADD(10, ("for SID: %s\n", sid_string_dbg(&sid))); > > if (!sid_to_uid(&sid, &uid)) { >@@ -2336,7 +2340,10 @@ static void call_nt_transact_get_user_quota(connection_struct *conn, > break; > } > >- sid_parse(pdata+8,sid_len,&sid); >+ if (!sid_parse(pdata+8,sid_len,&sid)) { >+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER); >+ return; >+ } > > if (vfs_get_ntquota(fsp, SMB_USER_QUOTA_TYPE, &sid, &qt)!=0) { > ZERO_STRUCT(qt); >@@ -2517,7 +2524,11 @@ static void call_nt_transact_set_user_quota(connection_struct *conn, > } > #endif /* LARGE_SMB_OFF_T */ > >- sid_parse(pdata+40,sid_len,&sid); >+ if (!sid_parse(pdata+40,sid_len,&sid)) { >+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER); >+ return; >+ } >+ > DEBUGADD(8,("SID: %s\n", sid_string_dbg(&sid))); > > /* 44 unknown bytes left... */
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Actions:
View
Attachments on
bug 7669
:
5951
|
5952
|
5953
| 5954 |
5955