Bug 8686 - Packet validation checks can be done before length validation causing uninitialized memory read.
Packet validation checks can be done before length validation causing uniniti...
Status: RESOLVED FIXED
Product: Samba 3.6
Classification: Unclassified
Component: File services
3.6.1
All All
: P5 normal
: ---
Assigned To: Karolin Seeger
Samba QA Contact
:
Depends on:
Blocks: 8595
  Show dependency treegraph
 
Reported: 2012-01-04 00:57 UTC by Jeremy Allison
Modified: 2012-01-10 19:59 UTC (History)
1 user (show)

See Also:


Attachments
git-am fix for 3.6.x and 3.5.x. (1.00 KB, patch)
2012-01-04 19:11 UTC, Jeremy Allison
vl: review+
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Jeremy Allison 2012-01-04 00:57:32 UTC
Found by Volker. Could possibly cause smbd to crash, nothing more. Patch submitted to master, once it's gone through I'll attach here for 3.5.next and 3.6.next.

Jeremy.
Comment 1 Jeremy Allison 2012-01-04 19:11:22 UTC
Created attachment 7226 [details]
git-am fix for 3.6.x and 3.5.x.
Comment 2 Volker Lendecke 2012-01-05 08:08:04 UTC
Comment on attachment 7226 [details]
git-am fix for 3.6.x and 3.5.x.

Further testing showed that we don't even get here with short packets, because init_smb_request() does a similar check and fails. But still this is a confusing piece of code that IMHO is worth fixing.
Comment 3 Karolin Seeger 2012-01-08 20:01:42 UTC
Please confirm that I can push the patches.

Thanks,
Karolin
Comment 4 Jeremy Allison 2012-01-09 18:20:43 UTC
Yes, please push these patches.

Thanks !

Jeremy.
Comment 5 Karolin Seeger 2012-01-10 19:59:25 UTC
Pushed to both branches.
Closing out bug report.

Thanks!