Bug 8686 - Packet validation checks can be done before length validation causing uninitialized memory read.
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.6
Classification: Unclassified
Component: File services
Version: 3.6.1
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks: 8595
Reported: 2012-01-04 00:57 UTC by Jeremy Allison
Modified: 2012-01-10 19:59 UTC

See Also:


Attachments
git-am fix for 3.6.x and 3.5.x. (1.00 KB, patch)
2012-01-04 19:11 UTC, Jeremy Allison
vl: review+

Description Jeremy Allison 2012-01-04 00:57:32 UTC
Found by Volker. Could possibly cause smbd to crash, nothing more. Patch submitted to master, once it's gone through I'll attach here for 3.5.next and 3.6.next.

Jeremy.
Comment 1 Jeremy Allison 2012-01-04 19:11:22 UTC
Created attachment 7226
git-am fix for 3.6.x and 3.5.x.
Comment 2 Volker Lendecke 2012-01-05 08:08:04 UTC
Comment on attachment 7226
git-am fix for 3.6.x and 3.5.x.

Further testing showed that we don't even get here with short packets, because init_smb_request() does a similar check and fails. But still this is a confusing piece of code that IMHO is worth fixing.
Comment 3 Karolin Seeger 2012-01-08 20:01:42 UTC
Please confirm that I can push the patches.

Thanks,
Karolin
Comment 4 Jeremy Allison 2012-01-09 18:20:43 UTC
Yes, please push these patches.

Thanks !

Jeremy.
Comment 5 Karolin Seeger 2012-01-10 19:59:25 UTC
Pushed to both branches.
Closing out bug report.

Thanks!
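
The ordering problem named in the bug title, as an added example that is not Samba's code and not the patch in attachment 7226: when a content check runs before the length check, the verdict for a short packet depends on bytes the peer never sent. The struct, function names and the 2-byte sample packet are hypothetical and constructed; only the 32-byte SMB1 header size and the `0xFF 'S' 'M' 'B'` magic are protocol facts.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SMB_HDR_LEN 32   /* size of the fixed SMB1 header */
static const uint8_t SMB_MAGIC[4] = { 0xFF, 'S', 'M', 'B' };

enum verdict { PKT_OK, PKT_TOO_SHORT, PKT_BAD_MAGIC };

/* Hypothetical receive buffer: only the first 'len' bytes came from the peer. */
struct rx_buf { uint8_t data[64]; size_t len; };

/* Wrong order: the content check runs before the length check. */
enum verdict checks_before_length(const struct rx_buf *b)
{
    if (memcmp(b->data, SMB_MAGIC, 4) != 0)   /* may read beyond b->len */
        return PKT_BAD_MAGIC;
    if (b->len < SMB_HDR_LEN)
        return PKT_TOO_SHORT;
    return PKT_OK;
}

/* Fixed order: no header byte is inspected until the length is known. */
enum verdict length_before_checks(const struct rx_buf *b)
{
    if (b->len < SMB_HDR_LEN)
        return PKT_TOO_SHORT;
    if (memcmp(b->data, SMB_MAGIC, 4) != 0)
        return PKT_BAD_MAGIC;
    return PKT_OK;
}

/* Constructed input: a 2-byte packet written over leftover bytes 'prev',
 * which stand in for uninitialized memory (initialized here to stay defined). */
struct rx_buf short_packet_over(const uint8_t prev[4])
{
    struct rx_buf b;
    memset(b.data, 0, sizeof b.data);
    memcpy(b.data, prev, 4);
    b.data[0] = 0xFF; b.data[1] = 'S';
    b.len = 2;
    return b;
}

int main(void)
{
    struct rx_buf b = short_packet_over(SMB_MAGIC);
    return length_before_checks(&b) == PKT_TOO_SHORT ? 0 : 1;
}
```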