Bug 8686 – Packet validation checks can be done before length validation causing uninitialized memory read.

Bug 8686 - Packet validation checks can be done before length validation causing uninitialized memory read.


Summary:	Packet validation checks can be done before length validation causing uniniti...

Status:	RESOLVED FIXED

Product:	Samba 3.6
Classification:	Unclassified
Component:	File services
Version:	3.6.1
Hardware:	All All

Importance:	P5 normal
Target Milestone:	---
Assigned To:	Karolin Seeger
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:	8595
	Show dependency tree / graph

Reported:	2012-01-04 00:57 UTC by Jeremy Allison
Modified:	2012-01-10 19:59 UTC (History)
CC List:	1 user (show)

See Also:

Attachments
git-am fix for 3.6.x and 3.5.x. (1.00 KB, patch) 2012-01-04 19:11 UTC, Jeremy Allison	vl: review+	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Jeremy Allison 2012-01-04 00:57:32 UTC

Found by Volker. Could possibly cause smbd to crash, nothing more. Patch submitted to master, once it's gone through I'll attach here for 3.5.next and 3.6.next.

Jeremy.

Comment 1 Jeremy Allison 2012-01-04 19:11:22 UTC

Created attachment 7226 [details]
git-am fix for 3.6.x and 3.5.x.

Comment 2 Volker Lendecke 2012-01-05 08:08:04 UTC

Comment on attachment 7226 [details]
git-am fix for 3.6.x and 3.5.x.

Further testing showed that we don't even get here with short packets, because init_smb_request() does a similar check and fails. But still this is a confusing piece of code that IMHO is worth fixing.

Comment 3 Karolin Seeger 2012-01-08 20:01:42 UTC

Please confirm that I can push the patches.

Thanks,
Karolin

Comment 4 Jeremy Allison 2012-01-09 18:20:43 UTC

Yes, please push these patches.

Thanks !

Jeremy.

Comment 5 Karolin Seeger 2012-01-10 19:59:25 UTC

Pushed to both branches.
Closing out bug report.

Thanks!