[Pkg-samba-maint] r1577 - in branches/samba/etch/debian: . patches

vorlon at alioth.debian.org vorlon at alioth.debian.org
Sat Nov 17 07:37:00 UTC 2007


Author: vorlon
Date: 2007-11-17 07:37:00 +0000 (Sat, 17 Nov 2007)
New Revision: 1577

Added:
   branches/samba/etch/debian/patches/security-CVE-2007-4572_part2.patch
Modified:
   branches/samba/etch/debian/changelog
   branches/samba/etch/debian/patches/series
Log:
fix a regression introduced by the previous build that broke smbfs clients.



Modified: branches/samba/etch/debian/changelog
===================================================================
--- branches/samba/etch/debian/changelog	2007-11-15 21:57:56 UTC (rev 1576)
+++ branches/samba/etch/debian/changelog	2007-11-17 07:37:00 UTC (rev 1577)
@@ -1,3 +1,10 @@
+samba (3.0.24-6etch6) stable-security; urgency=high
+
+  * debian/patches/security-CVE-2007-4572_part2.patch: fix a regression
+    introduced by the previous build that broke smbfs clients.
+
+ -- Steve Langasek <vorlon at debian.org>  Fri, 16 Nov 2007 19:17:07 -0800
+
 samba (3.0.24-6etch5) stable-security; urgency=high
 
   * Fix a remote code execution vulnerability when running nmbd as a

Added: branches/samba/etch/debian/patches/security-CVE-2007-4572_part2.patch
===================================================================
--- branches/samba/etch/debian/patches/security-CVE-2007-4572_part2.patch	                        (rev 0)
+++ branches/samba/etch/debian/patches/security-CVE-2007-4572_part2.patch	2007-11-17 07:37:00 UTC (rev 1577)
@@ -0,0 +1,240 @@
+Index: samba-3.0.24/source/smbd/negprot.c
+===================================================================
+--- samba-3.0.24.orig/source/smbd/negprot.c
++++ samba-3.0.24/source/smbd/negprot.c
+@@ -345,7 +345,7 @@
+ 			SCVAL(outbuf,smb_vwv16+1,8);
+ 			p += 8;
+ 		}
+-		p += srvstr_push(outbuf, p, lp_workgroup(), -1, 
++		p += srvstr_push(outbuf, p, lp_workgroup(), BUFFER_SIZE - (p-outbuf), 
+ 				 STR_UNICODE|STR_TERMINATE|STR_NOALIGN);
+ 		DEBUG(3,("not using SPNEGO\n"));
+ 	} else {
+Index: samba-3.0.24/source/smbd/reply.c
+===================================================================
+--- samba-3.0.24.orig/source/smbd/reply.c
++++ samba-3.0.24/source/smbd/reply.c
+@@ -686,7 +686,7 @@
+ 	if (Protocol < PROTOCOL_NT1) {
+ 		set_message(outbuf,2,0,True);
+ 		p = smb_buf(outbuf);
+-		p += srvstr_push(outbuf, p, server_devicetype, -1, 
++		p += srvstr_push(outbuf, p, server_devicetype, BUFFER_SIZE - (p - outbuf),
+ 				 STR_TERMINATE|STR_ASCII);
+ 		set_message_end(outbuf,p);
+ 	} else {
+@@ -696,9 +696,9 @@
+ 		set_message(outbuf,3,0,True);
+ 
+ 		p = smb_buf(outbuf);
+-		p += srvstr_push(outbuf, p, server_devicetype, -1, 
++		p += srvstr_push(outbuf, p, server_devicetype, BUFFER_SIZE - (p - outbuf),
+ 				 STR_TERMINATE|STR_ASCII);
+-		p += srvstr_push(outbuf, p, fstype, -1, 
++		p += srvstr_push(outbuf, p, fstype, BUFFER_SIZE - (p - outbuf),
+ 				 STR_TERMINATE);
+ 		
+ 		set_message_end(outbuf,p);
+@@ -1794,7 +1794,7 @@
+ 	   thing in the byte section. JRA */
+ 	SSVALS(p, 0, -1); /* what is this? not in spec */
+ #endif
+-	namelen = srvstr_push(outbuf, p, s, -1, STR_ASCII|STR_TERMINATE);
++	namelen = srvstr_push(outbuf, p, s, BUFFER_SIZE - (p - outbuf), STR_ASCII|STR_TERMINATE);
+ 	p += namelen;
+ 	outsize = set_message_end(outbuf, p);
+ 
+Index: samba-3.0.24/source/smbd/srvstr.c
+===================================================================
+--- samba-3.0.24.orig/source/smbd/srvstr.c
++++ samba-3.0.24/source/smbd/srvstr.c
+@@ -28,17 +28,10 @@
+ 		      const char *base_ptr, void *dest, 
+ 		      const char *src, int dest_len, int flags)
+ {
+-	size_t buf_used = PTR_DIFF(dest, base_ptr);
+-	if (dest_len == -1) {
+-		if (((ptrdiff_t)dest < (ptrdiff_t)base_ptr) || (buf_used > (size_t)max_send)) {
+-#if 0
+-			DEBUG(0, ("Pushing string of 'unlimited' length into non-SMB buffer!\n"));
+-#endif
+-			return push_string_fn(function, line, base_ptr, dest, src, -1, flags);
+-		}
+-		return push_string_fn(function, line, base_ptr, dest, src, max_send - buf_used, flags);
++	if (dest_len < 0) {
++		return 0;
+ 	}
+-	
++
+ 	/* 'normal' push into size-specified buffer */
+ 	return push_string_fn(function, line, base_ptr, dest, src, dest_len, flags);
+ }
+Index: samba-3.0.24/source/smbd/trans2.c
+===================================================================
+--- samba-3.0.24.orig/source/smbd/trans2.c
++++ samba-3.0.24/source/smbd/trans2.c
+@@ -1225,7 +1225,7 @@
+ 			p += 23;
+ 			nameptr = p;
+ 			p += align_string(outbuf, p, 0);
+-			len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE);
++			len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE);
+ 			if (SVAL(outbuf, smb_flg2) & FLAGS2_UNICODE_STRINGS) {
+ 				if (len > 2) {
+ 					SCVAL(nameptr, -1, len - 2);
+@@ -1260,7 +1260,7 @@
+ 			}
+ 			p += 27;
+ 			nameptr = p - 1;
+-			len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE | STR_NOALIGN);
++			len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE | STR_NOALIGN);
+ 			if (SVAL(outbuf, smb_flg2) & FLAGS2_UNICODE_STRINGS) {
+ 				if (len > 2) {
+ 					len -= 2;
+@@ -1314,9 +1314,9 @@
+ 			}
+ 
+ 			/* Push the ea_data followed by the name. */
+-			p += fill_ea_buffer(ea_ctx, p, space_remaining, conn, name_list);
++			p += fill_ea_buffer(ea_ctx, p, space_remaining - (p - pdata), conn, name_list);
+ 			nameptr = p;
+-			len = srvstr_push(outbuf, p + 1, fname, -1, STR_TERMINATE | STR_NOALIGN);
++			len = srvstr_push(outbuf, p + 1, fname, space_remaining - (p - pdata), STR_TERMINATE | STR_NOALIGN);
+ 			if (SVAL(outbuf, smb_flg2) & FLAGS2_UNICODE_STRINGS) {
+ 				if (len > 2) {
+ 					len -= 2;
+@@ -1372,7 +1372,7 @@
+ 				memset(p,'\0',26);
+ 			}
+ 			p += 2 + 24;
+-			len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE_ASCII);
++			len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE_ASCII);
+ 			SIVAL(q,0,len);
+ 			p += len;
+ 			SIVAL(p,0,0); /* Ensure any padding is null. */
+@@ -1393,7 +1393,7 @@
+ 			SOFF_T(p,0,file_size); p += 8;
+ 			SOFF_T(p,0,allocation_size); p += 8;
+ 			SIVAL(p,0,nt_extmode); p += 4;
+-			len = srvstr_push(outbuf, p + 4, fname, -1, STR_TERMINATE_ASCII);
++			len = srvstr_push(outbuf, p + 4, fname, space_remaining - (p - pdata), STR_TERMINATE_ASCII);
+ 			SIVAL(p,0,len);
+ 			p += 4 + len;
+ 			SIVAL(p,0,0); /* Ensure any padding is null. */
+@@ -1420,7 +1420,7 @@
+ 				SIVAL(p,0,ea_size); /* Extended attributes */
+ 				p +=4;
+ 			}
+-			len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE_ASCII);
++			len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE_ASCII);
+ 			SIVAL(q, 0, len);
+ 			p += len;
+ 
+@@ -1438,7 +1438,7 @@
+ 			p += 4;
+ 			/* this must *not* be null terminated or w2k gets in a loop trying to set an
+ 			   acl on a dir (tridge) */
+-			len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE_ASCII);
++			len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE_ASCII);
+ 			SIVAL(p, -4, len);
+ 			p += len;
+ 			SIVAL(p,0,0); /* Ensure any padding is null. */
+@@ -1468,7 +1468,7 @@
+ 			SIVAL(p,0,0); p += 4; /* Unknown - reserved ? */
+ 			SIVAL(p,0,sbuf.st_ino); p += 4; /* FileIndexLow */
+ 			SIVAL(p,0,sbuf.st_dev); p += 4; /* FileIndexHigh */
+-			len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE_ASCII);
++			len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE_ASCII);
+ 			SIVAL(q, 0, len);
+ 			p += len; 
+ 			SIVAL(p,0,0); /* Ensure any padding is null. */
+@@ -1518,7 +1518,7 @@
+ 			SSVAL(p,0,0); p += 2; /* Reserved ? */
+ 			SIVAL(p,0,sbuf.st_ino); p += 4; /* FileIndexLow */
+ 			SIVAL(p,0,sbuf.st_dev); p += 4; /* FileIndexHigh */
+-			len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE_ASCII);
++			len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE_ASCII);
+ 			SIVAL(q,0,len);
+ 			p += len;
+ 			SIVAL(p,0,0); /* Ensure any padding is null. */
+@@ -1577,7 +1577,7 @@
+ 			SIVAL(p,4,0);
+ 			p+= 8;
+ 
+-			len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE);
++			len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE);
+ 			p += len;
+ 			SIVAL(p,0,0); /* Ensure any padding is null. */
+ 
+@@ -2229,7 +2229,7 @@
+ 			 * this call so try fixing this by adding a terminating null to
+ 			 * the pushed string. The change here was adding the STR_TERMINATE. JRA.
+ 			 */
+-			len = srvstr_push(outbuf, pdata+l2_vol_szVolLabel, vname, -1, STR_NOALIGN|STR_TERMINATE);
++			len = srvstr_push(outbuf, pdata+l2_vol_szVolLabel, vname, max_data_bytes - l2_vol_szVolLabel, STR_NOALIGN|STR_TERMINATE);
+ 			SCVAL(pdata,l2_vol_cch,len);
+ 			data_len = l2_vol_szVolLabel + len;
+ 			DEBUG(5,("call_trans2qfsinfo : time = %x, namelen = %d, name = %s\n",
+@@ -2251,14 +2251,14 @@
+ 			SIVAL(pdata,4,255); /* Max filename component length */
+ 			/* NOTE! the fstype must *not* be null terminated or win98 won't recognise it
+ 				and will think we can't do long filenames */
+-			len = srvstr_push(outbuf, pdata+12, fstype, -1, STR_UNICODE);
++			len = srvstr_push(outbuf, pdata+12, fstype, max_data_bytes - 12, STR_UNICODE);
+ 			SIVAL(pdata,8,len);
+ 			data_len = 12 + len;
+ 			break;
+ 
+ 		case SMB_QUERY_FS_LABEL_INFO:
+ 		case SMB_FS_LABEL_INFORMATION:
+-			len = srvstr_push(outbuf, pdata+4, vname, -1, 0);
++			len = srvstr_push(outbuf, pdata+4, vname, max_data_bytes - 4, 0);
+ 			data_len = 4 + len;
+ 			SIVAL(pdata,0,len);
+ 			break;
+@@ -2273,7 +2273,7 @@
+ 			SIVAL(pdata,8,str_checksum(lp_servicename(snum)) ^ 
+ 				(str_checksum(get_local_machine_name())<<16));
+ 
+-			len = srvstr_push(outbuf, pdata+18, vname, -1, STR_UNICODE);
++			len = srvstr_push(outbuf, pdata+18, vname, max_data_bytes - 18, STR_UNICODE);
+ 			SIVAL(pdata,12,len);
+ 			data_len = 18+len;
+ 			DEBUG(5,("call_trans2qfsinfo : SMB_QUERY_FS_VOLUME_INFO namelen = %d, vol=%s serv=%s\n", 
+@@ -3232,7 +3232,7 @@
+ 			if(!mangle_is_8_3(short_name, True, SNUM(conn))) {
+ 				mangle_map(short_name,True,True,SNUM(conn));
+ 			}
+-			len = srvstr_push(outbuf, pdata+4, short_name, -1, STR_UNICODE);
++			len = srvstr_push(outbuf, pdata+4, short_name, max_data_bytes - 4, STR_UNICODE);
+ 			data_size = 4 + len;
+ 			SIVAL(pdata,0,len);
+ 			break;
+@@ -3242,7 +3242,7 @@
+ 			/*
+ 			  this must be *exactly* right for ACLs on mapped drives to work
+ 			 */
+-			len = srvstr_push(outbuf, pdata+4, dos_fname, -1, STR_UNICODE);
++			len = srvstr_push(outbuf, pdata+4, dos_fname, max_data_bytes - 4, STR_UNICODE);
+ 			DEBUG(10,("call_trans2qfilepathinfo: SMB_QUERY_FILE_NAME_INFO\n"));
+ 			data_size = 4 + len;
+ 			SIVAL(pdata,0,len);
+@@ -3283,7 +3283,7 @@
+ 			pdata += 24;
+ 			SIVAL(pdata,0,ea_size);
+ 			pdata += 4; /* EA info */
+-			len = srvstr_push(outbuf, pdata+4, dos_fname, -1, STR_UNICODE);
++			len = srvstr_push(outbuf, pdata+4, dos_fname, max_data_bytes - (pdata+4 - *ppdata), STR_UNICODE);
+ 			SIVAL(pdata,0,len);
+ 			pdata += 4 + len;
+ 			data_size = PTR_DIFF(pdata,(*ppdata));
+@@ -3472,7 +3472,7 @@
+ 				if (len == -1)
+ 					return(UNIXERROR(ERRDOS,ERRnoaccess));
+ 				buffer[len] = 0;
+-				len = srvstr_push(outbuf, pdata, buffer, -1, STR_TERMINATE);
++				len = srvstr_push(outbuf, pdata, buffer, max_data_bytes, STR_TERMINATE);
+ 				pdata += len;
+ 				data_size = PTR_DIFF(pdata,(*ppdata));
+ 
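Review bot: In the trans2.c hunks at @@ -1314 and @@ -1393 the string is written at `p + 1` and `p + 4` respectively, but the bound passed is `space_remaining - (p - pdata)`, computed from `p`, so the available length is overstated by 1 and 4 bytes; they should read `space_remaining - (p + 1 - pdata)` and `space_remaining - (p + 4 - pdata)`. The same offset-versus-length mismatch is worth re-checking wherever the destination pointer differs from the one used in the subtraction (the @@ -3283 hunk does it correctly with `max_data_bytes - (pdata+4 - *ppdata)`). Separately, the new `if (dest_len < 0) return 0;` in srvstr.c reports a caller whose fixed-size fields have already overrun the buffer as a zero-length string with no diagnostic, and the trans2.c callers then store that 0 as the name length (`SIVAL(q,0,len)`) and carry on, producing a malformed reply silently; a `DEBUG(0, ("srvstr_push: negative dest_len %d\n", dest_len));` in that branch would make the condition visible in logs. The functions enclosing each of these hunks start and end outside the patch, so whether `space_remaining` is reduced elsewhere for the leading fixed fields cannot be confirmed from here.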

Modified: branches/samba/etch/debian/patches/series
===================================================================
--- branches/samba/etch/debian/patches/series	2007-11-15 21:57:56 UTC (rev 1576)
+++ branches/samba/etch/debian/patches/series	2007-11-17 07:37:00 UTC (rev 1577)
@@ -27,3 +27,4 @@
 security-CVE-2007-2446_domain-fix.patch
 security-CVE-2007-4572.patch
 security-CVE-2007-5398.patch
+security-CVE-2007-4572_part2.patch



