[Pkg-samba-maint] r1579 - in branches/samba/sarge/debian: . patches
vorlon at alioth.debian.org
vorlon at alioth.debian.org
Sat Nov 17 08:31:23 UTC 2007
Author: vorlon
Date: 2007-11-17 08:31:23 +0000 (Sat, 17 Nov 2007)
New Revision: 1579
Added:
branches/samba/sarge/debian/patches/security-CVE-2007-4572_part2.patch
Modified:
branches/samba/sarge/debian/changelog
Log:
fix a regression introduced by the previous build that broke smbfs clients.
Modified: branches/samba/sarge/debian/changelog
===================================================================
--- branches/samba/sarge/debian/changelog 2007-11-17 07:48:00 UTC (rev 1578)
+++ branches/samba/sarge/debian/changelog 2007-11-17 08:31:23 UTC (rev 1579)
@@ -1,3 +1,10 @@
+samba (3.0.14a-3sarge8) oldstable-security; urgency=high
+
+ * debian/patches/security-CVE-2007-4572_part2.patch: fix a regression
+ introduced by the previous build that broke smbfs clients.
+
+ -- Steve Langasek <vorlon at debian.org> Fri, 16 Nov 2007 18:55:50 -0800
+
samba (3.0.14a-3sarge7) oldstable-security; urgency=low
* Fix a remote code execution vulnerability when running nmbd as a
Added: branches/samba/sarge/debian/patches/security-CVE-2007-4572_part2.patch
===================================================================
--- branches/samba/sarge/debian/patches/security-CVE-2007-4572_part2.patch (rev 0)
+++ branches/samba/sarge/debian/patches/security-CVE-2007-4572_part2.patch 2007-11-17 08:31:23 UTC (rev 1579)
@@ -0,0 +1,228 @@
+Index: samba-3.0.24/source/smbd/negprot.c
+===================================================================
+--- samba-3.0.24.orig/source/smbd/negprot.c
++++ samba-3.0.24/source/smbd/negprot.c
+@@ -322,7 +322,7 @@
+ SSVALS(outbuf,smb_vwv16+1,8);
+ p += 8;
+ }
+- p += srvstr_push(outbuf, p, lp_workgroup(), -1,
++ p += srvstr_push(outbuf, p, lp_workgroup(), BUFFER_SIZE - (p-outbuf),
+ STR_UNICODE|STR_TERMINATE|STR_NOALIGN);
+ DEBUG(3,("not using SPNEGO\n"));
+ } else {
+Index: samba-3.0.24/source/smbd/reply.c
+===================================================================
+--- samba-3.0.24.orig/source/smbd/reply.c
++++ samba-3.0.24/source/smbd/reply.c
+@@ -425,7 +425,7 @@
+ if (Protocol < PROTOCOL_NT1) {
+ set_message(outbuf,2,0,True);
+ p = smb_buf(outbuf);
+- p += srvstr_push(outbuf, p, server_devicetype, -1,
++ p += srvstr_push(outbuf, p, server_devicetype, BUFFER_SIZE - (p - outbuf),
+ STR_TERMINATE|STR_ASCII);
+ set_message_end(outbuf,p);
+ } else {
+@@ -435,9 +435,9 @@
+ set_message(outbuf,3,0,True);
+
+ p = smb_buf(outbuf);
+- p += srvstr_push(outbuf, p, server_devicetype, -1,
++ p += srvstr_push(outbuf, p, server_devicetype, BUFFER_SIZE - (p - outbuf),
+ STR_TERMINATE|STR_ASCII);
+- p += srvstr_push(outbuf, p, fstype, -1,
++ p += srvstr_push(outbuf, p, fstype, BUFFER_SIZE - (p - outbuf),
+ STR_TERMINATE);
+
+ set_message_end(outbuf,p);
+@@ -1427,7 +1427,7 @@
+ thing in the byte section. JRA */
+ SSVALS(p, 0, -1); /* what is this? not in spec */
+ #endif
+- namelen = srvstr_push(outbuf, p, s, -1, STR_ASCII|STR_TERMINATE);
++ namelen = srvstr_push(outbuf, p, s, BUFFER_SIZE - (p - outbuf), STR_ASCII|STR_TERMINATE);
+ p += namelen;
+ outsize = set_message_end(outbuf, p);
+
+Index: samba-3.0.24/source/smbd/srvstr.c
+===================================================================
+--- samba-3.0.24.orig/source/smbd/srvstr.c
++++ samba-3.0.24/source/smbd/srvstr.c
+@@ -28,17 +28,10 @@
+ const char *base_ptr, void *dest,
+ const char *src, int dest_len, int flags)
+ {
+- size_t buf_used = PTR_DIFF(dest, base_ptr);
+- if (dest_len == -1) {
+- if (((ptrdiff_t)dest < (ptrdiff_t)base_ptr) || (buf_used > (size_t)max_send)) {
+-#if 0
+- DEBUG(0, ("Pushing string of 'unlimited' length into non-SMB buffer!\n"));
+-#endif
+- return push_string_fn(function, line, base_ptr, dest, src, -1, flags);
+- }
+- return push_string_fn(function, line, base_ptr, dest, src, max_send - buf_used, flags);
++ if (dest_len < 0) {
++ return 0;
+ }
+-
++
+ /* 'normal' push into size-specified buffer */
+ return push_string_fn(function, line, base_ptr, dest, src, dest_len, flags);
+ }
+Index: samba-3.0.24/source/smbd/trans2.c
+===================================================================
+--- samba-3.0.24.orig/source/smbd/trans2.c
++++ samba-3.0.24/source/smbd/trans2.c
+@@ -985,7 +985,7 @@
+ p += l1_achName;
+ nameptr = p;
+ p += align_string(outbuf, p, 0);
+- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE);
++ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE);
+ if (SVAL(outbuf, smb_flg2) & FLAGS2_UNICODE_STRINGS) {
+ if (len > 2) {
+ SCVAL(nameptr, -1, len - 2);
+@@ -1020,7 +1020,7 @@
+ }
+ p += l2_achName;
+ nameptr = p - 1;
+- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE | STR_NOALIGN);
++ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE | STR_NOALIGN);
+ if (SVAL(outbuf, smb_flg2) & FLAGS2_UNICODE_STRINGS) {
+ if (len > 2) {
+ len -= 2;
+@@ -1074,7 +1074,7 @@
+ *(p+2) = 0;
+ }
+ p += 2 + 24;
+- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE_ASCII);
++ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE_ASCII);
+ SIVAL(q,0,len);
+ p += len;
+ len = PTR_DIFF(p, pdata);
+@@ -1094,7 +1094,7 @@
+ SOFF_T(p,0,file_size); p += 8;
+ SOFF_T(p,0,allocation_size); p += 8;
+ SIVAL(p,0,nt_extmode); p += 4;
+- len = srvstr_push(outbuf, p + 4, fname, -1, STR_TERMINATE_ASCII);
++ len = srvstr_push(outbuf, p + 4, fname, space_remaining - (p - pdata), STR_TERMINATE_ASCII);
+ SIVAL(p,0,len);
+ p += 4 + len;
+ len = PTR_DIFF(p, pdata);
+@@ -1120,7 +1120,7 @@
+ SIVAL(p,0,ea_size); /* Extended attributes */
+ p +=4;
+ }
+- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE_ASCII);
++ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE_ASCII);
+ SIVAL(q, 0, len);
+ p += len;
+
+@@ -1137,7 +1137,7 @@
+ p += 4;
+ /* this must *not* be null terminated or w2k gets in a loop trying to set an
+ acl on a dir (tridge) */
+- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE_ASCII);
++ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE_ASCII);
+ SIVAL(p, -4, len);
+ p += len;
+ len = PTR_DIFF(p, pdata);
+@@ -1166,7 +1166,7 @@
+ SIVAL(p,0,0); p += 4; /* Unknown - reserved ? */
+ SIVAL(p,0,sbuf.st_dev); p += 4;
+ SIVAL(p,0,sbuf.st_ino); p += 4;
+- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE_ASCII);
++ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE_ASCII);
+ SIVAL(q, 0, len);
+ p += len;
+ len = PTR_DIFF(p, pdata);
+@@ -1213,7 +1213,7 @@
+ SSVAL(p,0,0); p += 2; /* Reserved ? */
+ SIVAL(p,0,sbuf.st_dev); p += 4;
+ SIVAL(p,0,sbuf.st_ino); p += 4;
+- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE_ASCII);
++ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE_ASCII);
+ SIVAL(q,0,len);
+ p += len;
+ len = PTR_DIFF(p, pdata);
+@@ -1271,7 +1271,7 @@
+ SIVAL(p,4,0);
+ p+= 8;
+
+- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE);
++ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE);
+ p += len;
+
+ len = PTR_DIFF(p, pdata);
+@@ -1830,7 +1830,7 @@
+ * the called hostname and the service name.
+ */
+ SIVAL(pdata,0,str_checksum(lp_servicename(snum)) ^ (str_checksum(get_local_machine_name())<<16) );
+- len = srvstr_push(outbuf, pdata+l2_vol_szVolLabel, vname, -1, STR_NOALIGN);
++ len = srvstr_push(outbuf, pdata+l2_vol_szVolLabel, vname, max_data_bytes - l2_vol_szVolLabel, STR_NOALIGN);
+ SCVAL(pdata,l2_vol_cch,len);
+ data_len = l2_vol_szVolLabel + len;
+ DEBUG(5,("call_trans2qfsinfo : time = %x, namelen = %d, name = %s\n",
+@@ -1852,14 +1852,14 @@
+ SIVAL(pdata,4,255); /* Max filename component length */
+ /* NOTE! the fstype must *not* be null terminated or win98 won't recognise it
+ and will think we can't do long filenames */
+- len = srvstr_push(outbuf, pdata+12, fstype, -1, STR_UNICODE);
++ len = srvstr_push(outbuf, pdata+12, fstype, max_data_bytes - 12, STR_UNICODE);
+ SIVAL(pdata,8,len);
+ data_len = 12 + len;
+ break;
+
+ case SMB_QUERY_FS_LABEL_INFO:
+ case SMB_FS_LABEL_INFORMATION:
+- len = srvstr_push(outbuf, pdata+4, vname, -1, 0);
++ len = srvstr_push(outbuf, pdata+4, vname, max_data_bytes - 4, 0);
+ data_len = 4 + len;
+ SIVAL(pdata,0,len);
+ break;
+@@ -1874,7 +1874,7 @@
+ SIVAL(pdata,8,str_checksum(lp_servicename(snum)) ^
+ (str_checksum(get_local_machine_name())<<16));
+
+- len = srvstr_push(outbuf, pdata+18, vname, -1, STR_UNICODE);
++ len = srvstr_push(outbuf, pdata+18, vname, max_data_bytes - 18, STR_UNICODE);
+ SIVAL(pdata,12,len);
+ data_len = 18+len;
+ DEBUG(5,("call_trans2qfsinfo : SMB_QUERY_FS_VOLUME_INFO namelen = %d, vol=%s serv=%s\n",
+@@ -2642,7 +2642,7 @@
+ if(!mangle_is_8_3(short_name, True)) {
+ mangle_map(short_name,True,True,SNUM(conn));
+ }
+- len = srvstr_push(outbuf, pdata+4, short_name, -1, STR_UNICODE);
++ len = srvstr_push(outbuf, pdata+4, short_name, max_data_bytes - 4, STR_UNICODE);
+ data_size = 4 + len;
+ SIVAL(pdata,0,len);
+ break;
+@@ -2652,7 +2652,7 @@
+ /*
+ this must be *exactly* right for ACLs on mapped drives to work
+ */
+- len = srvstr_push(outbuf, pdata+4, dos_fname, -1, STR_UNICODE);
++ len = srvstr_push(outbuf, pdata+4, dos_fname, max_data_bytes - 4, STR_UNICODE);
+ DEBUG(10,("call_trans2qfilepathinfo: SMB_QUERY_FILE_NAME_INFO\n"));
+ data_size = 4 + len;
+ SIVAL(pdata,0,len);
+@@ -2694,7 +2694,7 @@
+ pdata += 24;
+ SIVAL(pdata,0,ea_size);
+ pdata += 4; /* EA info */
+- len = srvstr_push(outbuf, pdata+4, dos_fname, -1, STR_UNICODE);
++ len = srvstr_push(outbuf, pdata+4, dos_fname, max_data_bytes - (pdata+4 - *ppdata), STR_UNICODE);
+ SIVAL(pdata,0,len);
+ pdata += 4 + len;
+ data_size = PTR_DIFF(pdata,(*ppdata));
+@@ -2883,7 +2883,7 @@
+ if (len == -1)
+ return(UNIXERROR(ERRDOS,ERRnoaccess));
+ buffer[len] = 0;
+- len = srvstr_push(outbuf, pdata, buffer, -1, STR_TERMINATE);
++ len = srvstr_push(outbuf, pdata, buffer, max_data_bytes, STR_TERMINATE);
+ pdata += len;
+ data_size = PTR_DIFF(pdata,(*ppdata));
+
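Review bot: In the added trans2.c hunk at `@@ -1094` the string is written at `p + 4` but the remaining size passed is computed from `p` (`space_remaining - (p - pdata)`), so srvstr_push is told it has 4 more bytes than actually remain after the 4-byte length field; the sibling call at `@@ -2694` already uses the `pdata+4 - *ppdata` form, so this one should read `len = srvstr_push(outbuf, p + 4, fname, space_remaining - (p + 4 - pdata), STR_TERMINATE_ASCII);`. Separately, the new `if (dest_len < 0) { return 0; }` in srvstr.c silently pushes nothing when a caller's computed remaining size has already gone negative, and every caller then continues with `len == 0` as if the write succeeded, which looks deliberate but is undocumented; a comment such as `/* caller has no room left: write nothing rather than overrun the buffer */` would make that intent clear. The callers pass `ptrdiff_t` differences into an `int dest_len`, which is fine at these buffer sizes but worth a note if the helper is ever reused for larger buffers. All of the inner hunks are fragments whose enclosing functions start and end outside the patch, including the srvstr.c function whose name line sits above `@@ -28`.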