[Pkg-samba-maint] [samba] 03/04: add patch for CVE-2014-3493
Ivo De Decker
ivodd at moszumanska.debian.org
Mon Jun 23 16:04:27 UTC 2014
This is an automated email from the git hooks/post-receive script.
ivodd pushed a commit to branch wheezy
in repository samba.
commit cf32a23bf29db980804ee94722f3039d6ec4f3d8
Author: Ivo De Decker <ivo.dedecker at ugent.be>
Date: Sun Jun 22 00:15:20 2014 +0200
add patch for CVE-2014-3493
smbd denial of service: server crash/memory corruption
---
debian/changelog | 1 +
debian/patches/security-CVE-2014-3493.patch | 104 ++++++++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 106 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 8a17733..8e72d1d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,6 +4,7 @@ samba (2:3.6.6-6+deb7u4) UNRELEASED; urgency=high
* CVE-2014-0178: Uninitialized memory exposure when handling shadow_copy
data
* CVE-2014-0244: nmbd denial of service
+ * CVE-2014-3493: smbd denial of service: server crash/memory corruption
-- Ivo De Decker <ivo.dedecker at ugent.be> Sun, 22 Jun 2014 00:00:38 +0200
diff --git a/debian/patches/security-CVE-2014-3493.patch b/debian/patches/security-CVE-2014-3493.patch
new file mode 100644
index 0000000..acfb91b
--- /dev/null
+++ b/debian/patches/security-CVE-2014-3493.patch
@@ -0,0 +1,104 @@
+From 70199b99aa90d2da82c5200b3b0452ac0e28bf0c Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra at samba.org>
+Date: Wed, 11 Jun 2014 13:22:14 -0700
+Subject: [PATCH] s3: smbd - fix processing of packets with invalid DOS charset
+ conversions.
+
+Bug 10654 - Segmentation fault in smbd_marshall_dir_entry()'s SMB_FIND_FILE_UNIX handler
+
+https://bugzilla.samba.org/show_bug.cgi?id=10654
+
+Signed-off-by: Jeremy Allison <jra at samba.org>
+---
+ source3/lib/charcnv.c | 16 ++++++++++------
+ source3/libsmb/clirap.c | 4 ++--
+ source3/smbd/lanman.c | 4 ++--
+ 3 files changed, 14 insertions(+), 10 deletions(-)
+
+diff --git a/source3/lib/charcnv.c b/source3/lib/charcnv.c
+index d3f65ca..d8cd2a5 100644
+--- a/source3/lib/charcnv.c
++++ b/source3/lib/charcnv.c
+@@ -822,7 +822,7 @@ size_t ucs2_align(const void *base_ptr, const void *p, int flags)
+ **/
+ size_t push_ascii(void *dest, const char *src, size_t dest_len, int flags)
+ {
+- size_t src_len = strlen(src);
++ size_t src_len = 0;
+ char *tmpbuf = NULL;
+ size_t ret;
+
+@@ -840,17 +840,21 @@ size_t push_ascii(void *dest, const char *src, size_t dest_len, int flags)
+ src = tmpbuf;
+ }
+
++ src_len = strlen(src);
+ if (flags & (STR_TERMINATE | STR_TERMINATE_ASCII)) {
+ src_len++;
+ }
+
+ ret = convert_string(CH_UNIX, CH_DOS, src, src_len, dest, dest_len, True);
+- if (ret == (size_t)-1 &&
+- (flags & (STR_TERMINATE | STR_TERMINATE_ASCII))
+- && dest_len > 0) {
+- ((char *)dest)[0] = '\0';
+- }
++
+ SAFE_FREE(tmpbuf);
++ if (ret == (size_t)-1) {
++ if ((flags & (STR_TERMINATE | STR_TERMINATE_ASCII))
++ && dest_len > 0) {
++ ((char *)dest)[0] = '\0';
++ }
++ return 0;
++ }
+ return ret;
+ }
+
+diff --git a/source3/libsmb/clirap.c b/source3/libsmb/clirap.c
+index d39d38e..31c4cfe 100644
+--- a/source3/libsmb/clirap.c
++++ b/source3/libsmb/clirap.c
+@@ -319,7 +319,7 @@ bool cli_NetServerEnum(struct cli_state *cli, char *workgroup, uint32 stype,
+ sizeof(param) - PTR_DIFF(p,param) - 1,
+ STR_TERMINATE|STR_UPPER);
+
+- if (len == (size_t)-1) {
++ if (len == 0) {
+ SAFE_FREE(last_entry);
+ return false;
+ }
+@@ -331,7 +331,7 @@ bool cli_NetServerEnum(struct cli_state *cli, char *workgroup, uint32 stype,
+ sizeof(param) - PTR_DIFF(p,param) - 1,
+ STR_TERMINATE);
+
+- if (len == (size_t)-1) {
++ if (len == 0) {
+ SAFE_FREE(last_entry);
+ return false;
+ }
+diff --git a/source3/smbd/lanman.c b/source3/smbd/lanman.c
+index aef12df..724b869 100644
+--- a/source3/smbd/lanman.c
++++ b/source3/smbd/lanman.c
+@@ -128,7 +128,7 @@ static int CopyExpanded(connection_struct *conn,
+ return 0;
+ }
+ l = push_ascii(*dst,buf,*p_space_remaining, STR_TERMINATE);
+- if (l == -1) {
++ if (l == 0) {
+ return 0;
+ }
+ (*dst) += l;
+@@ -143,7 +143,7 @@ static int CopyAndAdvance(char **dst, char *src, int *n)
+ return 0;
+ }
+ l = push_ascii(*dst,src,*n, STR_TERMINATE);
+- if (l == -1) {
++ if (l == 0) {
+ return 0;
+ }
+ (*dst) += l;
+--
+2.0.0.526.g5318336
+
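Review bot: In the new failure path of push_ascii(), the return value 0 is only distinguishable from success when STR_TERMINATE or STR_TERMINATE_ASCII is set; without a terminate flag an empty src would presumably also report 0 bytes converted. The four call sites updated in clirap.c and lanman.c all pass STR_TERMINATE, but any push_ascii() caller outside this patch that still compares against `(size_t)-1` or `-1` will now treat a failed conversion as a zero-length success, so the remaining callers should be audited alongside this change. The doc comment that closes just above the function (the `**/` context line) should record the new contract, for example `Returns the number of bytes written to dest, or 0 if the conversion failed; callers must not advance dest on 0.` The function body between the two charcnv.c hunks is not shown, so whether an earlier return there still yields `(size_t)-1` cannot be confirmed from this page.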
diff --git a/debian/patches/series b/debian/patches/series
index b4a50c5..819175b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -31,3 +31,4 @@ security-CVE-2012-6150.patch
security-CVE-2013-4496.patch
security-CVE-2014-0178.patch
security-CVE-2014-0244.patch
+security-CVE-2014-3493.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-samba/samba.git