authorJeremy Allison <jra@samba.org>2010-06-11 12:57:25 +0200
committerKarolin Seeger <kseeger@samba.org>2010-06-11 12:57:25 +0200
commit86ab436a0da958914f99dc8b7e88b10db4692d98 (patch)
treeee21cfffee6252b6315ec2b62e2b045fb0f6cd36
parent007f9c90e952aeea2d8f73cff3ccd0f747a9c06e (diff)
s3-smbd: Fix memory corruption vulnerability.
Fix bug #7494 (buffer overrun possible in chain_reply code in 3.3.x and below) and address CVE-2010-2063.
-rw-r--r--source/smbd/process.c12
1 files changed, 12 insertions, 0 deletions
diff --git a/source/smbd/process.c b/source/smbd/process.c
index 446b868de2f..403c7c65772 100644
--- a/source/smbd/process.c
+++ b/source/smbd/process.c
@@ -1645,6 +1645,7 @@ void construct_reply_common(const char *inbuf, char *outbuf)
void chain_reply(struct smb_request *req)
{
static char *orig_inbuf;
+ static int orig_size;
/*
* Dirty little const_discard: We mess with req->inbuf, which is
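Review bot: The new `static int orig_size;` has no comment saying what it records or when it is valid, even though its correctness depends on call ordering: it is assigned only on the first request of a chain (`orig_size = size;` under `chain_size == 0`) and then read on every later call to bound `smb_off2`. A one-line comment beside the declaration, `/* Length of the original inbuf, set on the first part of a chain; bounds smb_off2 validation for the following parts */`, would make that contract explicit for the next maintainer, matching the existing comment block on `orig_inbuf`. The body of chain_reply continues beyond this hunk, so the type of `size` and whether `int` is wide enough for it cannot be confirmed from here.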
@@ -1679,13 +1680,24 @@ void chain_reply(struct smb_request *req)
if (chain_size == 0) {
/* this is the first part of the chain */
orig_inbuf = inbuf;
+ orig_size = size;
}
+ /* Validate smb_off2 */
+ if ((smb_off2 < smb_wct - 4) || orig_size < (smb_off2 + 4 - smb_wct)) {
+ exit_server_cleanly("Bad chained packet");
+ return;
+ }
/*
* We need to save the output the caller added to the chain so that we
* can splice it into the final output buffer later.
*/
+ if (outsize <= smb_wct) {
+ exit_server_cleanly("Bad chained packet");
+ return;
+ }
+
caller_outputlen = outsize - smb_wct;
caller_output = (char *)memdup(outbuf + smb_wct, caller_outputlen);