author | Jeremy Allison <jra@samba.org> | 2010-09-09 15:43:07 +0200 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2010-09-15 21:02:03 +0200 |
commit | 0c8ba5758a9c6f720260bd3bcbbb013936baa367 (patch) | |
tree | b10366355a2a1a5181448739f4871bc5dd613071 /source/smbd/nttrans.c | |
parent | 237fc6b80f4b281451e1c949018d92790f817f1f (diff) | |
Fix bug #7669.
Fix bug #7669 (buffer overflow in sid_parse() in Samba3 and dom_sid_parse in
Samba4).
CVE-2010-3069:
===========
Description
===========
All current released versions of Samba are vulnerable to
a buffer overrun vulnerability. The sid_parse() function
(and related dom_sid_parse() function in the source4 code)
do not correctly check their input lengths when reading a
binary representation of a Windows SID (Security ID). This
allows a malicious client to send a sid that can overflow
the stack variable that is being used to store the SID in the
Samba smbd server.
A connection to a file share is needed to exploit this
vulnerability, either authenticated or unauthenticated
(guest connection).
(cherry picked from commit df1c76e2275068d1006e82a4a21d42b58175268b)
Diffstat (limited to 'source/smbd/nttrans.c')
-rw-r--r-- | source/smbd/nttrans.c | 17 |
1 files changed, 14 insertions, 3 deletions
diff --git a/source/smbd/nttrans.c b/source/smbd/nttrans.c
index c392380b5ec..b610b1fd397 100644
--- a/source/smbd/nttrans.c
+++ b/source/smbd/nttrans.c
@@ -1950,7 +1950,11 @@ static void call_nt_transact_ioctl(connection_struct *conn,
 /* unknown 4 bytes: this is not the length of the sid :-( */
 /*unknown = IVAL(pdata,0);*/
- sid_parse(pdata+4,sid_len,&sid);
+ if (!sid_parse(pdata+4,sid_len,&sid)) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return;
+ }
+
 DEBUGADD(10, ("for SID: %s\n", sid_string_dbg(&sid)));
 if (!sid_to_uid(&sid, &uid)) {
@@ -2206,7 +2210,10 @@ static void call_nt_transact_get_user_quota(connection_struct *conn,
 break;
 }
- sid_parse(pdata+8,sid_len,&sid);
+ if (!sid_parse(pdata+8,sid_len,&sid)) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return;
+ }
 if (vfs_get_ntquota(fsp, SMB_USER_QUOTA_TYPE, &sid, &qt)!=0) {
 ZERO_STRUCT(qt);
@@ -2387,7 +2394,11 @@ static void call_nt_transact_set_user_quota(connection_struct *conn,
 }
 #endif /* LARGE_SMB_OFF_T */
- sid_parse(pdata+40,sid_len,&sid);
+ if (!sid_parse(pdata+40,sid_len,&sid)) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return;
+ }
+
 DEBUGADD(8,("SID: %s\n", sid_string_dbg(&sid)));
 /* 44 unknown bytes left... */
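Review bot: Honoring sid_parse()'s return value only helps if sid_parse() rejects an oversized SID before it writes into the fixed-size stack variable the commit message describes, and that bound has to live in sid_parse() itself, which this diffstat (limited to nttrans.c) does not show; the same applies to the call_nt_transact_get_user_quota and call_nt_transact_set_user_quota hunks. It is also not visible in any of the three hunks whether `sid_len` has already been bounded against the request's data length before `pdata+4`, `pdata+8` and `pdata+40` are handed to sid_parse(), so that should be confirmed earlier in each function. A rejected SID is a malformed request from a connected client and deserves a log line for detection; a one-liner before each new `return;` such as `DEBUG(3, ("call_nt_transact_ioctl: rejecting request with malformed SID\n"));` (with the matching function name in the other two hunks) would do. All three enclosing functions start and end outside their hunks.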