From df1c76e2275068d1006e82a4a21d42b58175268b Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 9 Sep 2010 15:43:07 +0200 Subject: Fix bug #7669. Fix bug #7669 (buffer overflow in sid_parse() in Samba3 and dom_sid_parse in Samba4). CVE-2010-3069: =========== Description =========== All current released versions of Samba are vulnerable to a buffer overrun vulnerability. The sid_parse() function (and related dom_sid_parse() function in the source4 code) do not correctly check their input lengths when reading a binary representation of a Windows SID (Security ID). This allows a malicious client to send a sid that can overflow the stack variable that is being used to store the SID in the Samba smbd server. A connection to a file share is needed to exploit this vulnerability, either authenticated or unauthenticated (guest connection). --- source/lib/util_sid.c | 3 +++ source/libads/ldap.c | 4 +++- source/libsmb/cliquota.c | 4 +++- source/smbd/nttrans.c | 17 ++++++++++++++--- 4 files changed, 23 insertions(+), 5 deletions(-) diff --git a/source/lib/util_sid.c b/source/lib/util_sid.c index f656bb13dc8..aa49b860d03 100644 --- a/source/lib/util_sid.c +++ b/source/lib/util_sid.c @@ -408,6 +408,9 @@ bool sid_parse(const char *inbuf, size_t len, DOM_SID *sid) sid->sid_rev_num = CVAL(inbuf, 0); sid->num_auths = CVAL(inbuf, 1); + if (sid->num_auths > MAXSUBAUTHS) { + return false; + } memcpy(sid->id_auth, inbuf+2, 6); if (len < 8 + sid->num_auths*4) return False; diff --git a/source/libads/ldap.c b/source/libads/ldap.c index d9598e5dd83..f426996968f 100644 --- a/source/libads/ldap.c +++ b/source/libads/ldap.c @@ -2139,7 +2139,9 @@ static void dump_sid(ADS_STRUCT *ads, const char *field, struct berval **values) for (i=0; values[i]; i++) { DOM_SID sid; fstring tmp; - sid_parse(values[i]->bv_val, values[i]->bv_len, &sid); + if (!sid_parse(values[i]->bv_val, values[i]->bv_len, &sid)) { + continue; + } printf("%s: %s\n", field, sid_to_fstring(tmp, &sid)); } } diff --git a/source/libsmb/cliquota.c b/source/libsmb/cliquota.c index dcdfec241d9..47739f04a07 100644 --- a/source/libsmb/cliquota.c +++ b/source/libsmb/cliquota.c @@ -117,7 +117,9 @@ static bool parse_user_quota_record(const char *rdata, unsigned int rdata_count, } #endif /* LARGE_SMB_OFF_T */ - sid_parse(rdata+40,sid_len,&qt.sid); + if (!sid_parse(rdata+40,sid_len,&qt.sid)) { + return false; + } qt.qtype = SMB_USER_QUOTA_TYPE; diff --git a/source/smbd/nttrans.c b/source/smbd/nttrans.c index c392380b5ec..b610b1fd397 100644 --- a/source/smbd/nttrans.c +++ b/source/smbd/nttrans.c @@ -1950,7 +1950,11 @@ static void call_nt_transact_ioctl(connection_struct *conn, /* unknown 4 bytes: this is not the length of the sid :-( */ /*unknown = IVAL(pdata,0);*/ - sid_parse(pdata+4,sid_len,&sid); + if (!sid_parse(pdata+4,sid_len,&sid)) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + return; + } + DEBUGADD(10, ("for SID: %s\n", sid_string_dbg(&sid))); if (!sid_to_uid(&sid, &uid)) { @@ -2206,7 +2210,10 @@ static void call_nt_transact_get_user_quota(connection_struct *conn, break; } - sid_parse(pdata+8,sid_len,&sid); + if (!sid_parse(pdata+8,sid_len,&sid)) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + return; + } if (vfs_get_ntquota(fsp, SMB_USER_QUOTA_TYPE, &sid, &qt)!=0) { ZERO_STRUCT(qt); @@ -2387,7 +2394,11 @@ static void call_nt_transact_set_user_quota(connection_struct *conn, } #endif /* LARGE_SMB_OFF_T */ - sid_parse(pdata+40,sid_len,&sid); + if (!sid_parse(pdata+40,sid_len,&sid)) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + return; + } + DEBUGADD(8,("SID: %s\n", sid_string_dbg(&sid))); /* 44 unknown bytes left... */ -- cgit