From f36cd948f0006d177ff67ab5bb2636d32493ce28 Mon Sep 17 00:00:00 2001
From: Samba Release Account
Date: Wed, 15 Sep 2004 20:55:31 +0000
Subject: r2356: commit the changes from the 3.0.7 release that were held back until the security announcement

---
 WHATSNEW.txt         | 6 ++++++
 source/libsmb/asn1.c | 6 ++++++
 2 files changed, 12 insertions(+)

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 73720d1f9c9..5223fa2513b 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -11,6 +11,8 @@ details on exact updates.
 
 Common bugs fixed in 3.0.7 include:
 
+  o Fixes for two Denial of Service vulnerabalities
+    (CVE ID# CAN-2004-0807 & CAN-2004-0808).
   o Winbind failure to return user entries under certain conditions.
   o Syntax errors in the OpenLDAP schema file (samba.schema).
 
@@ -40,6 +42,10 @@ o Jeremy Allison
     * More paranoia checks in the hash2 mangling code.
     * Fix syntax error in configure.in.
     * Match Win2k3's behavior for pathname parsing error returns.
+    * Make nmbd more robust against bad netbios packets
+      (CAN-2004-0808).
+    * Add more checks for invalid ASN.1 packets for SPNEGO packets
+      (CAN-2004-0807).
 
 o Andrew Bartlett
 
diff --git a/source/libsmb/asn1.c b/source/libsmb/asn1.c
index ca14f3fbb71..2807b4e1d3e 100644
--- a/source/libsmb/asn1.c
+++ b/source/libsmb/asn1.c
@@ -219,6 +219,9 @@ BOOL asn1_load(ASN1_DATA *data, DATA_BLOB blob)
 /* read from a ASN1 buffer, advancing the buffer pointer */
 BOOL asn1_read(ASN1_DATA *data, void *p, int len)
 {
+	if (data->has_error)
+		return False;
+
 	if (len < 0 || data->ofs + len < data->ofs || data->ofs + len < len) {
 		data->has_error = True;
 		return False;
@@ -309,6 +312,9 @@ BOOL asn1_end_tag(ASN1_DATA *data)
 /* work out how many bytes are left in this nested tag */
 int asn1_tag_remaining(ASN1_DATA *data)
 {
+	if (data->has_error)
+		return 0;
+
 	if (!data->nesting) {
 		data->has_error = True;
 		return -1;
--
cgit
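Review bot: The early `has_error` return in asn1_read is sound, but the guard immediately after it, `data->ofs + len < data->ofs || data->ofs + len < len`, detects overflow only by observing the wrapped sum, which is undefined behaviour whenever `ofs` is a signed type, and a compiler is then entitled to fold both comparisons to false and drop the check. A wrap-free form compares `len` against the bytes still available rather than testing the sum, e.g. `if (len < 0 || (size_t)len > remaining) { data->has_error = True; return False; }` with `remaining` derived from the buffer length minus `ofs`, which cannot overflow once `ofs` is known not to exceed the length. Whether a later bounds check against the buffer length already exists cannot be seen here, because asn1_read's body continues past the hunk.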
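Review bot: In asn1_tag_remaining the new `has_error` path returns 0 while the `!data->nesting` error path three lines below returns -1, so a caller that detects failure by a negative result will read an already-failed parse as "nothing remaining" and carry on. If 0 is deliberate so that callers' remaining-bytes loops terminate, that intent belongs on the added line, e.g. `/* an earlier failure is already recorded in has_error; report nothing left so callers stop iterating */`; otherwise `return -1;` keeps the two error returns consistent. The function's normal return path is outside the hunk, so the non-error result is not visible here.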