[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

rpms/samba/FC-6 samba-3.0.24-CVE-2007-4572-regression.patch, 1.1, 1.2 samba.spec, 1.81, 1.82



Author: ssorce

Update of /cvs/dist/rpms/samba/FC-6
In directory cvs.devel.redhat.com:/tmp/cvs-serv19155

Modified Files:
	samba-3.0.24-CVE-2007-4572-regression.patch samba.spec 
Log Message:
Fix a regression into the patch for the previous regression :/


samba-3.0.24-CVE-2007-4572-regression.patch:
 negprot.c   |    2 +-
 reply.c     |    8 ++++----
 sesssetup.c |    6 +++---
 srvstr.c    |   13 +++----------
 trans2.c    |   48 ++++++++++++++++++++++++++----------------------
 5 files changed, 37 insertions(+), 40 deletions(-)

Index: samba-3.0.24-CVE-2007-4572-regression.patch
===================================================================
RCS file: /cvs/dist/rpms/samba/FC-6/samba-3.0.24-CVE-2007-4572-regression.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- samba-3.0.24-CVE-2007-4572-regression.patch	19 Nov 2007 20:38:48 -0000	1.1
+++ samba-3.0.24-CVE-2007-4572-regression.patch	4 Dec 2007 16:43:14 -0000	1.2
@@ -1,7 +1,7 @@
-diff -ur samba-3.0.24.orig/source/smbd/negprot.c samba-3.0.24/source/smbd/negprot.c
---- samba-3.0.24.orig/source/smbd/negprot.c	2007-11-18 13:20:17.000000000 -0500
-+++ samba-3.0.24/source/smbd/negprot.c	2007-11-18 13:20:32.000000000 -0500
-@@ -357,7 +357,7 @@
+diff -upr samba-3.0.24.orig/source/smbd/negprot.c samba-3.0.24/source/smbd/negprot.c
+--- samba-3.0.24.orig/source/smbd/negprot.c	2007-12-04 11:29:12.000000000 -0500
++++ samba-3.0.24/source/smbd/negprot.c	2007-12-04 11:29:49.000000000 -0500
+@@ -357,7 +357,7 @@ static int reply_nt1(char *inbuf, char *
  			SCVAL(outbuf,smb_vwv16+1,8);
  			p += 8;
  		}
@@ -10,10 +10,10 @@
  				 STR_UNICODE|STR_TERMINATE|STR_NOALIGN);
  		DEBUG(3,("not using SPNEGO\n"));
  	} else {
-diff -ur samba-3.0.24.orig/source/smbd/reply.c samba-3.0.24/source/smbd/reply.c
---- samba-3.0.24.orig/source/smbd/reply.c	2007-11-18 13:20:17.000000000 -0500
-+++ samba-3.0.24/source/smbd/reply.c	2007-11-18 13:20:32.000000000 -0500
-@@ -686,7 +686,7 @@
+diff -upr samba-3.0.24.orig/source/smbd/reply.c samba-3.0.24/source/smbd/reply.c
+--- samba-3.0.24.orig/source/smbd/reply.c	2007-12-04 11:29:12.000000000 -0500
++++ samba-3.0.24/source/smbd/reply.c	2007-12-04 11:29:49.000000000 -0500
+@@ -686,7 +686,7 @@ int reply_tcon_and_X(connection_struct *
  	if (Protocol < PROTOCOL_NT1) {
  		set_message(outbuf,2,0,True);
  		p = smb_buf(outbuf);
@@ -22,7 +22,7 @@
  				 STR_TERMINATE|STR_ASCII);
  		set_message_end(outbuf,p);
  	} else {
-@@ -696,9 +696,9 @@
+@@ -696,9 +696,9 @@ int reply_tcon_and_X(connection_struct *
  		set_message(outbuf,3,0,True);
  
  		p = smb_buf(outbuf);
@@ -34,7 +34,7 @@
  				 STR_TERMINATE);
  		
  		set_message_end(outbuf,p);
-@@ -1794,7 +1794,7 @@
+@@ -1794,7 +1794,7 @@ int reply_ctemp(connection_struct *conn,
  	   thing in the byte section. JRA */
  	SSVALS(p, 0, -1); /* what is this? not in spec */
  #endif
@@ -43,10 +43,26 @@
  	p += namelen;
  	outsize = set_message_end(outbuf, p);
  
-diff -ur samba-3.0.24.orig/source/smbd/srvstr.c samba-3.0.24/source/smbd/srvstr.c
---- samba-3.0.24.orig/source/smbd/srvstr.c	2007-11-18 13:20:17.000000000 -0500
-+++ samba-3.0.24/source/smbd/srvstr.c	2007-11-18 13:20:32.000000000 -0500
-@@ -28,17 +28,10 @@
+diff -upr samba-3.0.24.orig/source/smbd/sesssetup.c samba-3.0.24/source/smbd/sesssetup.c
+--- samba-3.0.24.orig/source/smbd/sesssetup.c	2007-12-04 11:29:12.000000000 -0500
++++ samba-3.0.24/source/smbd/sesssetup.c	2007-12-04 11:29:49.000000000 -0500
+@@ -62,9 +62,9 @@ static int add_signature(char *outbuf, c
+ 
+ 	fstr_sprintf( lanman, "Samba %s", SAMBA_VERSION_STRING);
+ 
+-	p += srvstr_push(outbuf, p, "Unix", -1, STR_TERMINATE);
+-	p += srvstr_push(outbuf, p, lanman, -1, STR_TERMINATE);
+-	p += srvstr_push(outbuf, p, lp_workgroup(), -1, STR_TERMINATE);
++	p += srvstr_push(outbuf, p, "Unix", BUFFER_SIZE - (p - outbuf), STR_TERMINATE);
++	p += srvstr_push(outbuf, p, lanman, BUFFER_SIZE - (p - outbuf), STR_TERMINATE);
++	p += srvstr_push(outbuf, p, lp_workgroup(), BUFFER_SIZE - (p - outbuf), STR_TERMINATE);
+ 
+ 	return PTR_DIFF(p, start);
+ }
+diff -upr samba-3.0.24.orig/source/smbd/srvstr.c samba-3.0.24/source/smbd/srvstr.c
+--- samba-3.0.24.orig/source/smbd/srvstr.c	2007-12-04 11:29:12.000000000 -0500
++++ samba-3.0.24/source/smbd/srvstr.c	2007-12-04 11:29:49.000000000 -0500
+@@ -28,17 +28,10 @@ size_t srvstr_push_fn(const char *functi
  		      const char *base_ptr, void *dest, 
  		      const char *src, int dest_len, int flags)
  {
@@ -67,28 +83,37 @@
  	/* 'normal' push into size-specified buffer */
  	return push_string_fn(function, line, base_ptr, dest, src, dest_len, flags);
  }
-diff -ur samba-3.0.24.orig/source/smbd/trans2.c samba-3.0.24/source/smbd/trans2.c
---- samba-3.0.24.orig/source/smbd/trans2.c	2007-11-18 13:20:17.000000000 -0500
-+++ samba-3.0.24/source/smbd/trans2.c	2007-11-18 13:26:03.000000000 -0500
-@@ -1225,7 +1225,7 @@
+diff -upr samba-3.0.24.orig/source/smbd/trans2.c samba-3.0.24/source/smbd/trans2.c
+--- samba-3.0.24.orig/source/smbd/trans2.c	2007-12-04 11:29:12.000000000 -0500
++++ samba-3.0.24/source/smbd/trans2.c	2007-12-04 11:34:05.000000000 -0500
+@@ -1047,7 +1047,7 @@ static BOOL get_lanman2_dir_entry(connec
+ 				 char *path_mask,uint32 dirtype,int info_level,
+ 				 int requires_resume_key,
+ 				 BOOL dont_descend,char **ppdata, 
+-				 char *base_data, int space_remaining, 
++				 char *base_data, char *end_data, int space_remaining, 
+ 				 BOOL *out_of_space, BOOL *got_exact_match,
+ 				 int *last_entry_off, struct ea_list *name_list, TALLOC_CTX *ea_ctx)
+ {
+@@ -1225,7 +1225,7 @@ static BOOL get_lanman2_dir_entry(connec
  			p += 23;
  			nameptr = p;
  			p += align_string(outbuf, p, 0);
 -			len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE);
-+			len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE);
++			len = srvstr_push(outbuf, p, fname, PTR_DIFF(end_data, p), STR_TERMINATE);
  			if (SVAL(outbuf, smb_flg2) & FLAGS2_UNICODE_STRINGS) {
  				if (len > 2) {
  					SCVAL(nameptr, -1, len - 2);
-@@ -1260,7 +1260,7 @@
+@@ -1260,7 +1260,7 @@ static BOOL get_lanman2_dir_entry(connec
  			}
  			p += 27;
  			nameptr = p - 1;
 -			len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE | STR_NOALIGN);
-+			len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE | STR_NOALIGN);
++			len = srvstr_push(outbuf, p, fname, PTR_DIFF(end_data, p), STR_TERMINATE | STR_NOALIGN);
  			if (SVAL(outbuf, smb_flg2) & FLAGS2_UNICODE_STRINGS) {
  				if (len > 2) {
  					len -= 2;
-@@ -1314,9 +1314,9 @@
+@@ -1314,9 +1314,9 @@ static BOOL get_lanman2_dir_entry(connec
  			}
  
  			/* Push the ea_data followed by the name. */
@@ -96,65 +121,65 @@
 +			p += fill_ea_buffer(ea_ctx, p, space_remaining - (p - pdata), conn, name_list);
  			nameptr = p;
 -			len = srvstr_push(outbuf, p + 1, fname, -1, STR_TERMINATE | STR_NOALIGN);
-+			len = srvstr_push(outbuf, p + 1, fname, space_remaining - (p - pdata), STR_TERMINATE | STR_NOALIGN);
++			len = srvstr_push(outbuf, p + 1, fname, PTR_DIFF(end_data, p+1), STR_TERMINATE | STR_NOALIGN);
  			if (SVAL(outbuf, smb_flg2) & FLAGS2_UNICODE_STRINGS) {
  				if (len > 2) {
  					len -= 2;
-@@ -1372,7 +1372,7 @@
+@@ -1372,7 +1372,7 @@ static BOOL get_lanman2_dir_entry(connec
  				memset(p,'\0',26);
  			}
  			p += 2 + 24;
 -			len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE_ASCII);
-+			len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE_ASCII);
++			len = srvstr_push(outbuf, p, fname, PTR_DIFF(end_data, p), STR_TERMINATE_ASCII);
  			SIVAL(q,0,len);
  			p += len;
  			SIVAL(p,0,0); /* Ensure any padding is null. */
-@@ -1393,7 +1393,7 @@
+@@ -1393,7 +1393,7 @@ static BOOL get_lanman2_dir_entry(connec
  			SOFF_T(p,0,file_size); p += 8;
  			SOFF_T(p,0,allocation_size); p += 8;
  			SIVAL(p,0,nt_extmode); p += 4;
 -			len = srvstr_push(outbuf, p + 4, fname, -1, STR_TERMINATE_ASCII);
-+			len = srvstr_push(outbuf, p + 4, fname, space_remaining - (p - pdata), STR_TERMINATE_ASCII);
++			len = srvstr_push(outbuf, p + 4, fname, PTR_DIFF(end_data, p+4), STR_TERMINATE_ASCII);
  			SIVAL(p,0,len);
  			p += 4 + len;
  			SIVAL(p,0,0); /* Ensure any padding is null. */
-@@ -1420,7 +1420,7 @@
+@@ -1420,7 +1420,7 @@ static BOOL get_lanman2_dir_entry(connec
  				SIVAL(p,0,ea_size); /* Extended attributes */
  				p +=4;
  			}
 -			len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE_ASCII);
-+			len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE_ASCII);
++			len = srvstr_push(outbuf, p, fname, PTR_DIFF(end_data, p), STR_TERMINATE_ASCII);
  			SIVAL(q, 0, len);
  			p += len;
  
-@@ -1438,7 +1438,7 @@
+@@ -1438,7 +1438,7 @@ static BOOL get_lanman2_dir_entry(connec
  			p += 4;
  			/* this must *not* be null terminated or w2k gets in a loop trying to set an
  			   acl on a dir (tridge) */
 -			len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE_ASCII);
-+			len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE_ASCII);
++			len = srvstr_push(outbuf, p, fname, PTR_DIFF(end_data, p), STR_TERMINATE_ASCII);
  			SIVAL(p, -4, len);
  			p += len;
  			SIVAL(p,0,0); /* Ensure any padding is null. */
-@@ -1468,7 +1468,7 @@
+@@ -1468,7 +1468,7 @@ static BOOL get_lanman2_dir_entry(connec
  			SIVAL(p,0,0); p += 4; /* Unknown - reserved ? */
  			SIVAL(p,0,sbuf.st_ino); p += 4; /* FileIndexLow */
  			SIVAL(p,0,sbuf.st_dev); p += 4; /* FileIndexHigh */
 -			len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE_ASCII);
-+			len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE_ASCII);
++			len = srvstr_push(outbuf, p, fname, PTR_DIFF(end_data, p), STR_TERMINATE_ASCII);
  			SIVAL(q, 0, len);
  			p += len; 
  			SIVAL(p,0,0); /* Ensure any padding is null. */
-@@ -1518,7 +1518,7 @@
+@@ -1518,7 +1518,7 @@ static BOOL get_lanman2_dir_entry(connec
  			SSVAL(p,0,0); p += 2; /* Reserved ? */
  			SIVAL(p,0,sbuf.st_ino); p += 4; /* FileIndexLow */
  			SIVAL(p,0,sbuf.st_dev); p += 4; /* FileIndexHigh */
 -			len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE_ASCII);
-+			len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE_ASCII);
++			len = srvstr_push(outbuf, p, fname, PTR_DIFF(end_data, p), STR_TERMINATE_ASCII);
  			SIVAL(q,0,len);
  			p += len;
  			SIVAL(p,0,0); /* Ensure any padding is null. */
-@@ -1577,7 +1577,7 @@
+@@ -1577,7 +1577,7 @@ static BOOL get_lanman2_dir_entry(connec
  			SIVAL(p,4,0);
  			p+= 8;
  
@@ -163,7 +188,57 @@
  			p += len;
  			SIVAL(p,0,0); /* Ensure any padding is null. */
  
-@@ -2229,7 +2229,7 @@
+@@ -1625,6 +1625,7 @@ static int call_trans2findfirst(connecti
+ 		requested. */
+ 	char *params = *pparams;
+ 	char *pdata = *ppdata;
++ 	char *data_end;
+ 	uint32 dirtype = SVAL(params,0);
+ 	int maxentries = SVAL(params,2);
+ 	uint16 findfirst_flags = SVAL(params,4);
+@@ -1754,6 +1755,7 @@ total_data=%u (should be %u)\n", (unsign
+ 		return ERROR_NT(NT_STATUS_NO_MEMORY);
+ 	}
+ 	pdata = *ppdata;
++	data_end = pdata + max_data_bytes + DIR_ENTRY_SAFETY_MARGIN - 1;
+ 
+ 	/* Realloc the params space */
+ 	*pparams = SMB_REALLOC(*pparams, 10);
+@@ -1798,7 +1800,7 @@ total_data=%u (should be %u)\n", (unsign
+ 					inbuf, outbuf,
+ 					mask,dirtype,info_level,
+ 					requires_resume_key,dont_descend,
+-					&p,pdata,space_remaining, &out_of_space, &got_exact_match,
++					&p,pdata,data_end,space_remaining, &out_of_space, &got_exact_match,
+ 					&last_entry_off, ea_list, ea_ctx);
+ 		}
+ 
+@@ -1892,6 +1894,7 @@ static int call_trans2findnext(connectio
+ 		requested. */
+ 	char *params = *pparams;
+ 	char *pdata = *ppdata;
++ 	char *data_end;
+ 	int dptr_num = SVAL(params,0);
+ 	int maxentries = SVAL(params,2);
+ 	uint16 info_level = SVAL(params,4);
+@@ -2006,6 +2009,7 @@ total_data=%u (should be %u)\n", (unsign
+ 	}
+ 
+ 	pdata = *ppdata;
++	data_end = pdata + max_data_bytes + DIR_ENTRY_SAFETY_MARGIN - 1;
+ 
+ 	/* Realloc the params space */
+ 	*pparams = SMB_REALLOC(*pparams, 6*SIZEOFWORD);
+@@ -2097,7 +2101,7 @@ total_data=%u (should be %u)\n", (unsign
+ 						inbuf, outbuf,
+ 						mask,dirtype,info_level,
+ 						requires_resume_key,dont_descend,
+-						&p,pdata,space_remaining, &out_of_space, &got_exact_match,
++						&p,pdata,data_end,space_remaining, &out_of_space, &got_exact_match,
+ 						&last_entry_off, ea_list, ea_ctx);
+ 		}
+ 
+@@ -2229,7 +2233,7 @@ cBytesSector=%u, cUnitTotal=%u, cUnitAva
  			 * this call so try fixing this by adding a terminating null to
  			 * the pushed string. The change here was adding the STR_TERMINATE. JRA.
  			 */
@@ -172,7 +247,7 @@
  			SCVAL(pdata,l2_vol_cch,len);
  			data_len = l2_vol_szVolLabel + len;
  			DEBUG(5,("call_trans2qfsinfo : time = %x, namelen = %d, name = %s\n",
-@@ -2251,14 +2251,14 @@
+@@ -2251,14 +2255,14 @@ cBytesSector=%u, cUnitTotal=%u, cUnitAva
  			SIVAL(pdata,4,255); /* Max filename component length */
  			/* NOTE! the fstype must *not* be null terminated or win98 won't recognise it
  				and will think we can't do long filenames */
@@ -189,7 +264,7 @@
  			data_len = 4 + len;
  			SIVAL(pdata,0,len);
  			break;
-@@ -2273,7 +2273,7 @@
+@@ -2273,7 +2277,7 @@ cBytesSector=%u, cUnitTotal=%u, cUnitAva
  			SIVAL(pdata,8,str_checksum(lp_servicename(snum)) ^ 
  				(str_checksum(get_local_machine_name())<<16));
  
@@ -198,7 +273,7 @@
  			SIVAL(pdata,12,len);
  			data_len = 18+len;
  			DEBUG(5,("call_trans2qfsinfo : SMB_QUERY_FS_VOLUME_INFO namelen = %d, vol=%s serv=%s\n", 
-@@ -3232,7 +3232,7 @@
+@@ -3232,7 +3236,7 @@ total_data=%u (should be %u)\n", (unsign
  			if(!mangle_is_8_3(short_name, True, SNUM(conn))) {
  				mangle_map(short_name,True,True,SNUM(conn));
  			}
@@ -207,7 +282,7 @@
  			data_size = 4 + len;
  			SIVAL(pdata,0,len);
  			break;
-@@ -3242,7 +3242,7 @@
+@@ -3242,7 +3246,7 @@ total_data=%u (should be %u)\n", (unsign
  			/*
  			  this must be *exactly* right for ACLs on mapped drives to work
  			 */
@@ -216,7 +291,7 @@
  			DEBUG(10,("call_trans2qfilepathinfo: SMB_QUERY_FILE_NAME_INFO\n"));
  			data_size = 4 + len;
  			SIVAL(pdata,0,len);
-@@ -3283,7 +3283,7 @@
+@@ -3283,7 +3287,7 @@ total_data=%u (should be %u)\n", (unsign
  			pdata += 24;
  			SIVAL(pdata,0,ea_size);
  			pdata += 4; /* EA info */
@@ -225,7 +300,7 @@
  			SIVAL(pdata,0,len);
  			pdata += 4 + len;
  			data_size = PTR_DIFF(pdata,(*ppdata));
-@@ -3472,7 +3472,7 @@
+@@ -3472,7 +3476,7 @@ total_data=%u (should be %u)\n", (unsign
  				if (len == -1)
  					return(UNIXERROR(ERRDOS,ERRnoaccess));
  				buffer[len] = 0;
@@ -234,19 +309,3 @@
  				pdata += len;
  				data_size = PTR_DIFF(pdata,(*ppdata));
  
-diff -ur samba-3.0.24.orig/source/smbd/sesssetup.c samba-3.0.24/source/smbd/sesssetup.c
---- samba-3.0.24.orig/source/smbd/sesssetup.c	2007-11-19 14:58:31.000000000 -0500
-+++ samba-3.0.24/source/smbd/sesssetup.c	2007-11-19 15:23:32.000000000 -0500
-@@ -62,9 +62,9 @@
- 
- 	fstr_sprintf( lanman, "Samba %s", SAMBA_VERSION_STRING);
- 
--	p += srvstr_push(outbuf, p, "Unix", -1, STR_TERMINATE);
--	p += srvstr_push(outbuf, p, lanman, -1, STR_TERMINATE);
--	p += srvstr_push(outbuf, p, lp_workgroup(), -1, STR_TERMINATE);
-+	p += srvstr_push(outbuf, p, "Unix", BUFFER_SIZE - (p - outbuf), STR_TERMINATE);
-+	p += srvstr_push(outbuf, p, lanman, BUFFER_SIZE - (p - outbuf), STR_TERMINATE);
-+	p += srvstr_push(outbuf, p, lp_workgroup(), BUFFER_SIZE - (p - outbuf), STR_TERMINATE);
- 
- 	return PTR_DIFF(p, start);
- }


Index: samba.spec
===================================================================
RCS file: /cvs/dist/rpms/samba/FC-6/samba.spec,v
retrieving revision 1.81
retrieving revision 1.82
diff -u -r1.81 -r1.82
--- samba.spec	19 Nov 2007 20:38:48 -0000	1.81
+++ samba.spec	4 Dec 2007 16:43:14 -0000	1.82
@@ -3,7 +3,7 @@
 Summary: The Samba SMB server.
 Name: samba
 Version: 3.0.24
-Release: 9%{?dist}
+Release: 10%{?dist}
 Epoch: 0
 License: GNU GPL Version 2
 Group: System Environment/Daemons
@@ -478,6 +478,10 @@
 %{_mandir}/man7/libsmbclient.7*
 
 %changelog
+* Tue Dec 3 2007 Simo Sorce <ssorce redhat com> 3.0.24-10.fc6
+- The fix for the regression intorduced by CVE-2007-4572 was
+  not complete, updated the patch with more fixes
+
 * Mon Nov 19 2007 Simo Sorce <ssorce redhat com> 3.0.24-9.fc6
 - Fix regression intorduced by CVE-2007-4572
 


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]