rpms/samba/FC-6 samba-3.0.24-CVE-2007-4572-regression.patch, 1.1, 1.2 samba.spec, 1.81, 1.82
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Tue Dec 4 16:43:17 UTC 2007
Author: ssorce
Update of /cvs/dist/rpms/samba/FC-6
In directory cvs.devel.redhat.com:/tmp/cvs-serv19155
Modified Files:
samba-3.0.24-CVE-2007-4572-regression.patch samba.spec
Log Message:
Fix a regression in the patch for the previous regression :/
samba-3.0.24-CVE-2007-4572-regression.patch:
negprot.c | 2 +-
reply.c | 8 ++++----
sesssetup.c | 6 +++---
srvstr.c | 13 +++----------
trans2.c | 48 ++++++++++++++++++++++++++----------------------
5 files changed, 37 insertions(+), 40 deletions(-)
Index: samba-3.0.24-CVE-2007-4572-regression.patch
===================================================================
RCS file: /cvs/dist/rpms/samba/FC-6/samba-3.0.24-CVE-2007-4572-regression.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- samba-3.0.24-CVE-2007-4572-regression.patch 19 Nov 2007 20:38:48 -0000 1.1
+++ samba-3.0.24-CVE-2007-4572-regression.patch 4 Dec 2007 16:43:14 -0000 1.2
@@ -1,7 +1,7 @@
-diff -ur samba-3.0.24.orig/source/smbd/negprot.c samba-3.0.24/source/smbd/negprot.c
---- samba-3.0.24.orig/source/smbd/negprot.c 2007-11-18 13:20:17.000000000 -0500
-+++ samba-3.0.24/source/smbd/negprot.c 2007-11-18 13:20:32.000000000 -0500
-@@ -357,7 +357,7 @@
+diff -upr samba-3.0.24.orig/source/smbd/negprot.c samba-3.0.24/source/smbd/negprot.c
+--- samba-3.0.24.orig/source/smbd/negprot.c 2007-12-04 11:29:12.000000000 -0500
++++ samba-3.0.24/source/smbd/negprot.c 2007-12-04 11:29:49.000000000 -0500
+@@ -357,7 +357,7 @@ static int reply_nt1(char *inbuf, char *
SCVAL(outbuf,smb_vwv16+1,8);
p += 8;
}
@@ -10,10 +10,10 @@
STR_UNICODE|STR_TERMINATE|STR_NOALIGN);
DEBUG(3,("not using SPNEGO\n"));
} else {
-diff -ur samba-3.0.24.orig/source/smbd/reply.c samba-3.0.24/source/smbd/reply.c
---- samba-3.0.24.orig/source/smbd/reply.c 2007-11-18 13:20:17.000000000 -0500
-+++ samba-3.0.24/source/smbd/reply.c 2007-11-18 13:20:32.000000000 -0500
-@@ -686,7 +686,7 @@
+diff -upr samba-3.0.24.orig/source/smbd/reply.c samba-3.0.24/source/smbd/reply.c
+--- samba-3.0.24.orig/source/smbd/reply.c 2007-12-04 11:29:12.000000000 -0500
++++ samba-3.0.24/source/smbd/reply.c 2007-12-04 11:29:49.000000000 -0500
+@@ -686,7 +686,7 @@ int reply_tcon_and_X(connection_struct *
if (Protocol < PROTOCOL_NT1) {
set_message(outbuf,2,0,True);
p = smb_buf(outbuf);
@@ -22,7 +22,7 @@
STR_TERMINATE|STR_ASCII);
set_message_end(outbuf,p);
} else {
-@@ -696,9 +696,9 @@
+@@ -696,9 +696,9 @@ int reply_tcon_and_X(connection_struct *
set_message(outbuf,3,0,True);
p = smb_buf(outbuf);
@@ -34,7 +34,7 @@
STR_TERMINATE);
set_message_end(outbuf,p);
-@@ -1794,7 +1794,7 @@
+@@ -1794,7 +1794,7 @@ int reply_ctemp(connection_struct *conn,
thing in the byte section. JRA */
SSVALS(p, 0, -1); /* what is this? not in spec */
#endif
@@ -43,10 +43,26 @@
p += namelen;
outsize = set_message_end(outbuf, p);
-diff -ur samba-3.0.24.orig/source/smbd/srvstr.c samba-3.0.24/source/smbd/srvstr.c
---- samba-3.0.24.orig/source/smbd/srvstr.c 2007-11-18 13:20:17.000000000 -0500
-+++ samba-3.0.24/source/smbd/srvstr.c 2007-11-18 13:20:32.000000000 -0500
-@@ -28,17 +28,10 @@
+diff -upr samba-3.0.24.orig/source/smbd/sesssetup.c samba-3.0.24/source/smbd/sesssetup.c
+--- samba-3.0.24.orig/source/smbd/sesssetup.c 2007-12-04 11:29:12.000000000 -0500
++++ samba-3.0.24/source/smbd/sesssetup.c 2007-12-04 11:29:49.000000000 -0500
+@@ -62,9 +62,9 @@ static int add_signature(char *outbuf, c
+
+ fstr_sprintf( lanman, "Samba %s", SAMBA_VERSION_STRING);
+
+- p += srvstr_push(outbuf, p, "Unix", -1, STR_TERMINATE);
+- p += srvstr_push(outbuf, p, lanman, -1, STR_TERMINATE);
+- p += srvstr_push(outbuf, p, lp_workgroup(), -1, STR_TERMINATE);
++ p += srvstr_push(outbuf, p, "Unix", BUFFER_SIZE - (p - outbuf), STR_TERMINATE);
++ p += srvstr_push(outbuf, p, lanman, BUFFER_SIZE - (p - outbuf), STR_TERMINATE);
++ p += srvstr_push(outbuf, p, lp_workgroup(), BUFFER_SIZE - (p - outbuf), STR_TERMINATE);
+
+ return PTR_DIFF(p, start);
+ }
+diff -upr samba-3.0.24.orig/source/smbd/srvstr.c samba-3.0.24/source/smbd/srvstr.c
+--- samba-3.0.24.orig/source/smbd/srvstr.c 2007-12-04 11:29:12.000000000 -0500
++++ samba-3.0.24/source/smbd/srvstr.c 2007-12-04 11:29:49.000000000 -0500
+@@ -28,17 +28,10 @@ size_t srvstr_push_fn(const char *functi
const char *base_ptr, void *dest,
const char *src, int dest_len, int flags)
{
@@ -67,28 +83,37 @@
/* 'normal' push into size-specified buffer */
return push_string_fn(function, line, base_ptr, dest, src, dest_len, flags);
}
-diff -ur samba-3.0.24.orig/source/smbd/trans2.c samba-3.0.24/source/smbd/trans2.c
---- samba-3.0.24.orig/source/smbd/trans2.c 2007-11-18 13:20:17.000000000 -0500
-+++ samba-3.0.24/source/smbd/trans2.c 2007-11-18 13:26:03.000000000 -0500
-@@ -1225,7 +1225,7 @@
+diff -upr samba-3.0.24.orig/source/smbd/trans2.c samba-3.0.24/source/smbd/trans2.c
+--- samba-3.0.24.orig/source/smbd/trans2.c 2007-12-04 11:29:12.000000000 -0500
++++ samba-3.0.24/source/smbd/trans2.c 2007-12-04 11:34:05.000000000 -0500
+@@ -1047,7 +1047,7 @@ static BOOL get_lanman2_dir_entry(connec
+ char *path_mask,uint32 dirtype,int info_level,
+ int requires_resume_key,
+ BOOL dont_descend,char **ppdata,
+- char *base_data, int space_remaining,
++ char *base_data, char *end_data, int space_remaining,
+ BOOL *out_of_space, BOOL *got_exact_match,
+ int *last_entry_off, struct ea_list *name_list, TALLOC_CTX *ea_ctx)
+ {
+@@ -1225,7 +1225,7 @@ static BOOL get_lanman2_dir_entry(connec
p += 23;
nameptr = p;
p += align_string(outbuf, p, 0);
- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE);
-+ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE);
++ len = srvstr_push(outbuf, p, fname, PTR_DIFF(end_data, p), STR_TERMINATE);
if (SVAL(outbuf, smb_flg2) & FLAGS2_UNICODE_STRINGS) {
if (len > 2) {
SCVAL(nameptr, -1, len - 2);
-@@ -1260,7 +1260,7 @@
+@@ -1260,7 +1260,7 @@ static BOOL get_lanman2_dir_entry(connec
}
p += 27;
nameptr = p - 1;
- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE | STR_NOALIGN);
-+ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE | STR_NOALIGN);
++ len = srvstr_push(outbuf, p, fname, PTR_DIFF(end_data, p), STR_TERMINATE | STR_NOALIGN);
if (SVAL(outbuf, smb_flg2) & FLAGS2_UNICODE_STRINGS) {
if (len > 2) {
len -= 2;
-@@ -1314,9 +1314,9 @@
+@@ -1314,9 +1314,9 @@ static BOOL get_lanman2_dir_entry(connec
}
/* Push the ea_data followed by the name. */
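Review bot: The new `char *end_data` parameter in get_lanman2_dir_entry's signature is undocumented, although every srvstr_push in the function is now bounded by `PTR_DIFF(end_data, p)`, and the callers in the later hunk compute it as the last byte of the data block rather than one past it, so a reader of the callee alone cannot tell whether a push may write at `*end_data` or only before it. I would add above the signature: `/* end_data: last valid byte of *ppdata (max_data_bytes + DIR_ENTRY_SAFETY_MARGIN, minus one); bounds every string push independently of space_remaining */`, and confirm the off-by-one against how push_string_fn counts dest_len, which is not visible here. get_lanman2_dir_entry's body continues past the end of this hunk.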
@@ -96,65 +121,65 @@
+ p += fill_ea_buffer(ea_ctx, p, space_remaining - (p - pdata), conn, name_list);
nameptr = p;
- len = srvstr_push(outbuf, p + 1, fname, -1, STR_TERMINATE | STR_NOALIGN);
-+ len = srvstr_push(outbuf, p + 1, fname, space_remaining - (p - pdata), STR_TERMINATE | STR_NOALIGN);
++ len = srvstr_push(outbuf, p + 1, fname, PTR_DIFF(end_data, p+1), STR_TERMINATE | STR_NOALIGN);
if (SVAL(outbuf, smb_flg2) & FLAGS2_UNICODE_STRINGS) {
if (len > 2) {
len -= 2;
-@@ -1372,7 +1372,7 @@
+@@ -1372,7 +1372,7 @@ static BOOL get_lanman2_dir_entry(connec
memset(p,'\0',26);
}
p += 2 + 24;
- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE_ASCII);
-+ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE_ASCII);
++ len = srvstr_push(outbuf, p, fname, PTR_DIFF(end_data, p), STR_TERMINATE_ASCII);
SIVAL(q,0,len);
p += len;
SIVAL(p,0,0); /* Ensure any padding is null. */
-@@ -1393,7 +1393,7 @@
+@@ -1393,7 +1393,7 @@ static BOOL get_lanman2_dir_entry(connec
SOFF_T(p,0,file_size); p += 8;
SOFF_T(p,0,allocation_size); p += 8;
SIVAL(p,0,nt_extmode); p += 4;
- len = srvstr_push(outbuf, p + 4, fname, -1, STR_TERMINATE_ASCII);
-+ len = srvstr_push(outbuf, p + 4, fname, space_remaining - (p - pdata), STR_TERMINATE_ASCII);
++ len = srvstr_push(outbuf, p + 4, fname, PTR_DIFF(end_data, p+4), STR_TERMINATE_ASCII);
SIVAL(p,0,len);
p += 4 + len;
SIVAL(p,0,0); /* Ensure any padding is null. */
-@@ -1420,7 +1420,7 @@
+@@ -1420,7 +1420,7 @@ static BOOL get_lanman2_dir_entry(connec
SIVAL(p,0,ea_size); /* Extended attributes */
p +=4;
}
- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE_ASCII);
-+ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE_ASCII);
++ len = srvstr_push(outbuf, p, fname, PTR_DIFF(end_data, p), STR_TERMINATE_ASCII);
SIVAL(q, 0, len);
p += len;
-@@ -1438,7 +1438,7 @@
+@@ -1438,7 +1438,7 @@ static BOOL get_lanman2_dir_entry(connec
p += 4;
/* this must *not* be null terminated or w2k gets in a loop trying to set an
acl on a dir (tridge) */
- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE_ASCII);
-+ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE_ASCII);
++ len = srvstr_push(outbuf, p, fname, PTR_DIFF(end_data, p), STR_TERMINATE_ASCII);
SIVAL(p, -4, len);
p += len;
SIVAL(p,0,0); /* Ensure any padding is null. */
-@@ -1468,7 +1468,7 @@
+@@ -1468,7 +1468,7 @@ static BOOL get_lanman2_dir_entry(connec
SIVAL(p,0,0); p += 4; /* Unknown - reserved ? */
SIVAL(p,0,sbuf.st_ino); p += 4; /* FileIndexLow */
SIVAL(p,0,sbuf.st_dev); p += 4; /* FileIndexHigh */
- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE_ASCII);
-+ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE_ASCII);
++ len = srvstr_push(outbuf, p, fname, PTR_DIFF(end_data, p), STR_TERMINATE_ASCII);
SIVAL(q, 0, len);
p += len;
SIVAL(p,0,0); /* Ensure any padding is null. */
-@@ -1518,7 +1518,7 @@
+@@ -1518,7 +1518,7 @@ static BOOL get_lanman2_dir_entry(connec
SSVAL(p,0,0); p += 2; /* Reserved ? */
SIVAL(p,0,sbuf.st_ino); p += 4; /* FileIndexLow */
SIVAL(p,0,sbuf.st_dev); p += 4; /* FileIndexHigh */
- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE_ASCII);
-+ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE_ASCII);
++ len = srvstr_push(outbuf, p, fname, PTR_DIFF(end_data, p), STR_TERMINATE_ASCII);
SIVAL(q,0,len);
p += len;
SIVAL(p,0,0); /* Ensure any padding is null. */
-@@ -1577,7 +1577,7 @@
+@@ -1577,7 +1577,7 @@ static BOOL get_lanman2_dir_entry(connec
SIVAL(p,4,0);
p+= 8;
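Review bot: The SMB_FIND_EA_LIST entry still bounds its EA data with `p += fill_ea_buffer(ea_ctx, p, space_remaining - (p - pdata), conn, name_list);` while every srvstr_push in this hunk was switched from that expression to `PTR_DIFF(end_data, p)`; if the old bound is what truncated entries that legitimately extend into DIR_ENTRY_SAFETY_MARGIN before the out_of_space check, the EA path presumably keeps that behaviour. Either pass `PTR_DIFF(end_data, p)` there too or add a comment stating why the EA buffer must stay within space_remaining. Separately, `PTR_DIFF` yields a ptrdiff_t that is narrowed into srvstr_push's `int dest_len`, and a negative value if `p` ever passed `end_data` would coincide with the -1 size the original calls used; a `SMB_ASSERT(p <= end_data);` ahead of the pushes would make that case loud in debug builds. get_lanman2_dir_entry starts before and ends after this hunk.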
@@ -163,7 +188,57 @@
p += len;
SIVAL(p,0,0); /* Ensure any padding is null. */
-@@ -2229,7 +2229,7 @@
+@@ -1625,6 +1625,7 @@ static int call_trans2findfirst(connecti
+ requested. */
+ char *params = *pparams;
+ char *pdata = *ppdata;
++ char *data_end;
+ uint32 dirtype = SVAL(params,0);
+ int maxentries = SVAL(params,2);
+ uint16 findfirst_flags = SVAL(params,4);
+@@ -1754,6 +1755,7 @@ total_data=%u (should be %u)\n", (unsign
+ return ERROR_NT(NT_STATUS_NO_MEMORY);
+ }
+ pdata = *ppdata;
++ data_end = pdata + max_data_bytes + DIR_ENTRY_SAFETY_MARGIN - 1;
+
+ /* Realloc the params space */
+ *pparams = SMB_REALLOC(*pparams, 10);
+@@ -1798,7 +1800,7 @@ total_data=%u (should be %u)\n", (unsign
+ inbuf, outbuf,
+ mask,dirtype,info_level,
+ requires_resume_key,dont_descend,
+- &p,pdata,space_remaining, &out_of_space, &got_exact_match,
++ &p,pdata,data_end,space_remaining, &out_of_space, &got_exact_match,
+ &last_entry_off, ea_list, ea_ctx);
+ }
+
+@@ -1892,6 +1894,7 @@ static int call_trans2findnext(connectio
+ requested. */
+ char *params = *pparams;
+ char *pdata = *ppdata;
++ char *data_end;
+ int dptr_num = SVAL(params,0);
+ int maxentries = SVAL(params,2);
+ uint16 info_level = SVAL(params,4);
+@@ -2006,6 +2009,7 @@ total_data=%u (should be %u)\n", (unsign
+ }
+
+ pdata = *ppdata;
++ data_end = pdata + max_data_bytes + DIR_ENTRY_SAFETY_MARGIN - 1;
+
+ /* Realloc the params space */
+ *pparams = SMB_REALLOC(*pparams, 6*SIZEOFWORD);
+@@ -2097,7 +2101,7 @@ total_data=%u (should be %u)\n", (unsign
+ inbuf, outbuf,
+ mask,dirtype,info_level,
+ requires_resume_key,dont_descend,
+- &p,pdata,space_remaining, &out_of_space, &got_exact_match,
++ &p,pdata,data_end,space_remaining, &out_of_space, &got_exact_match,
+ &last_entry_off, ea_list, ea_ctx);
+ }
+
+@@ -2229,7 +2233,7 @@ cBytesSector=%u, cUnitTotal=%u, cUnitAva
* this call so try fixing this by adding a terminating null to
* the pushed string. The change here was adding the STR_TERMINATE. JRA.
*/
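Review bot: `data_end = pdata + max_data_bytes + DIR_ENTRY_SAFETY_MARGIN - 1;` is duplicated verbatim in call_trans2findfirst and call_trans2findnext with nothing explaining why the bound is the last byte rather than one past it, and the SMB_REALLOC that sizes *ppdata lies outside the hunk, so the invariant tying this expression to the allocation is only implied. A comment at both sites would make it checkable: `/* last byte of *ppdata; an entry may presumably run into DIR_ENTRY_SAFETY_MARGIN before out_of_space rejects it, so pushes are bounded here, not by space_remaining */`. The callee calls the same value `end_data`; using one name on both sides would help when grepping for the bound. Both enclosing functions extend beyond this hunk.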
@@ -172,7 +247,7 @@
SCVAL(pdata,l2_vol_cch,len);
data_len = l2_vol_szVolLabel + len;
DEBUG(5,("call_trans2qfsinfo : time = %x, namelen = %d, name = %s\n",
-@@ -2251,14 +2251,14 @@
+@@ -2251,14 +2255,14 @@ cBytesSector=%u, cUnitTotal=%u, cUnitAva
SIVAL(pdata,4,255); /* Max filename component length */
/* NOTE! the fstype must *not* be null terminated or win98 won't recognise it
and will think we can't do long filenames */
@@ -189,7 +264,7 @@
data_len = 4 + len;
SIVAL(pdata,0,len);
break;
-@@ -2273,7 +2273,7 @@
+@@ -2273,7 +2277,7 @@ cBytesSector=%u, cUnitTotal=%u, cUnitAva
SIVAL(pdata,8,str_checksum(lp_servicename(snum)) ^
(str_checksum(get_local_machine_name())<<16));
@@ -198,7 +273,7 @@
SIVAL(pdata,12,len);
data_len = 18+len;
DEBUG(5,("call_trans2qfsinfo : SMB_QUERY_FS_VOLUME_INFO namelen = %d, vol=%s serv=%s\n",
-@@ -3232,7 +3232,7 @@
+@@ -3232,7 +3236,7 @@ total_data=%u (should be %u)\n", (unsign
if(!mangle_is_8_3(short_name, True, SNUM(conn))) {
mangle_map(short_name,True,True,SNUM(conn));
}
@@ -207,7 +282,7 @@
data_size = 4 + len;
SIVAL(pdata,0,len);
break;
-@@ -3242,7 +3242,7 @@
+@@ -3242,7 +3246,7 @@ total_data=%u (should be %u)\n", (unsign
/*
this must be *exactly* right for ACLs on mapped drives to work
*/
@@ -216,7 +291,7 @@
DEBUG(10,("call_trans2qfilepathinfo: SMB_QUERY_FILE_NAME_INFO\n"));
data_size = 4 + len;
SIVAL(pdata,0,len);
-@@ -3283,7 +3283,7 @@
+@@ -3283,7 +3287,7 @@ total_data=%u (should be %u)\n", (unsign
pdata += 24;
SIVAL(pdata,0,ea_size);
pdata += 4; /* EA info */
@@ -225,7 +300,7 @@
SIVAL(pdata,0,len);
pdata += 4 + len;
data_size = PTR_DIFF(pdata,(*ppdata));
-@@ -3472,7 +3472,7 @@
+@@ -3472,7 +3476,7 @@ total_data=%u (should be %u)\n", (unsign
if (len == -1)
return(UNIXERROR(ERRDOS,ERRnoaccess));
buffer[len] = 0;
@@ -234,19 +309,3 @@
pdata += len;
data_size = PTR_DIFF(pdata,(*ppdata));
-diff -ur samba-3.0.24.orig/source/smbd/sesssetup.c samba-3.0.24/source/smbd/sesssetup.c
---- samba-3.0.24.orig/source/smbd/sesssetup.c 2007-11-19 14:58:31.000000000 -0500
-+++ samba-3.0.24/source/smbd/sesssetup.c 2007-11-19 15:23:32.000000000 -0500
-@@ -62,9 +62,9 @@
-
- fstr_sprintf( lanman, "Samba %s", SAMBA_VERSION_STRING);
-
-- p += srvstr_push(outbuf, p, "Unix", -1, STR_TERMINATE);
-- p += srvstr_push(outbuf, p, lanman, -1, STR_TERMINATE);
-- p += srvstr_push(outbuf, p, lp_workgroup(), -1, STR_TERMINATE);
-+ p += srvstr_push(outbuf, p, "Unix", BUFFER_SIZE - (p - outbuf), STR_TERMINATE);
-+ p += srvstr_push(outbuf, p, lanman, BUFFER_SIZE - (p - outbuf), STR_TERMINATE);
-+ p += srvstr_push(outbuf, p, lp_workgroup(), BUFFER_SIZE - (p - outbuf), STR_TERMINATE);
-
- return PTR_DIFF(p, start);
- }
Index: samba.spec
===================================================================
RCS file: /cvs/dist/rpms/samba/FC-6/samba.spec,v
retrieving revision 1.81
retrieving revision 1.82
diff -u -r1.81 -r1.82
--- samba.spec 19 Nov 2007 20:38:48 -0000 1.81
+++ samba.spec 4 Dec 2007 16:43:14 -0000 1.82
@@ -3,7 +3,7 @@
Summary: The Samba SMB server.
Name: samba
Version: 3.0.24
-Release: 9%{?dist}
+Release: 10%{?dist}
Epoch: 0
License: GNU GPL Version 2
Group: System Environment/Daemons
@@ -478,6 +478,10 @@
%{_mandir}/man7/libsmbclient.7*
%changelog
+* Tue Dec 3 2007 Simo Sorce <ssorce at redhat.com> 3.0.24-10.fc6
+- The fix for the regression intorduced by CVE-2007-4572 was
+ not complete, updated the patch with more fixes
+
* Mon Nov 19 2007 Simo Sorce <ssorce at redhat.com> 3.0.24-9.fc6
- Fix regression intorduced by CVE-2007-4572