rpms/samba/FC-6 samba-3.0.24-CVE-2007-4572-regression.patch, NONE, 1.1 samba.spec, 1.80, 1.81
- From: fedora-cvs-commits redhat com
- To: fedora-cvs-commits redhat com
- Subject: rpms/samba/FC-6 samba-3.0.24-CVE-2007-4572-regression.patch, NONE, 1.1 samba.spec, 1.80, 1.81
- Date: Mon, 19 Nov 2007 15:38:50 -0500
Author: ssorce
Update of /cvs/dist/rpms/samba/FC-6
In directory cvs.devel.redhat.com:/tmp/cvs-serv21609
Modified Files:
samba.spec
Added Files:
samba-3.0.24-CVE-2007-4572-regression.patch
Log Message:
* Mon Nov 19 2007 Simo Sorce <ssorce redhat com> 3.0.24-9.fc6
- Fix regression introduced by CVE-2007-4572
samba-3.0.24-CVE-2007-4572-regression.patch:
negprot.c | 2 +-
reply.c | 8 ++++----
sesssetup.c | 6 +++---
srvstr.c | 13 +++----------
trans2.c | 38 +++++++++++++++++++-------------------
5 files changed, 30 insertions(+), 37 deletions(-)
--- NEW FILE samba-3.0.24-CVE-2007-4572-regression.patch ---
diff -ur samba-3.0.24.orig/source/smbd/negprot.c samba-3.0.24/source/smbd/negprot.c
--- samba-3.0.24.orig/source/smbd/negprot.c 2007-11-18 13:20:17.000000000 -0500
+++ samba-3.0.24/source/smbd/negprot.c 2007-11-18 13:20:32.000000000 -0500
@@ -357,7 +357,7 @@
SCVAL(outbuf,smb_vwv16+1,8);
p += 8;
}
- p += srvstr_push(outbuf, p, lp_workgroup(), -1,
+ p += srvstr_push(outbuf, p, lp_workgroup(), BUFFER_SIZE - (p-outbuf),
STR_UNICODE|STR_TERMINATE|STR_NOALIGN);
DEBUG(3,("not using SPNEGO\n"));
} else {
diff -ur samba-3.0.24.orig/source/smbd/reply.c samba-3.0.24/source/smbd/reply.c
--- samba-3.0.24.orig/source/smbd/reply.c 2007-11-18 13:20:17.000000000 -0500
+++ samba-3.0.24/source/smbd/reply.c 2007-11-18 13:20:32.000000000 -0500
@@ -686,7 +686,7 @@
if (Protocol < PROTOCOL_NT1) {
set_message(outbuf,2,0,True);
p = smb_buf(outbuf);
- p += srvstr_push(outbuf, p, server_devicetype, -1,
+ p += srvstr_push(outbuf, p, server_devicetype, BUFFER_SIZE - (p - outbuf),
STR_TERMINATE|STR_ASCII);
set_message_end(outbuf,p);
} else {
@@ -696,9 +696,9 @@
set_message(outbuf,3,0,True);
p = smb_buf(outbuf);
- p += srvstr_push(outbuf, p, server_devicetype, -1,
+ p += srvstr_push(outbuf, p, server_devicetype, BUFFER_SIZE - (p - outbuf),
STR_TERMINATE|STR_ASCII);
- p += srvstr_push(outbuf, p, fstype, -1,
+ p += srvstr_push(outbuf, p, fstype, BUFFER_SIZE - (p - outbuf),
STR_TERMINATE);
set_message_end(outbuf,p);
@@ -1794,7 +1794,7 @@
thing in the byte section. JRA */
SSVALS(p, 0, -1); /* what is this? not in spec */
#endif
- namelen = srvstr_push(outbuf, p, s, -1, STR_ASCII|STR_TERMINATE);
+ namelen = srvstr_push(outbuf, p, s, BUFFER_SIZE - (p - outbuf), STR_ASCII|STR_TERMINATE);
p += namelen;
outsize = set_message_end(outbuf, p);
diff -ur samba-3.0.24.orig/source/smbd/srvstr.c samba-3.0.24/source/smbd/srvstr.c
--- samba-3.0.24.orig/source/smbd/srvstr.c 2007-11-18 13:20:17.000000000 -0500
+++ samba-3.0.24/source/smbd/srvstr.c 2007-11-18 13:20:32.000000000 -0500
@@ -28,17 +28,10 @@
const char *base_ptr, void *dest,
const char *src, int dest_len, int flags)
{
- size_t buf_used = PTR_DIFF(dest, base_ptr);
- if (dest_len == -1) {
- if (((ptrdiff_t)dest < (ptrdiff_t)base_ptr) || (buf_used > (size_t)max_send)) {
-#if 0
- DEBUG(0, ("Pushing string of 'unlimited' length into non-SMB buffer!\n"));
-#endif
- return push_string_fn(function, line, base_ptr, dest, src, -1, flags);
- }
- return push_string_fn(function, line, base_ptr, dest, src, max_send - buf_used, flags);
+ if (dest_len < 0) {
+ return 0;
}
-
+
/* 'normal' push into size-specified buffer */
return push_string_fn(function, line, base_ptr, dest, src, dest_len, flags);
}
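Review bot: A negative dest_len now makes srvstr_push_fn return 0 with no diagnostic, so any caller whose computed bound goes wrong (the `space_remaining - (p - pdata)` and `BUFFER_SIZE - (p - outbuf)` expressions this patch introduces) silently sends a reply with the string missing, and none of the updated call sites check for a zero return. The removed branch at least carried a log line (under `#if 0`) for the unbounded case; the new early return should log so truncated replies can be traced, e.g. `DEBUG(0, ("srvstr_push_fn: negative dest_len %d from %s:%d\n", dest_len, function, line));` before `return 0;`, with the format specifiers checked against the types of `function` and `line` as used in the existing push_string_fn call. The function's signature begins above the hunk.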
diff -ur samba-3.0.24.orig/source/smbd/trans2.c samba-3.0.24/source/smbd/trans2.c
--- samba-3.0.24.orig/source/smbd/trans2.c 2007-11-18 13:20:17.000000000 -0500
+++ samba-3.0.24/source/smbd/trans2.c 2007-11-18 13:26:03.000000000 -0500
@@ -1225,7 +1225,7 @@
p += 23;
nameptr = p;
p += align_string(outbuf, p, 0);
- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE);
+ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE);
if (SVAL(outbuf, smb_flg2) & FLAGS2_UNICODE_STRINGS) {
if (len > 2) {
SCVAL(nameptr, -1, len - 2);
@@ -1260,7 +1260,7 @@
}
p += 27;
nameptr = p - 1;
- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE | STR_NOALIGN);
+ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE | STR_NOALIGN);
if (SVAL(outbuf, smb_flg2) & FLAGS2_UNICODE_STRINGS) {
if (len > 2) {
len -= 2;
@@ -1314,9 +1314,9 @@
}
/* Push the ea_data followed by the name. */
- p += fill_ea_buffer(ea_ctx, p, space_remaining, conn, name_list);
+ p += fill_ea_buffer(ea_ctx, p, space_remaining - (p - pdata), conn, name_list);
nameptr = p;
- len = srvstr_push(outbuf, p + 1, fname, -1, STR_TERMINATE | STR_NOALIGN);
+ len = srvstr_push(outbuf, p + 1, fname, space_remaining - (p - pdata), STR_TERMINATE | STR_NOALIGN);
if (SVAL(outbuf, smb_flg2) & FLAGS2_UNICODE_STRINGS) {
if (len > 2) {
len -= 2;
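Review bot: The bound passed for the push at `p + 1` is computed from `p`, so srvstr_push is told it has one more byte than actually remains in the entry if space_remaining counts from pdata as the rest of this patch assumes; the hunk at `@@ -1393` has the same slip with `p + 4`, overstating the room by four bytes. The hunk at `@@ -3283` handles this correctly with `max_data_bytes - (pdata+4 - *ppdata)`, so these two should match it: `len = srvstr_push(outbuf, p + 1, fname, space_remaining - (p + 1 - pdata), STR_TERMINATE | STR_NOALIGN);` and `len = srvstr_push(outbuf, p + 4, fname, space_remaining - (p + 4 - pdata), STR_TERMINATE_ASCII);`. The enclosing function starts and ends outside the hunk.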
@@ -1372,7 +1372,7 @@
memset(p,'\0',26);
}
p += 2 + 24;
- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE_ASCII);
+ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE_ASCII);
SIVAL(q,0,len);
p += len;
SIVAL(p,0,0); /* Ensure any padding is null. */
@@ -1393,7 +1393,7 @@
SOFF_T(p,0,file_size); p += 8;
SOFF_T(p,0,allocation_size); p += 8;
SIVAL(p,0,nt_extmode); p += 4;
- len = srvstr_push(outbuf, p + 4, fname, -1, STR_TERMINATE_ASCII);
+ len = srvstr_push(outbuf, p + 4, fname, space_remaining - (p - pdata), STR_TERMINATE_ASCII);
SIVAL(p,0,len);
p += 4 + len;
SIVAL(p,0,0); /* Ensure any padding is null. */
@@ -1420,7 +1420,7 @@
SIVAL(p,0,ea_size); /* Extended attributes */
p +=4;
}
- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE_ASCII);
+ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE_ASCII);
SIVAL(q, 0, len);
p += len;
@@ -1438,7 +1438,7 @@
p += 4;
/* this must *not* be null terminated or w2k gets in a loop trying to set an
acl on a dir (tridge) */
- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE_ASCII);
+ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE_ASCII);
SIVAL(p, -4, len);
p += len;
SIVAL(p,0,0); /* Ensure any padding is null. */
@@ -1468,7 +1468,7 @@
SIVAL(p,0,0); p += 4; /* Unknown - reserved ? */
SIVAL(p,0,sbuf.st_ino); p += 4; /* FileIndexLow */
SIVAL(p,0,sbuf.st_dev); p += 4; /* FileIndexHigh */
- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE_ASCII);
+ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE_ASCII);
SIVAL(q, 0, len);
p += len;
SIVAL(p,0,0); /* Ensure any padding is null. */
@@ -1518,7 +1518,7 @@
SSVAL(p,0,0); p += 2; /* Reserved ? */
SIVAL(p,0,sbuf.st_ino); p += 4; /* FileIndexLow */
SIVAL(p,0,sbuf.st_dev); p += 4; /* FileIndexHigh */
- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE_ASCII);
+ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE_ASCII);
SIVAL(q,0,len);
p += len;
SIVAL(p,0,0); /* Ensure any padding is null. */
@@ -1577,7 +1577,7 @@
SIVAL(p,4,0);
p+= 8;
- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE);
+ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE);
p += len;
SIVAL(p,0,0); /* Ensure any padding is null. */
@@ -2229,7 +2229,7 @@
* this call so try fixing this by adding a terminating null to
* the pushed string. The change here was adding the STR_TERMINATE. JRA.
*/
- len = srvstr_push(outbuf, pdata+l2_vol_szVolLabel, vname, -1, STR_NOALIGN|STR_TERMINATE);
+ len = srvstr_push(outbuf, pdata+l2_vol_szVolLabel, vname, max_data_bytes - l2_vol_szVolLabel, STR_NOALIGN|STR_TERMINATE);
SCVAL(pdata,l2_vol_cch,len);
data_len = l2_vol_szVolLabel + len;
DEBUG(5,("call_trans2qfsinfo : time = %x, namelen = %d, name = %s\n",
@@ -2251,14 +2251,14 @@
SIVAL(pdata,4,255); /* Max filename component length */
/* NOTE! the fstype must *not* be null terminated or win98 won't recognise it
and will think we can't do long filenames */
- len = srvstr_push(outbuf, pdata+12, fstype, -1, STR_UNICODE);
+ len = srvstr_push(outbuf, pdata+12, fstype, max_data_bytes - 12, STR_UNICODE);
SIVAL(pdata,8,len);
data_len = 12 + len;
break;
case SMB_QUERY_FS_LABEL_INFO:
case SMB_FS_LABEL_INFORMATION:
- len = srvstr_push(outbuf, pdata+4, vname, -1, 0);
+ len = srvstr_push(outbuf, pdata+4, vname, max_data_bytes - 4, 0);
data_len = 4 + len;
SIVAL(pdata,0,len);
break;
@@ -2273,7 +2273,7 @@
SIVAL(pdata,8,str_checksum(lp_servicename(snum)) ^
(str_checksum(get_local_machine_name())<<16));
- len = srvstr_push(outbuf, pdata+18, vname, -1, STR_UNICODE);
+ len = srvstr_push(outbuf, pdata+18, vname, max_data_bytes - 18, STR_UNICODE);
SIVAL(pdata,12,len);
data_len = 18+len;
DEBUG(5,("call_trans2qfsinfo : SMB_QUERY_FS_VOLUME_INFO namelen = %d, vol=%s serv=%s\n",
@@ -3232,7 +3232,7 @@
if(!mangle_is_8_3(short_name, True, SNUM(conn))) {
mangle_map(short_name,True,True,SNUM(conn));
}
- len = srvstr_push(outbuf, pdata+4, short_name, -1, STR_UNICODE);
+ len = srvstr_push(outbuf, pdata+4, short_name, max_data_bytes - 4, STR_UNICODE);
data_size = 4 + len;
SIVAL(pdata,0,len);
break;
@@ -3242,7 +3242,7 @@
/*
this must be *exactly* right for ACLs on mapped drives to work
*/
- len = srvstr_push(outbuf, pdata+4, dos_fname, -1, STR_UNICODE);
+ len = srvstr_push(outbuf, pdata+4, dos_fname, max_data_bytes - 4, STR_UNICODE);
DEBUG(10,("call_trans2qfilepathinfo: SMB_QUERY_FILE_NAME_INFO\n"));
data_size = 4 + len;
SIVAL(pdata,0,len);
@@ -3283,7 +3283,7 @@
pdata += 24;
SIVAL(pdata,0,ea_size);
pdata += 4; /* EA info */
- len = srvstr_push(outbuf, pdata+4, dos_fname, -1, STR_UNICODE);
+ len = srvstr_push(outbuf, pdata+4, dos_fname, max_data_bytes - (pdata+4 - *ppdata), STR_UNICODE);
SIVAL(pdata,0,len);
pdata += 4 + len;
data_size = PTR_DIFF(pdata,(*ppdata));
@@ -3472,7 +3472,7 @@
if (len == -1)
return(UNIXERROR(ERRDOS,ERRnoaccess));
buffer[len] = 0;
- len = srvstr_push(outbuf, pdata, buffer, -1, STR_TERMINATE);
+ len = srvstr_push(outbuf, pdata, buffer, max_data_bytes, STR_TERMINATE);
pdata += len;
data_size = PTR_DIFF(pdata,(*ppdata));
diff -ur samba-3.0.24.orig/source/smbd/sesssetup.c samba-3.0.24/source/smbd/sesssetup.c
--- samba-3.0.24.orig/source/smbd/sesssetup.c 2007-11-19 14:58:31.000000000 -0500
+++ samba-3.0.24/source/smbd/sesssetup.c 2007-11-19 15:23:32.000000000 -0500
@@ -62,9 +62,9 @@
fstr_sprintf( lanman, "Samba %s", SAMBA_VERSION_STRING);
- p += srvstr_push(outbuf, p, "Unix", -1, STR_TERMINATE);
- p += srvstr_push(outbuf, p, lanman, -1, STR_TERMINATE);
- p += srvstr_push(outbuf, p, lp_workgroup(), -1, STR_TERMINATE);
+ p += srvstr_push(outbuf, p, "Unix", BUFFER_SIZE - (p - outbuf), STR_TERMINATE);
+ p += srvstr_push(outbuf, p, lanman, BUFFER_SIZE - (p - outbuf), STR_TERMINATE);
+ p += srvstr_push(outbuf, p, lp_workgroup(), BUFFER_SIZE - (p - outbuf), STR_TERMINATE);
return PTR_DIFF(p, start);
}
Index: samba.spec
===================================================================
RCS file: /cvs/dist/rpms/samba/FC-6/samba.spec,v
retrieving revision 1.80
retrieving revision 1.81
diff -u -r1.80 -r1.81
--- samba.spec 15 Nov 2007 16:22:20 -0000 1.80
+++ samba.spec 19 Nov 2007 20:38:48 -0000 1.81
@@ -3,7 +3,7 @@
Summary: The Samba SMB server.
Name: samba
Version: 3.0.24
-Release: 8%{?dist}
+Release: 9%{?dist}
Epoch: 0
License: GNU GPL Version 2
Group: System Environment/Daemons
@@ -59,6 +59,7 @@
Patch126: samba-3.0.24-force_group_fix.patch
Patch127: samba-3.0.24-CVE-2007-4572.patch
Patch128: samba-CVE-2007-5398.patch
+Patch129: samba-3.0.24-CVE-2007-4572-regression.patch
Requires: pam >= 0:0.64 %{auth} samba-common = %{epoch}:%{version}-%{release}
Requires: logrotate >= 0:3.4 initscripts >= 0:5.54-1
@@ -156,6 +157,7 @@
%patch126 -p0 -b .force_group
%patch127 -p1 -b .CVE-2007-4572
%patch128 -p1 -b .2007-5398
+%patch129 -p1 -b .CVE-2007-4572-regression
# crap
rm -f examples/VFS/.cvsignore
@@ -476,6 +478,9 @@
%{_mandir}/man7/libsmbclient.7*
%changelog
+* Mon Nov 19 2007 Simo Sorce <ssorce redhat com> 3.0.24-9.fc6
+- Fix regression intorduced by CVE-2007-4572
+
* Thu Nov 15 2007 Simo Sorce <ssorce redhat com> 3.0.24-8.fc6
- Fix CVE-2007-4572
- Fix CVE-2007-5398