diff options
Diffstat (limited to 'package/network/services/samba36/patches/031-CVE-2017-12163-v3.6.patch')
-rw-r--r-- | package/network/services/samba36/patches/031-CVE-2017-12163-v3.6.patch | 136 |
1 files changed, 136 insertions, 0 deletions
diff --git a/package/network/services/samba36/patches/031-CVE-2017-12163-v3.6.patch b/package/network/services/samba36/patches/031-CVE-2017-12163-v3.6.patch new file mode 100644 index 0000000000..d7faa1388d --- /dev/null +++ b/package/network/services/samba36/patches/031-CVE-2017-12163-v3.6.patch @@ -0,0 +1,136 @@ +From: =?utf-8?q?Guido_G=C3=BCnther?= <agx@sigxcpu.org> +Date: Wed, 20 Sep 2017 20:02:03 +0200 +Subject: CVE-2017-12163: s3:smbd: Prevent client short SMB1 write from + writing server memory to file. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13020 + +Author: Jeremy Allison <jra@samba.org> +Signed-off-by: Jeremy Allison <jra@samba.org> +Signed-off-by: Stefan Metzmacher <metze@samba.org> +--- + source3/smbd/reply.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 50 insertions(+) + +--- a/source3/smbd/reply.c ++++ b/source3/smbd/reply.c +@@ -3979,6 +3979,9 @@ void reply_writebraw(struct smb_request + } + + /* Ensure we don't write bytes past the end of this packet. */ ++ /* ++ * This already protects us against CVE-2017-12163. ++ */ + if (data + numtowrite > smb_base(req->inbuf) + smb_len(req->inbuf)) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + error_to_writebrawerr(req); +@@ -4080,6 +4083,11 @@ void reply_writebraw(struct smb_request + exit_server_cleanly("secondary writebraw failed"); + } + ++ /* ++ * We are not vulnerable to CVE-2017-12163 ++ * here as we are guarenteed to have numtowrite ++ * bytes available - we just read from the client. ++ */ + nwritten = write_file(req,fsp,buf+4,startpos+nwritten,numtowrite); + if (nwritten == -1) { + TALLOC_FREE(buf); +@@ -4161,6 +4169,7 @@ void reply_writeunlock(struct smb_reques + connection_struct *conn = req->conn; + ssize_t nwritten = -1; + size_t numtowrite; ++ size_t remaining; + SMB_OFF_T startpos; + const char *data; + NTSTATUS status = NT_STATUS_OK; +@@ -4193,6 +4202,17 @@ void reply_writeunlock(struct smb_reques + startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0); + data = (const char *)req->buf + 3; + ++ /* ++ * Ensure client isn't asking us to write more than ++ * they sent. CVE-2017-12163. ++ */ ++ remaining = smbreq_bufrem(req, data); ++ if (numtowrite > remaining) { ++ reply_nterror(req, NT_STATUS_INVALID_PARAMETER); ++ END_PROFILE(SMBwriteunlock); ++ return; ++ } ++ + if (!fsp->print_file && numtowrite > 0) { + init_strict_lock_struct(fsp, (uint64_t)req->smbpid, + (uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK, +@@ -4274,6 +4294,7 @@ void reply_write(struct smb_request *req + { + connection_struct *conn = req->conn; + size_t numtowrite; ++ size_t remaining; + ssize_t nwritten = -1; + SMB_OFF_T startpos; + const char *data; +@@ -4314,6 +4335,17 @@ void reply_write(struct smb_request *req + startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0); + data = (const char *)req->buf + 3; + ++ /* ++ * Ensure client isn't asking us to write more than ++ * they sent. CVE-2017-12163. ++ */ ++ remaining = smbreq_bufrem(req, data); ++ if (numtowrite > remaining) { ++ reply_nterror(req, NT_STATUS_INVALID_PARAMETER); ++ END_PROFILE(SMBwrite); ++ return; ++ } ++ + if (!fsp->print_file) { + init_strict_lock_struct(fsp, (uint64_t)req->smbpid, + (uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK, +@@ -4525,6 +4557,9 @@ void reply_write_and_X(struct smb_reques + return; + } + } else { ++ /* ++ * This already protects us against CVE-2017-12163. ++ */ + if (smb_doff > smblen || smb_doff + numtowrite < numtowrite || + smb_doff + numtowrite > smblen) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); +@@ -4894,6 +4929,7 @@ void reply_writeclose(struct smb_request + { + connection_struct *conn = req->conn; + size_t numtowrite; ++ size_t remaining; + ssize_t nwritten = -1; + NTSTATUS close_status = NT_STATUS_OK; + SMB_OFF_T startpos; +@@ -4927,6 +4963,17 @@ void reply_writeclose(struct smb_request + mtime = convert_time_t_to_timespec(srv_make_unix_date3(req->vwv+4)); + data = (const char *)req->buf + 1; + ++ /* ++ * Ensure client isn't asking us to write more than ++ * they sent. CVE-2017-12163. ++ */ ++ remaining = smbreq_bufrem(req, data); ++ if (numtowrite > remaining) { ++ reply_nterror(req, NT_STATUS_INVALID_PARAMETER); ++ END_PROFILE(SMBwriteclose); ++ return; ++ } ++ + if (!fsp->print_file) { + init_strict_lock_struct(fsp, (uint64_t)req->smbpid, + (uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK, +@@ -5497,6 +5544,9 @@ void reply_printwrite(struct smb_request + + numtowrite = SVAL(req->buf, 1); + ++ /* ++ * This already protects us against CVE-2017-12163. ++ */ + if (req->buflen < numtowrite + 3) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + END_PROFILE(SMBsplwr); |