From: =?utf-8?q?Guido_G=C3=BCnther?= Date: Wed, 20 Sep 2017 20:02:03 +0200 Subject: CVE-2017-12163: s3:smbd: Prevent client short SMB1 write from writing server memory to file. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13020 Author: Jeremy Allison Signed-off-by: Jeremy Allison Signed-off-by: Stefan Metzmacher --- source3/smbd/reply.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) --- a/source3/smbd/reply.c +++ b/source3/smbd/reply.c @@ -3979,6 +3979,9 @@ void reply_writebraw(struct smb_request } /* Ensure we don't write bytes past the end of this packet. */ + /* + * This already protects us against CVE-2017-12163. + */ if (data + numtowrite > smb_base(req->inbuf) + smb_len(req->inbuf)) { reply_nterror(req, NT_STATUS_INVALID_PARAMETER); error_to_writebrawerr(req); @@ -4080,6 +4083,11 @@ void reply_writebraw(struct smb_request exit_server_cleanly("secondary writebraw failed"); } + /* + * We are not vulnerable to CVE-2017-12163 + * here as we are guarenteed to have numtowrite + * bytes available - we just read from the client. + */ nwritten = write_file(req,fsp,buf+4,startpos+nwritten,numtowrite); if (nwritten == -1) { TALLOC_FREE(buf); @@ -4161,6 +4169,7 @@ void reply_writeunlock(struct smb_reques connection_struct *conn = req->conn; ssize_t nwritten = -1; size_t numtowrite; + size_t remaining; SMB_OFF_T startpos; const char *data; NTSTATUS status = NT_STATUS_OK; @@ -4193,6 +4202,17 @@ void reply_writeunlock(struct smb_reques startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0); data = (const char *)req->buf + 3; + /* + * Ensure client isn't asking us to write more than + * they sent. CVE-2017-12163. + */ + remaining = smbreq_bufrem(req, data); + if (numtowrite > remaining) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + END_PROFILE(SMBwriteunlock); + return; + } + if (!fsp->print_file && numtowrite > 0) { init_strict_lock_struct(fsp, (uint64_t)req->smbpid, (uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK, @@ -4274,6 +4294,7 @@ void reply_write(struct smb_request *req { connection_struct *conn = req->conn; size_t numtowrite; + size_t remaining; ssize_t nwritten = -1; SMB_OFF_T startpos; const char *data; @@ -4314,6 +4335,17 @@ void reply_write(struct smb_request *req startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0); data = (const char *)req->buf + 3; + /* + * Ensure client isn't asking us to write more than + * they sent. CVE-2017-12163. + */ + remaining = smbreq_bufrem(req, data); + if (numtowrite > remaining) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + END_PROFILE(SMBwrite); + return; + } + if (!fsp->print_file) { init_strict_lock_struct(fsp, (uint64_t)req->smbpid, (uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK, @@ -4525,6 +4557,9 @@ void reply_write_and_X(struct smb_reques return; } } else { + /* + * This already protects us against CVE-2017-12163. + */ if (smb_doff > smblen || smb_doff + numtowrite < numtowrite || smb_doff + numtowrite > smblen) { reply_nterror(req, NT_STATUS_INVALID_PARAMETER); @@ -4894,6 +4929,7 @@ void reply_writeclose(struct smb_request { connection_struct *conn = req->conn; size_t numtowrite; + size_t remaining; ssize_t nwritten = -1; NTSTATUS close_status = NT_STATUS_OK; SMB_OFF_T startpos; @@ -4927,6 +4963,17 @@ void reply_writeclose(struct smb_request mtime = convert_time_t_to_timespec(srv_make_unix_date3(req->vwv+4)); data = (const char *)req->buf + 1; + /* + * Ensure client isn't asking us to write more than + * they sent. CVE-2017-12163. + */ + remaining = smbreq_bufrem(req, data); + if (numtowrite > remaining) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + END_PROFILE(SMBwriteclose); + return; + } + if (!fsp->print_file) { init_strict_lock_struct(fsp, (uint64_t)req->smbpid, (uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK, @@ -5497,6 +5544,9 @@ void reply_printwrite(struct smb_request numtowrite = SVAL(req->buf, 1); + /* + * This already protects us against CVE-2017-12163. + */ if (req->buflen < numtowrite + 3) { reply_nterror(req, NT_STATUS_INVALID_PARAMETER); END_PROFILE(SMBsplwr);