projects / vuplus_openvuplus_3.0 / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
fix typo.
[vuplus_openvuplus_3.0] / meta-openvuplus / recipes-base / samba / samba-3.0.37 / samba-3.0-CVE-2012-0870.patch
1 From f781c9c693462b89b60a3662d2a1224c9387a725 Mon Sep 17 00:00:00 2001
2 From: Volker Lendecke <vl@samba.org>
3 Date: Fri, 10 Feb 2012 08:10:39 +0100
4 Subject: [PATCH 1/2] v3-3: AndX offsets are increasing strictly monotonically
5
6 ---
7  source/smbd/process.c |   10 +++++++++-
8  1 files changed, 9 insertions(+), 1 deletions(-)
9
10 diff --git source/smbd/process.c source/smbd/process.c
11 index e861e16..f64e1ce 100644
12 --- source/smbd/process.c
13 +++ source/smbd/process.c
14 @@ -1160,7 +1160,7 @@ int chain_reply(char *inbuf,char *outbuf,int size,int bufsize)
15         static char *orig_inbuf;
16         static char *orig_outbuf;
17         int smb_com1, smb_com2 = CVAL(inbuf,smb_vwv0);
18 -       unsigned smb_off2 = SVAL(inbuf,smb_vwv1);
19 +       static unsigned smb_off2;
20         char *inbuf2, *outbuf2;
21         int outsize2;
22         int new_size;
23 @@ -1178,8 +1178,16 @@ int chain_reply(char *inbuf,char *outbuf,int size,int bufsize)
24                 /* this is the first part of the chain */
25                 orig_inbuf = inbuf;
26                 orig_outbuf = outbuf;
27 +               smb_off2 = 0;
28         }
29  
30 +       if (SVAL(inbuf,smb_vwv1) <= smb_off2) {
31 +               DEBUG(1, ("AndX offset not increasing\n"));
32 +               SCVAL(outbuf, smb_vwv0, 0xFF);
33 +               return outsize;
34 +       }
35 +       smb_off2 = SVAL(inbuf, smb_vwv1);
36 +
37         /*
38          * The original Win95 redirector dies on a reply to
39          * a lockingX and read chain unless the chain reply is
40 -- 
41 1.7.3.4
42
43
44 From 009bb0be7383777a650a3bc6af1c0d3ab7476ebc Mon Sep 17 00:00:00 2001
45 From: Volker Lendecke <vl@samba.org>
46 Date: Fri, 10 Feb 2012 08:39:33 +0100
47 Subject: [PATCH 2/2] v3-0-test: Port back some packet consistency checks
48
49 ---
50  source/smbd/process.c |   18 ++++++++++++++++++
51  1 files changed, 18 insertions(+), 0 deletions(-)
52
53 diff --git source/smbd/process.c source/smbd/process.c
54 index f64e1ce..8aabef8 100644
55 --- source/smbd/process.c
56 +++ source/smbd/process.c
57 @@ -1025,6 +1025,7 @@ static int construct_reply(char *inbuf,char *outbuf,int size,int bufsize)
58         int outsize = 0;
59         int msg_type = CVAL(inbuf,0);
60         uint16_t mid = SVAL(inbuf, smb_mid);
61 +       uint8_t wct = CVAL(inbuf, smb_wct);
62  
63         chain_size = 0;
64         file_chain_reset();
65 @@ -1033,6 +1034,23 @@ static int construct_reply(char *inbuf,char *outbuf,int size,int bufsize)
66         if (msg_type != 0)
67                 return(reply_special(inbuf,outbuf));  
68  
69 +       /* Ensure we have at least wct words and 2 bytes of bcc. */
70 +       if (smb_size + wct*2 > size) {
71 +               DEBUG(0,("init_smb_request: invalid wct number %u (size %u)\n",
72 +                       (unsigned int)wct,
73 +                       (unsigned int)size));
74 +               exit_server_cleanly("Invalid SMB request");
75 +       }
76 +       /* Ensure bcc is correct. */
77 +       if (((uint8 *)smb_buf(inbuf)) + smb_buflen(inbuf) > inbuf + size) {
78 +               DEBUG(0,("init_smb_request: invalid bcc number %u "
79 +                       "(wct = %u, size %u)\n",
80 +                       (unsigned int)smb_buflen(inbuf),
81 +                       (unsigned int)wct,
82 +                       (unsigned int)size));
83 +               exit_server_cleanly("Invalid SMB request");
84 +       }
85 +
86         construct_reply_common(inbuf, outbuf);
87  
88         outsize = switch_message(type,inbuf,outbuf,size,bufsize);
89 -- 
90 1.7.3.4
91
openvuplus 3.0 repository.