Red Hat Bugzilla – Attachment 305534 Details for
Bug 446724
CVE-2008-1105 Samba client buffer overflow
[patch]
Proposed upstream patch for Samba 3.0
CVE-2008-1105_3.0.patch (text/plain), 5.08 KB, created by
Josh Bressers
on 2008-05-15 20:08:03 UTC
Description:
Proposed upstream patch for Samba 3.0
Filename:
MIME Type:
Creator:
Josh Bressers
Created:
2008-05-15 20:08:03 UTC
Size:
5.08 KB
patch
obsolete
>diff -u -r source-orig/client/client.c source-fixed/client/client.c
>--- source-orig/client/client.c 2008-05-15 09:28:36.000000000 -0700
>+++ source-fixed/client/client.c 2008-05-15 09:53:45.000000000 -0700
>@@ -3626,7 +3626,7 @@
> session keepalives and then drop them here.
> */
> if (FD_ISSET(cli->fd,&fds)) {
>- if (!receive_smb(cli->fd,cli->inbuf,0)) {
>+ if (!receive_smb(cli->fd,cli->inbuf,cli->bufsize,0)) {
> DEBUG(0, ("Read from server failed, maybe it closed the "
> "connection\n"));
> return;
>diff -u -r source-orig/client/smbctool.c source-fixed/client/smbctool.c
>--- source-orig/client/smbctool.c 2008-05-15 09:28:36.000000000 -0700
>+++ source-fixed/client/smbctool.c 2008-05-15 09:53:45.000000000 -0700
>@@ -3304,7 +3304,7 @@
> session keepalives and then drop them here.
> */
> if (FD_ISSET(cli->fd,&fds)) {
>- receive_smb(cli->fd,cli->inbuf,0);
>+ receive_smb(cli->fd,cli->inbuf,cli->bufsize,0);
> goto again;
> }
>
>diff -u -r source-orig/lib/util_sock.c source-fixed/lib/util_sock.c
>--- source-orig/lib/util_sock.c 2008-05-15 09:28:36.000000000 -0700
>+++ source-fixed/lib/util_sock.c 2008-05-15 09:53:45.000000000 -0700
>@@ -661,7 +661,7 @@
> Doesn't check the MAC on signed packets.
> ****************************************************************************/
>
>-BOOL receive_smb_raw(int fd, char *buffer, unsigned int timeout)
>+BOOL receive_smb_raw(int fd, char *buffer, size_t buflen, unsigned int timeout)
> {
> ssize_t len,ret;
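Review bot: In the smbctool.c hunk the result of `receive_smb(cli->fd,cli->inbuf,cli->bufsize,0);` is still discarded before `goto again`, while the client.c hunk above treats a False return as a failed read and returns. With the new length bound, False can also mean an oversized packet was rejected, and the rest of that packet may still be unread on the socket (the read path is outside this hunk, so this is inferred). I would check the result here as client.c does, e.g. `if (!receive_smb(cli->fd,cli->inbuf,cli->bufsize,0)) { return; }`, adjusted to whatever the enclosing function returns. That function starts and ends outside the hunk.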
>
>@@ -682,25 +682,18 @@
> return False;
> }
>
>- /*
>- * A WRITEX with CAP_LARGE_WRITEX can be 64k worth of data plus 65 bytes
>- * of header. Don't print the error if this fits.... JRA.
>- */
>-
>- if (len > (BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE)) {
>+ if (len > buflen) {
> DEBUG(0,("Invalid packet length! (%lu bytes).\n",(unsigned long)len));
>- if (len > BUFFER_SIZE + (SAFETY_MARGIN/2)) {
>
>- /*
>- * Correct fix. smb_read_error may have already been
>- * set. Only set it here if not already set. Global
>- * variables still suck :-). JRA.
>- */
>+ /*
>+ * smb_read_error may have already been
>+ * set. Only set it here if not already set. Global
>+ * variables still suck :-). JRA.
>+ */
>
>- if (smb_read_error == 0)
>- smb_read_error = READ_ERROR;
>- return False;
>- }
>+ if (smb_read_error == 0)
>+ smb_read_error = READ_ERROR;
>+ return False;
> }
>
> if(len > 0) {
>@@ -730,9 +723,9 @@
> Checks the MAC on signed packets.
> ****************************************************************************/
>
>-BOOL receive_smb(int fd, char *buffer, unsigned int timeout)
>+BOOL receive_smb(int fd, char *buffer, size_t buflen, unsigned int timeout)
> {
>- if (!receive_smb_raw(fd, buffer, timeout)) {
>+ if (!receive_smb_raw(fd, buffer, buflen, timeout)) {
> return False;
> }
>
>diff -u -r source-orig/libsmb/clientgen.c source-fixed/libsmb/clientgen.c
>--- source-orig/libsmb/clientgen.c 2008-05-15 09:28:37.000000000 -0700
>+++ source-fixed/libsmb/clientgen.c 2008-05-15 09:53:45.000000000 -0700
>@@ -44,8 +44,7 @@
> }
>
> /****************************************************************************
>- Read an smb from a fd ignoring all keepalive packets. Note that the buffer
>- *MUST* be of size BUFFER_SIZE+SAFETY_MARGIN.
>+ Read an smb from a fd ignoring all keepalive packets.
> The timeout is in milliseconds
>
> This is exactly the same as receive_smb except that it never returns
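Review bot: The new bound `if (len > buflen)` in receive_smb_raw (hunk @@ -682) does not say whether `buflen` counts the length header, and it compares the signed `ssize_t len` with a `size_t`. The code that stores the payload sits below `if(len > 0) {`, outside this hunk. If it writes at an offset past the header, a `len` equal to `buflen` needs more than `buflen` bytes, so either the check must subtract that offset or every caller must pass a size that already leaves room. I would make the comparison explicit, `if (len < 0 || (size_t)len > buflen) {`, and, once the intended meaning is confirmed, add a comment above it such as `/* buflen: bytes available in buffer for the packet body; the length header is not included. */`.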
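Review bot: The comment change in the clientgen.c hunk (@@ -44) deletes the only statement of the buffer-size contract, `*MUST* be of size BUFFER_SIZE+SAFETY_MARGIN`, without describing what replaces it. client_receive_smb gains a `bufsize` parameter in the next hunk, so the header comment should say what it bounds, for example `bufsize is the number of bytes the caller guarantees are writable in buffer; longer packets are rejected.` This file also names the parameter `bufsize` while util_sock.c uses `buflen` for the same value; one name would make the call chain easier to audit.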
>@@ -54,12 +53,12 @@
> should never go into a blocking read.
> ****************************************************************************/
>
>-static BOOL client_receive_smb(int fd,char *buffer, unsigned int timeout)
>+static BOOL client_receive_smb(int fd,char *buffer, size_t bufsize, unsigned int timeout)
> {
> BOOL ret;
>
> for(;;) {
>- ret = receive_smb_raw(fd, buffer, timeout);
>+ ret = receive_smb_raw(fd, buffer, bufsize, timeout);
>
> if (!ret) {
> DEBUG(10,("client_receive_smb failed\n"));
>@@ -88,7 +87,7 @@
> return False;
>
> again:
>- ret = client_receive_smb(cli->fd,cli->inbuf,cli->timeout);
>+ ret = client_receive_smb(cli->fd,cli->inbuf, cli->bufsize, cli->timeout);
>
> if (ret) {
> /* it might be an oplock break request */
>diff -u -r source-orig/smbd/process.c source-fixed/smbd/process.c
>--- source-orig/smbd/process.c 2008-05-15 09:28:36.000000000 -0700
>+++ source-fixed/smbd/process.c 2008-05-15 09:53:45.000000000 -0700
>@@ -521,7 +521,8 @@
> goto again;
> }
>
>- return receive_smb(smbd_server_fd(), buffer, 0);
>+ return receive_smb(smbd_server_fd(), buffer,
>+ BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE, 0);
> }
>
> /*
>diff -u -r source-orig/utils/smbfilter.c source-fixed/utils/smbfilter.c
>--- source-orig/utils/smbfilter.c 2008-05-15 09:28:36.000000000 -0700
>+++ source-fixed/utils/smbfilter.c 2008-05-15 09:53:45.000000000 -0700
>@@ -140,7 +140,7 @@
> if (num <= 0) continue;
>
> if (c != -1 && FD_ISSET(c, &fds)) {
>- if (!receive_smb(c, packet, 0)) {
>+ if (!receive_smb(c, packet, BUFFER_SIZE, 0)) {
> d_printf("client closed connection\n");
> exit(0);
> }
>@@ -151,7 +151,7 @@
> }
> }
> if (s != -1 && FD_ISSET(s, &fds)) {
>- if (!receive_smb(s, packet, 0)) {
>+ if (!receive_smb(s, packet, BUFFER_SIZE, 0)) {
> d_printf("server closed connection\n");
> exit(0);
> }
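Review bot: In the process.c hunk the bound `BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE` is a constant repeated at the call site rather than a size tied to the allocation of `buffer`, which is not visible here. If that allocation is ever changed, this check silently stops protecting it. I would pass the buffer's size into the enclosing function (it starts outside the hunk), or define one named constant used by both the allocation and this call. A comment beside it should state that the allocation must also cover any header offset and safety margin.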
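Review bot: Both smbfilter.c hunks (@@ -140 and @@ -151) pass the literal `BUFFER_SIZE` as the capacity of `packet`, whose declaration is outside the hunks. If `packet` is an array in scope, `receive_smb(c, packet, sizeof(packet), 0)` and `receive_smb(s, packet, sizeof(packet), 0)` keep the bound tied to the declaration instead of to a constant that has to be kept in sync by hand. It is also worth confirming that `packet` has room for the length header in addition to `BUFFER_SIZE` bytes of body, in case receive_smb_raw stores the body after the header (that code is not visible here).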