Attachment 305534 Details for Bug 446724 – Proposed upstream patch for Samba 3.0

[patch] Proposed upstream patch for Samba 3.0

CVE-2008-1105_3.0.patch (text/plain), 5.08 KB, created by Josh Bressers on 2008-05-15 20:08:03 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Josh Bressers

Created: 2008-05-15 20:08:03 UTC

Size: 5.08 KB

patch

obsolete

>diff -u -r source-orig/client/client.c source-fixed/client/client.c
>--- source-orig/client/client.c	2008-05-15 09:28:36.000000000 -0700
>+++ source-fixed/client/client.c	2008-05-15 09:53:45.000000000 -0700
>@@ -3626,7 +3626,7 @@
> 	   session keepalives and then drop them here.
> 	*/
> 	if (FD_ISSET(cli->fd,&fds)) {
>-		if (!receive_smb(cli->fd,cli->inbuf,0)) {
>+		if (!receive_smb(cli->fd,cli->inbuf,cli->bufsize,0)) {
> 			DEBUG(0, ("Read from server failed, maybe it closed the "
> 				"connection\n"));
> 			return;
>diff -u -r source-orig/client/smbctool.c source-fixed/client/smbctool.c
>--- source-orig/client/smbctool.c	2008-05-15 09:28:36.000000000 -0700
>+++ source-fixed/client/smbctool.c	2008-05-15 09:53:45.000000000 -0700
>@@ -3304,7 +3304,7 @@
> 	   session keepalives and then drop them here.
> 	*/
> 	if (FD_ISSET(cli->fd,&fds)) {
>-		receive_smb(cli->fd,cli->inbuf,0);
>+		receive_smb(cli->fd,cli->inbuf,cli->bufsize,0);
> 		goto again;
> 	}
> 	  
>diff -u -r source-orig/lib/util_sock.c source-fixed/lib/util_sock.c
>--- source-orig/lib/util_sock.c	2008-05-15 09:28:36.000000000 -0700
>+++ source-fixed/lib/util_sock.c	2008-05-15 09:53:45.000000000 -0700
>@@ -661,7 +661,7 @@
>  Doesn't check the MAC on signed packets.
> ****************************************************************************/
> 
>-BOOL receive_smb_raw(int fd, char *buffer, unsigned int timeout)
>+BOOL receive_smb_raw(int fd, char *buffer, size_t buflen, unsigned int timeout)
> {
> 	ssize_t len,ret;
> 
>@@ -682,25 +682,18 @@
> 		return False;
> 	}
> 
>-	/*
>-	 * A WRITEX with CAP_LARGE_WRITEX can be 64k worth of data plus 65 bytes
>-	 * of header. Don't print the error if this fits.... JRA.
>-	 */
>-
>-	if (len > (BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE)) {
>+	if (len > buflen) {
> 		DEBUG(0,("Invalid packet length! (%lu bytes).\n",(unsigned long)len));
>-		if (len > BUFFER_SIZE + (SAFETY_MARGIN/2)) {
> 
>-			/*
>-			 * Correct fix. smb_read_error may have already been
>-			 * set. Only set it here if not already set. Global
>-			 * variables still suck :-). JRA.
>-			 */
>+		/*
>+		 * smb_read_error may have already been
>+		 * set. Only set it here if not already set. Global
>+		 * variables still suck :-). JRA.
>+		 */
> 
>-			if (smb_read_error == 0)
>-				smb_read_error = READ_ERROR;
>-			return False;
>-		}
>+		if (smb_read_error == 0)
>+			smb_read_error = READ_ERROR;
>+		return False;
> 	}
> 
> 	if(len > 0) {
>@@ -730,9 +723,9 @@
>  Checks the MAC on signed packets.
> ****************************************************************************/
> 
>-BOOL receive_smb(int fd, char *buffer, unsigned int timeout)
>+BOOL receive_smb(int fd, char *buffer, size_t buflen, unsigned int timeout)
> {
>-	if (!receive_smb_raw(fd, buffer, timeout)) {
>+	if (!receive_smb_raw(fd, buffer, buflen, timeout)) {
> 		return False;
> 	}
> 
>diff -u -r source-orig/libsmb/clientgen.c source-fixed/libsmb/clientgen.c
>--- source-orig/libsmb/clientgen.c	2008-05-15 09:28:37.000000000 -0700
>+++ source-fixed/libsmb/clientgen.c	2008-05-15 09:53:45.000000000 -0700
>@@ -44,8 +44,7 @@
> }
> 
> /****************************************************************************
>- Read an smb from a fd ignoring all keepalive packets. Note that the buffer 
>- *MUST* be of size BUFFER_SIZE+SAFETY_MARGIN.
>+ Read an smb from a fd ignoring all keepalive packets.
>  The timeout is in milliseconds
> 
>  This is exactly the same as receive_smb except that it never returns
>@@ -54,12 +53,12 @@
>  should never go into a blocking read.
> ****************************************************************************/
> 
>-static BOOL client_receive_smb(int fd,char *buffer, unsigned int timeout)
>+static BOOL client_receive_smb(int fd,char *buffer, size_t bufsize, unsigned int timeout)
> {
> 	BOOL ret;
> 
> 	for(;;) {
>-		ret = receive_smb_raw(fd, buffer, timeout);
>+		ret = receive_smb_raw(fd, buffer, bufsize, timeout);
> 
> 		if (!ret) {
> 			DEBUG(10,("client_receive_smb failed\n"));
>@@ -88,7 +87,7 @@
> 		return False; 
> 
>  again:
>-	ret = client_receive_smb(cli->fd,cli->inbuf,cli->timeout);
>+	ret = client_receive_smb(cli->fd,cli->inbuf, cli->bufsize, cli->timeout);
> 	
> 	if (ret) {
> 		/* it might be an oplock break request */
>diff -u -r source-orig/smbd/process.c source-fixed/smbd/process.c
>--- source-orig/smbd/process.c	2008-05-15 09:28:36.000000000 -0700
>+++ source-fixed/smbd/process.c	2008-05-15 09:53:45.000000000 -0700
>@@ -521,7 +521,8 @@
> 		goto again;
> 	}
> 
>-	return receive_smb(smbd_server_fd(), buffer, 0);
>+	return receive_smb(smbd_server_fd(), buffer,
>+			BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE, 0);
> }
> 
> /*
>diff -u -r source-orig/utils/smbfilter.c source-fixed/utils/smbfilter.c
>--- source-orig/utils/smbfilter.c	2008-05-15 09:28:36.000000000 -0700
>+++ source-fixed/utils/smbfilter.c	2008-05-15 09:53:45.000000000 -0700
>@@ -140,7 +140,7 @@
> 		if (num <= 0) continue;
> 		
> 		if (c != -1 && FD_ISSET(c, &fds)) {
>-			if (!receive_smb(c, packet, 0)) {
>+			if (!receive_smb(c, packet, BUFFER_SIZE, 0)) {
> 				d_printf("client closed connection\n");
> 				exit(0);
> 			}
>@@ -151,7 +151,7 @@
> 			}			
> 		}
> 		if (s != -1 && FD_ISSET(s, &fds)) {
>-			if (!receive_smb(s, packet, 0)) {
>+			if (!receive_smb(s, packet, BUFFER_SIZE, 0)) {
> 				d_printf("server closed connection\n");
> 				exit(0);
> 			}

Actions: View | Diff

Attachments on bug 446724: 305534 | 305636