Inicio Explorar Axuda
Iniciar sesión
RISCI_ATOM
/
libreCMC-next
Fork de libreCMC/libreCMC
1
0
Fork 0
Ficheiros
Árbore: aaeecaa038
Ramas Etiquetas
libreCMC-next
/
package
/
network
/
services
/
samba36
/
patches
/
031-CVE-2017-12163-v3.6.patch

031-CVE-2017-12163-v3.6.patch 4.2 KB
Histórico Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136 
  1. From: =?utf-8?q?Guido_G=C3=BCnther?= <agx@sigxcpu.org>
    2. 

  2. Date: Wed, 20 Sep 2017 20:02:03 +0200
    3. 

  3. Subject: CVE-2017-12163: s3:smbd: Prevent client short SMB1 write from
    4. 

  4.  writing server memory to file.
    5. 

  5. 

  6. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13020
    7. 

  7. 

  8. Author: Jeremy Allison <jra@samba.org>
    9. 

  9. Signed-off-by: Jeremy Allison <jra@samba.org>
    10. 

  10. Signed-off-by: Stefan Metzmacher <metze@samba.org>
    11. 

  11. ---
    12. 

  12.  source3/smbd/reply.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
    13. 

  13.  1 file changed, 50 insertions(+)
    14. 

  14. 

  15. --- a/source3/smbd/reply.c
    16. 

  16. +++ b/source3/smbd/reply.c
    17. 

  17. @@ -3979,6 +3979,9 @@ void reply_writebraw(struct smb_request
    18. 

  18.  	}
    19. 

  19.  
    20. 

  20.  	/* Ensure we don't write bytes past the end of this packet. */
    21. 

  21. +	/*
    22. 

  22. +	 * This already protects us against CVE-2017-12163.
    23. 

  23. +	 */
    24. 

  24.  	if (data + numtowrite > smb_base(req->inbuf) + smb_len(req->inbuf)) {
    25. 

  25.  		reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
    26. 

  26.  		error_to_writebrawerr(req);
    27. 

  27. @@ -4080,6 +4083,11 @@ void reply_writebraw(struct smb_request
    28. 

  28.  			exit_server_cleanly("secondary writebraw failed");
    29. 

  29.  		}
    30. 

  30.  
    31. 

  31. +		/*
    32. 

  32. +		 * We are not vulnerable to CVE-2017-12163
    33. 

  33. +		 * here as we are guarenteed to have numtowrite
    34. 

  34. +		 * bytes available - we just read from the client.
    35. 

  35. +		 */
    36. 

  36.  		nwritten = write_file(req,fsp,buf+4,startpos+nwritten,numtowrite);
    37. 

  37.  		if (nwritten == -1) {
    38. 

  38.  			TALLOC_FREE(buf);
    39. 

  39. @@ -4161,6 +4169,7 @@ void reply_writeunlock(struct smb_reques
    40. 

  40.  	connection_struct *conn = req->conn;
    41. 

  41.  	ssize_t nwritten = -1;
    42. 

  42.  	size_t numtowrite;
    43. 

  43. +	size_t remaining;
    44. 

  44.  	SMB_OFF_T startpos;
    45. 

  45.  	const char *data;
    46. 

  46.  	NTSTATUS status = NT_STATUS_OK;
    47. 

  47. @@ -4193,6 +4202,17 @@ void reply_writeunlock(struct smb_reques
    48. 

  48.  	startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0);
    49. 

  49.  	data = (const char *)req->buf + 3;
    50. 

  50.  
    51. 

  51. +	/*
    52. 

  52. +	 * Ensure client isn't asking us to write more than
    53. 

  53. +	 * they sent. CVE-2017-12163.
    54. 

  54. +	 */
    55. 

  55. +	remaining = smbreq_bufrem(req, data);
    56. 

  56. +	if (numtowrite > remaining) {
    57. 

  57. +		reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
    58. 

  58. +		END_PROFILE(SMBwriteunlock);
    59. 

  59. +		return;
    60. 

  60. +	}
    61. 

  61. +
    62. 

  62.  	if (!fsp->print_file && numtowrite > 0) {
    63. 

  63.  		init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
    64. 

  64.  		    (uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
    65. 

  65. @@ -4274,6 +4294,7 @@ void reply_write(struct smb_request *req
    66. 

  66.  {
    67. 

  67.  	connection_struct *conn = req->conn;
    68. 

  68.  	size_t numtowrite;
    69. 

  69. +	size_t remaining;
    70. 

  70.  	ssize_t nwritten = -1;
    71. 

  71.  	SMB_OFF_T startpos;
    72. 

  72.  	const char *data;
    73. 

  73. @@ -4314,6 +4335,17 @@ void reply_write(struct smb_request *req
    74. 

  74.  	startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0);
    75. 

  75.  	data = (const char *)req->buf + 3;
    76. 

  76.  
    77. 

  77. +	/*
    78. 

  78. +	 * Ensure client isn't asking us to write more than
    79. 

  79. +	 * they sent. CVE-2017-12163.
    80. 

  80. +	 */
    81. 

  81. +	remaining = smbreq_bufrem(req, data);
    82. 

  82. +	if (numtowrite > remaining) {
    83. 

  83. +		reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
    84. 

  84. +		END_PROFILE(SMBwrite);
    85. 

  85. +		return;
    86. 

  86. +	}
    87. 

  87. +
    88. 

  88.  	if (!fsp->print_file) {
    89. 

  89.  		init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
    90. 

  90.  			(uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
    91. 

  91. @@ -4525,6 +4557,9 @@ void reply_write_and_X(struct smb_reques
    92. 

  92.  			return;
    93. 

  93.  		}
    94. 

  94.  	} else {
    95. 

  95. +		/*
    96. 

  96. +		 * This already protects us against CVE-2017-12163.
    97. 

  97. +		 */
    98. 

  98.  		if (smb_doff > smblen || smb_doff + numtowrite < numtowrite ||
    99. 

  99.  				smb_doff + numtowrite > smblen) {
    100. 

  100.  			reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
    101. 

  101. @@ -4894,6 +4929,7 @@ void reply_writeclose(struct smb_request
    102. 

  102.  {
    103. 

  103.  	connection_struct *conn = req->conn;
    104. 

  104.  	size_t numtowrite;
    105. 

  105. +	size_t remaining;
    106. 

  106.  	ssize_t nwritten = -1;
    107. 

  107.  	NTSTATUS close_status = NT_STATUS_OK;
    108. 

  108.  	SMB_OFF_T startpos;
    109. 

  109. @@ -4927,6 +4963,17 @@ void reply_writeclose(struct smb_request
    110. 

  110.  	mtime = convert_time_t_to_timespec(srv_make_unix_date3(req->vwv+4));
    111. 

  111.  	data = (const char *)req->buf + 1;
    112. 

  112.  
    113. 

  113. +	/*
    114. 

  114. +	 * Ensure client isn't asking us to write more than
    115. 

  115. +	 * they sent. CVE-2017-12163.
    116. 

  116. +	 */
    117. 

  117. +	remaining = smbreq_bufrem(req, data);
    118. 

  118. +	if (numtowrite > remaining) {
    119. 

  119. +		reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
    120. 

  120. +		END_PROFILE(SMBwriteclose);
    121. 

  121. +		return;
    122. 

  122. +	}
    123. 

  123. +
    124. 

  124.  	if (!fsp->print_file) {
    125. 

  125.  		init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
    126. 

  126.  		    (uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
    127. 

  127. @@ -5497,6 +5544,9 @@ void reply_printwrite(struct smb_request
    128. 

  128.  
    129. 

  129.  	numtowrite = SVAL(req->buf, 1);
    130. 

  130.  
    131. 

  131. +	/*
    132. 

  132. +	 * This already protects us against CVE-2017-12163.
    133. 

  133. +	 */
    134. 

  134.  	if (req->buflen < numtowrite + 3) {
    135. 

  135.  		reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
    136. 

  136.  		END_PROFILE(SMBsplwr);
    137.