[BACK]Return to patch-ee CVS log [TXT][DIR] Up to [cvs.NetBSD.org] / pkgsrc / net / samba30 / patches

File: [cvs.NetBSD.org] / pkgsrc / net / samba30 / patches / Attic / patch-ee (download)

Revision 1.3, Mon Nov 19 02:59:06 2012 UTC (10 years, 2 months ago) by joerg
Branch: MAIN
CVS Tags: pkgsrc-2012Q4-base, pkgsrc-2012Q4
Changes since 1.2: +2 -2 lines

Correctly return an error value when bailing out.

$NetBSD: patch-ee,v 1.3 2012/11/19 02:59:06 joerg Exp $

Patch to fix CVE-2010-2063 and CVE-2012-0870.

--- smbd/process.c.orig	2009-09-30 12:21:56.000000000 +0000
+++ smbd/process.c
@@ -1159,8 +1159,9 @@ int chain_reply(char *inbuf,char *outbuf
 {
 	static char *orig_inbuf;
 	static char *orig_outbuf;
+	static int orig_size;
 	int smb_com1, smb_com2 = CVAL(inbuf,smb_vwv0);
-	unsigned smb_off2 = SVAL(inbuf,smb_vwv1);
+	static unsigned smb_off2;
 	char *inbuf2, *outbuf2;
 	int outsize2;
 	int new_size;
@@ -1178,6 +1179,21 @@ int chain_reply(char *inbuf,char *outbuf
 		/* this is the first part of the chain */
 		orig_inbuf = inbuf;
 		orig_outbuf = outbuf;
+		orig_size = size;
+		smb_off2 = 0;
+	}
+
+	if (SVAL(inbuf,smb_vwv1) <= smb_off2) {
+		DEBUG(1, ("AndX offset not increasing\n"));
+		SCVAL(outbuf, smb_vwv0, 0xFF);
+		return -1;
+	}
+	smb_off2 = SVAL(inbuf, smb_vwv1);
+
+	/* Validate smb_off2 */
+	if ((smb_off2 < smb_wct - 4) || orig_size < (smb_off2 + 4 - smb_wct)) {
+		exit_server_cleanly("Bad chained packet");
+		return -1;
 	}
 
 	/*
@@ -1192,6 +1208,11 @@ int chain_reply(char *inbuf,char *outbuf
 	SSVAL(outbuf,smb_vwv1,smb_offset(outbuf+outsize,outbuf));
 	SCVAL(outbuf,smb_vwv0,smb_com2);
 
+	if (outsize <= smb_wct) {
+		exit_server_cleanly("Bad chained packet");
+		return -1;
+	}
+
 	/* remember how much the caller added to the chain, only counting stuff
 		after the parameter words */
 	chain_size += outsize - smb_wct;