| 1 |
dev-zero 08/05/29 06:37:20 |
| 2 |
|
| 3 |
Added: 3.0.28a-CVE-2008-1105.patch |
| 4 |
Log: |
| 5 |
Revision bump for security bug #222299 |
| 6 |
(Portage version: 2.1.5_rc7, RepoMan options: --force) |
| 7 |
|
| 8 |
Revision Changes Path |
| 9 |
1.1 net-fs/samba/files/3.0.28a-CVE-2008-1105.patch |
| 10 |
|
| 11 |
file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-fs/samba/files/3.0.28a-CVE-2008-1105.patch?rev=1.1&view=markup |
| 12 |
plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-fs/samba/files/3.0.28a-CVE-2008-1105.patch?rev=1.1&content-type=text/plain |
| 13 |
|
| 14 |
Index: 3.0.28a-CVE-2008-1105.patch |
| 15 |
=================================================================== |
| 16 |
diff --git a/source/client/client.c b/source/client/client.c |
| 17 |
index 3f96f63..e87623a 100644 |
| 18 |
--- a/source/client/client.c |
| 19 |
+++ b/source/client/client.c |
| 20 |
@@ -3626,7 +3626,7 @@ static void readline_callback(void) |
| 21 |
session keepalives and then drop them here. |
| 22 |
*/ |
| 23 |
if (FD_ISSET(cli->fd,&fds)) { |
| 24 |
- if (!receive_smb(cli->fd,cli->inbuf,0)) { |
| 25 |
+ if (!receive_smb(cli->fd,cli->inbuf,cli->bufsize,0)) { |
| 26 |
DEBUG(0, ("Read from server failed, maybe it closed the " |
| 27 |
"connection\n")); |
| 28 |
return; |
| 29 |
diff --git a/source/client/smbctool.c b/source/client/smbctool.c |
| 30 |
index 2063418..a18505b 100644 |
| 31 |
--- a/source/client/smbctool.c |
| 32 |
+++ b/source/client/smbctool.c |
| 33 |
@@ -3304,7 +3304,7 @@ static void readline_callback(void) |
| 34 |
session keepalives and then drop them here. |
| 35 |
*/ |
| 36 |
if (FD_ISSET(cli->fd,&fds)) { |
| 37 |
- receive_smb(cli->fd,cli->inbuf,0); |
| 38 |
+ receive_smb(cli->fd,cli->inbuf,cli->bufsize,0); |
| 39 |
goto again; |
| 40 |
} |
| 41 |
|
| 42 |
diff --git a/source/lib/util_sock.c b/source/lib/util_sock.c |
| 43 |
index 94c5e82..4715ca7 100644 |
| 44 |
--- a/source/lib/util_sock.c |
| 45 |
+++ b/source/lib/util_sock.c |
| 46 |
@@ -654,14 +654,13 @@ ssize_t read_smb_length(int fd, char *inbuf, unsigned int timeout) |
| 47 |
} |
| 48 |
|
| 49 |
/**************************************************************************** |
| 50 |
- Read an smb from a fd. Note that the buffer *MUST* be of size |
| 51 |
- BUFFER_SIZE+SAFETY_MARGIN. |
| 52 |
+ Read an smb from a fd. |
| 53 |
The timeout is in milliseconds. |
| 54 |
This function will return on receipt of a session keepalive packet. |
| 55 |
Doesn't check the MAC on signed packets. |
| 56 |
****************************************************************************/ |
| 57 |
|
| 58 |
-BOOL receive_smb_raw(int fd, char *buffer, unsigned int timeout) |
| 59 |
+BOOL receive_smb_raw(int fd, char *buffer, size_t buflen, unsigned int timeout) |
| 60 |
{ |
| 61 |
ssize_t len,ret; |
| 62 |
|
| 63 |
@@ -682,25 +681,18 @@ BOOL receive_smb_raw(int fd, char *buffer, unsigned int timeout) |
| 64 |
return False; |
| 65 |
} |
| 66 |
|
| 67 |
- /* |
| 68 |
- * A WRITEX with CAP_LARGE_WRITEX can be 64k worth of data plus 65 bytes |
| 69 |
- * of header. Don't print the error if this fits.... JRA. |
| 70 |
- */ |
| 71 |
- |
| 72 |
- if (len > (BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE)) { |
| 73 |
+ if (len > buflen) { |
| 74 |
DEBUG(0,("Invalid packet length! (%lu bytes).\n",(unsigned long)len)); |
| 75 |
- if (len > BUFFER_SIZE + (SAFETY_MARGIN/2)) { |
| 76 |
|
| 77 |
- /* |
| 78 |
- * Correct fix. smb_read_error may have already been |
| 79 |
- * set. Only set it here if not already set. Global |
| 80 |
- * variables still suck :-). JRA. |
| 81 |
- */ |
| 82 |
+ /* |
| 83 |
+ * smb_read_error may have already been |
| 84 |
+ * set. Only set it here if not already set. Global |
| 85 |
+ * variables still suck :-). JRA. |
| 86 |
+ */ |
| 87 |
|
| 88 |
- if (smb_read_error == 0) |
| 89 |
- smb_read_error = READ_ERROR; |
| 90 |
- return False; |
| 91 |
- } |
| 92 |
+ if (smb_read_error == 0) |
| 93 |
+ smb_read_error = READ_ERROR; |
| 94 |
+ return False; |
| 95 |
} |
| 96 |
|
| 97 |
if(len > 0) { |
| 98 |
@@ -730,9 +722,9 @@ BOOL receive_smb_raw(int fd, char *buffer, unsigned int timeout) |
| 99 |
Checks the MAC on signed packets. |
| 100 |
****************************************************************************/ |
| 101 |
|
| 102 |
-BOOL receive_smb(int fd, char *buffer, unsigned int timeout) |
| 103 |
+BOOL receive_smb(int fd, char *buffer, size_t buflen, unsigned int timeout) |
| 104 |
{ |
| 105 |
- if (!receive_smb_raw(fd, buffer, timeout)) { |
| 106 |
+ if (!receive_smb_raw(fd, buffer, buflen, timeout)) { |
| 107 |
return False; |
| 108 |
} |
| 109 |
|
| 110 |
diff --git a/source/libsmb/clientgen.c b/source/libsmb/clientgen.c |
| 111 |
index c6cef08..7d7ab9e 100644 |
| 112 |
--- a/source/libsmb/clientgen.c |
| 113 |
+++ b/source/libsmb/clientgen.c |
| 114 |
@@ -44,8 +44,7 @@ int cli_set_port(struct cli_state *cli, int port) |
| 115 |
} |
| 116 |
|
| 117 |
/**************************************************************************** |
| 118 |
- Read an smb from a fd ignoring all keepalive packets. Note that the buffer |
| 119 |
- *MUST* be of size BUFFER_SIZE+SAFETY_MARGIN. |
| 120 |
+ Read an smb from a fd ignoring all keepalive packets. |
| 121 |
The timeout is in milliseconds |
| 122 |
|
| 123 |
This is exactly the same as receive_smb except that it never returns |
| 124 |
@@ -54,12 +53,12 @@ int cli_set_port(struct cli_state *cli, int port) |
| 125 |
should never go into a blocking read. |
| 126 |
****************************************************************************/ |
| 127 |
|
| 128 |
-static BOOL client_receive_smb(int fd,char *buffer, unsigned int timeout) |
| 129 |
+static BOOL client_receive_smb(int fd,char *buffer, size_t bufsize, unsigned int timeout) |
| 130 |
{ |
| 131 |
BOOL ret; |
| 132 |
|
| 133 |
for(;;) { |
| 134 |
- ret = receive_smb_raw(fd, buffer, timeout); |
| 135 |
+ ret = receive_smb_raw(fd, buffer, bufsize, timeout); |
| 136 |
|
| 137 |
if (!ret) { |
| 138 |
DEBUG(10,("client_receive_smb failed\n")); |
| 139 |
@@ -88,7 +87,7 @@ BOOL cli_receive_smb(struct cli_state *cli) |
| 140 |
return False; |
| 141 |
|
| 142 |
again: |
| 143 |
- ret = client_receive_smb(cli->fd,cli->inbuf,cli->timeout); |
| 144 |
+ ret = client_receive_smb(cli->fd,cli->inbuf, cli->bufsize, cli->timeout); |
| 145 |
|
| 146 |
if (ret) { |
| 147 |
/* it might be an oplock break request */ |
| 148 |
diff --git a/source/smbd/process.c b/source/smbd/process.c |
| 149 |
index 8dec719..3d31c29 100644 |
| 150 |
--- a/source/smbd/process.c |
| 151 |
+++ b/source/smbd/process.c |
| 152 |
@@ -521,7 +521,8 @@ static BOOL receive_message_or_smb(char *buffer, int buffer_len, int timeout) |
| 153 |
goto again; |
| 154 |
} |
| 155 |
|
| 156 |
- return receive_smb(smbd_server_fd(), buffer, 0); |
| 157 |
+ return receive_smb(smbd_server_fd(), buffer, |
| 158 |
+ BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE, 0); |
| 159 |
} |
| 160 |
|
| 161 |
/* |
| 162 |
diff --git a/source/utils/smbfilter.c b/source/utils/smbfilter.c |
| 163 |
index 97d2223..2152e53 100644 |
| 164 |
--- a/source/utils/smbfilter.c |
| 165 |
+++ b/source/utils/smbfilter.c |
| 166 |
@@ -140,7 +140,7 @@ static void filter_child(int c, struct in_addr dest_ip) |
| 167 |
if (num <= 0) continue; |
| 168 |
|
| 169 |
if (c != -1 && FD_ISSET(c, &fds)) { |
| 170 |
- if (!receive_smb(c, packet, 0)) { |
| 171 |
+ if (!receive_smb(c, packet, BUFFER_SIZE, 0)) { |
| 172 |
d_printf("client closed connection\n"); |
| 173 |
exit(0); |
| 174 |
} |
| 175 |
@@ -151,7 +151,7 @@ static void filter_child(int c, struct in_addr dest_ip) |
| 176 |
} |
| 177 |
} |
| 178 |
if (s != -1 && FD_ISSET(s, &fds)) { |
| 179 |
- if (!receive_smb(s, packet, 0)) { |
| 180 |
+ if (!receive_smb(s, packet, BUFFER_SIZE, 0)) { |
| 181 |
d_printf("server closed connection\n"); |
| 182 |
exit(0); |
| 183 |
} |
| 184 |
|
| 185 |
|
| 186 |
|
| 187 |
-- |
| 188 |
gentoo-commits@l.g.o mailing list |
Archives