dev-zero 08/05/29 06:37:20 |
|
Added: 3.0.28a-CVE-2008-1105.patch |
Log: |
Revision bump for security bug #222299 |
(Portage version: 2.1.5_rc7, RepoMan options: --force) |
|
Revision Changes Path |
1.1 net-fs/samba/files/3.0.28a-CVE-2008-1105.patch |
|
file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-fs/samba/files/3.0.28a-CVE-2008-1105.patch?rev=1.1&view=markup |
plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-fs/samba/files/3.0.28a-CVE-2008-1105.patch?rev=1.1&content-type=text/plain |
|
Index: 3.0.28a-CVE-2008-1105.patch |
=================================================================== |
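diff --git a/source/client/client.c b/source/client/client.c
index 3f96f63..e87623a 100644
--- a/source/client/client.c
+++ b/source/client/client.c
@@ -3626,7 +3626,7 @@ static void readline_callback(void)
 session keepalives and then drop them here.
 */
 if (FD_ISSET(cli->fd,&fds)) {
- if (!receive_smb(cli->fd,cli->inbuf,0)) {
+ if (!receive_smb(cli->fd,cli->inbuf,cli->bufsize,0)) {
 DEBUG(0, ("Read from server failed, maybe it closed the "
 "connection\n"));
 return;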
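diff --git a/source/client/smbctool.c b/source/client/smbctool.c
index 2063418..a18505b 100644
--- a/source/client/smbctool.c
+++ b/source/client/smbctool.c
@@ -3304,7 +3304,7 @@ static void readline_callback(void)
 session keepalives and then drop them here.
 */
 if (FD_ISSET(cli->fd,&fds)) {
- receive_smb(cli->fd,cli->inbuf,0);
+ receive_smb(cli->fd,cli->inbuf,cli->bufsize,0);
 goto again;
 }
 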
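diff --git a/source/lib/util_sock.c b/source/lib/util_sock.c
index 94c5e82..4715ca7 100644
--- a/source/lib/util_sock.c
+++ b/source/lib/util_sock.c
@@ -654,14 +654,13 @@ ssize_t read_smb_length(int fd, char *inbuf, unsigned int timeout)
 }
 
 /****************************************************************************
- Read an smb from a fd. Note that the buffer *MUST* be of size
- BUFFER_SIZE+SAFETY_MARGIN.
+ Read an smb from a fd.
 The timeout is in milliseconds.
 This function will return on receipt of a session keepalive packet.
 Doesn't check the MAC on signed packets.
 ****************************************************************************/
 
-BOOL receive_smb_raw(int fd, char *buffer, unsigned int timeout)
+BOOL receive_smb_raw(int fd, char *buffer, size_t buflen, unsigned int timeout)
 {
 ssize_t len,ret;
 
@@ -682,25 +681,18 @@ BOOL receive_smb_raw(int fd, char *buffer, unsigned int timeout)
 return False;
 }
 
- /*
- * A WRITEX with CAP_LARGE_WRITEX can be 64k worth of data plus 65 bytes
- * of header. Don't print the error if this fits.... JRA.
- */
-
- if (len > (BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE)) {
+ if (len > buflen) {
 DEBUG(0,("Invalid packet length! (%lu bytes).\n",(unsigned long)len));
- if (len > BUFFER_SIZE + (SAFETY_MARGIN/2)) {
 
- /*
- * Correct fix. smb_read_error may have already been
- * set. Only set it here if not already set. Global
- * variables still suck :-). JRA.
- */
+ /*
+ * smb_read_error may have already been
+ * set. Only set it here if not already set. Global
+ * variables still suck :-). JRA.
+ */
 
- if (smb_read_error == 0)
- smb_read_error = READ_ERROR;
- return False;
- }
+ if (smb_read_error == 0)
+ smb_read_error = READ_ERROR;
+ return False;
 }
 
 if(len > 0) {
@@ -730,9 +722,9 @@ BOOL receive_smb_raw(int fd, char *buffer, unsigned int timeout)
 Checks the MAC on signed packets.
 ****************************************************************************/
 
-BOOL receive_smb(int fd, char *buffer, unsigned int timeout)
+BOOL receive_smb(int fd, char *buffer, size_t buflen, unsigned int timeout)
 {
- if (!receive_smb_raw(fd, buffer, timeout)) {
+ if (!receive_smb_raw(fd, buffer, buflen, timeout)) {
 return False;
 }
 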
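diff --git a/source/libsmb/clientgen.c b/source/libsmb/clientgen.c
index c6cef08..7d7ab9e 100644
--- a/source/libsmb/clientgen.c
+++ b/source/libsmb/clientgen.c
@@ -44,8 +44,7 @@ int cli_set_port(struct cli_state *cli, int port)
 }
 
 /****************************************************************************
- Read an smb from a fd ignoring all keepalive packets. Note that the buffer
- *MUST* be of size BUFFER_SIZE+SAFETY_MARGIN.
+ Read an smb from a fd ignoring all keepalive packets.
 The timeout is in milliseconds
 
 This is exactly the same as receive_smb except that it never returns
@@ -54,12 +53,12 @@ int cli_set_port(struct cli_state *cli, int port)
 should never go into a blocking read.
 ****************************************************************************/
 
-static BOOL client_receive_smb(int fd,char *buffer, unsigned int timeout)
+static BOOL client_receive_smb(int fd,char *buffer, size_t bufsize, unsigned int timeout)
 {
 BOOL ret;
 
 for(;;) {
- ret = receive_smb_raw(fd, buffer, timeout);
+ ret = receive_smb_raw(fd, buffer, bufsize, timeout);
 
 if (!ret) {
 DEBUG(10,("client_receive_smb failed\n"));
@@ -88,7 +87,7 @@ BOOL cli_receive_smb(struct cli_state *cli)
 return False;
 
 again:
- ret = client_receive_smb(cli->fd,cli->inbuf,cli->timeout);
+ ret = client_receive_smb(cli->fd,cli->inbuf, cli->bufsize, cli->timeout);
 
 if (ret) {
 /* it might be an oplock break request */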
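diff --git a/source/smbd/process.c b/source/smbd/process.c
index 8dec719..3d31c29 100644
--- a/source/smbd/process.c
+++ b/source/smbd/process.c
@@ -521,7 +521,8 @@ static BOOL receive_message_or_smb(char *buffer, int buffer_len, int timeout)
 goto again;
 }
 
- return receive_smb(smbd_server_fd(), buffer, 0);
+ return receive_smb(smbd_server_fd(), buffer,
+ BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE, 0);
 }
 
 /*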
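diff --git a/source/utils/smbfilter.c b/source/utils/smbfilter.c
index 97d2223..2152e53 100644
--- a/source/utils/smbfilter.c
+++ b/source/utils/smbfilter.c
@@ -140,7 +140,7 @@ static void filter_child(int c, struct in_addr dest_ip)
 if (num <= 0) continue;
 
 if (c != -1 && FD_ISSET(c, &fds)) {
- if (!receive_smb(c, packet, 0)) {
+ if (!receive_smb(c, packet, BUFFER_SIZE, 0)) {
 d_printf("client closed connection\n");
 exit(0);
 }
@@ -151,7 +151,7 @@ static void filter_child(int c, struct in_addr dest_ip)
 }
 }
 if (s != -1 && FD_ISSET(s, &fds)) {
- if (!receive_smb(s, packet, 0)) {
+ if (!receive_smb(s, packet, BUFFER_SIZE, 0)) {
 d_printf("server closed connection\n");
 exit(0);
 }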
|