Annotation of /trunk/samba/patches/samba-3.0.24-heap_overflow.patch
Revision 201 -
Sat May 19 16:54:40 2007 UTC (17 years, 4 months ago) by niro
File size: 8427 byte(s)
-added security fixes (CVE-2007-2446 && CVE-2007-2447)
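Index: samba-3.0.24/source/include/smb_macros.h
===================================================================
--- samba-3.0.24.orig/source/include/smb_macros.h 2007-05-10 09:47:34.000000000 -0500
+++ samba-3.0.24/source/include/smb_macros.h 2007-05-10 09:48:03.000000000 -0500
@@ -310,7 +310,6 @@
 #if defined(PARANOID_MALLOC_CHECKER)
 
 #define PRS_ALLOC_MEM(ps, type, count) (type *)prs_alloc_mem_((ps),sizeof(type),(count))
-#define PRS_ALLOC_MEM_VOID(ps, size) prs_alloc_mem_((ps),(size),1)
 
 /* Get medieval on our ass about malloc.... */
 
@@ -354,7 +353,6 @@
 #define __location__ __FILE__ ":" __LINESTR__
 
 #define PRS_ALLOC_MEM(ps, type, count) (type *)prs_alloc_mem((ps),sizeof(type),(count))
-#define PRS_ALLOC_MEM_VOID(ps, size) prs_alloc_mem((ps),(size),1)
 
 /* Regular malloc code. */
 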
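Index: samba-3.0.24/source/rpc_parse/parse_dfs.c
===================================================================
--- samba-3.0.24.orig/source/rpc_parse/parse_dfs.c 2007-05-10 09:47:28.000000000 -0500
+++ samba-3.0.24/source/rpc_parse/parse_dfs.c 2007-05-10 09:48:03.000000000 -0500
@@ -325,7 +325,9 @@
 return False;
 
 if (UNMARSHALLING(ps)) {
-v->stores = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->stores)*v->num_stores);
+v->stores = PRS_ALLOC_MEM(ps,NETDFS_DFS_STORAGEINFO,v->num_stores);
+if (!v->stores)
+return False;
 }
 for (i_stores_1=0; i_stores_1<v->num_stores;i_stores_1++) {
 if (!netdfs_io_dfs_StorageInfo_p("stores", &v->stores[i_stores_1], ps, depth))
@@ -447,7 +449,9 @@
 return False;
 
 if (UNMARSHALLING(ps)) {
-v->stores = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->stores)*v->num_stores);
+v->stores = PRS_ALLOC_MEM(ps,NETDFS_DFS_STORAGEINFO,v->num_stores);
+if (!v->stores)
+return False;
 }
 for (i_stores_1=0; i_stores_1<v->num_stores;i_stores_1++) {
 if (!netdfs_io_dfs_StorageInfo_p("stores", &v->stores[i_stores_1], ps, depth))
@@ -920,7 +924,9 @@
 return False;
 
 if (UNMARSHALLING(ps)) {
-v->s = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->s)*v->count);
+v->s = PRS_ALLOC_MEM(ps,NETDFS_DFS_INFO1,v->count);
+if (!v->s)
+return False;
 }
 for (i_s_1=0; i_s_1<v->count;i_s_1++) {
 if (!netdfs_io_dfs_Info1_p("s", &v->s[i_s_1], ps, depth))
@@ -986,7 +992,9 @@
 return False;
 
 if (UNMARSHALLING(ps)) {
-v->s = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->s)*v->count);
+v->s = PRS_ALLOC_MEM(ps,NETDFS_DFS_INFO2,v->count);
+if (!v->s)
+return False;
 }
 for (i_s_1=0; i_s_1<v->count;i_s_1++) {
 if (!netdfs_io_dfs_Info2_p("s", &v->s[i_s_1], ps, depth))
@@ -1052,7 +1060,9 @@
 return False;
 
 if (UNMARSHALLING(ps)) {
-v->s = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->s)*v->count);
+v->s = PRS_ALLOC_MEM(ps,NETDFS_DFS_INFO3,v->count);
+if (!v->s)
+return False;
 }
 for (i_s_1=0; i_s_1<v->count;i_s_1++) {
 if (!netdfs_io_dfs_Info3_p("s", &v->s[i_s_1], ps, depth))
@@ -1118,7 +1128,9 @@
 return False;
 
 if (UNMARSHALLING(ps)) {
-v->s = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->s)*v->count);
+v->s = PRS_ALLOC_MEM(ps,NETDFS_DFS_INFO4,v->count);
+if (!v->s)
+return False;
 }
 for (i_s_1=0; i_s_1<v->count;i_s_1++) {
 if (!netdfs_io_dfs_Info4_p("s", &v->s[i_s_1], ps, depth))
@@ -1184,7 +1196,9 @@
 return False;
 
 if (UNMARSHALLING(ps)) {
-v->s = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->s)*v->count);
+v->s = PRS_ALLOC_MEM(ps,NETDFS_DFS_INFO200,v->count);
+if (!v->s)
+return False;
 }
 for (i_s_1=0; i_s_1<v->count;i_s_1++) {
 if (!netdfs_io_dfs_Info200_p("s", &v->s[i_s_1], ps, depth))
@@ -1250,7 +1264,9 @@
 return False;
 
 if (UNMARSHALLING(ps)) {
-v->s = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->s)*v->count);
+v->s = PRS_ALLOC_MEM(ps,NETDFS_DFS_INFO300,v->count);
+if (!v->s)
+return False;
 }
 for (i_s_1=0; i_s_1<v->count;i_s_1++) {
 if (!netdfs_io_dfs_Info300_p("s", &v->s[i_s_1], ps, depth))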
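Review bot: The added `if (!v->stores) return False;` / `if (!v->s) return False;` in all eight hunks turns a zero-length array into a parse failure once prs_alloc_mem_ returns NULL for a zero count (the `if (size && count)` change in the parse_prs.c hunk of this same patch). Whether the protocol permits `num_stores` or `count` of zero is not visible here, but parse_sec.c in this patch handles that case by skipping the allocation when the count is zero; if empty arrays are legal on the wire, guard the same way, e.g. `if (v->num_stores) { v->stores = PRS_ALLOC_MEM(ps,NETDFS_DFS_STORAGEINFO,v->num_stores); if (!v->stores) return False; }`. The two num_entries2 allocations in the parse_lsa.c hunks have the same NULL-on-zero interaction. Every enclosing function here starts and ends outside its hunk, so the subsequent use of the array was not reviewed.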
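Index: samba-3.0.24/source/rpc_parse/parse_lsa.c
===================================================================
--- samba-3.0.24.orig/source/rpc_parse/parse_lsa.c 2007-05-10 09:47:14.000000000 -0500
+++ samba-3.0.24/source/rpc_parse/parse_lsa.c 2007-05-10 09:47:58.000000000 -0500
@@ -1349,12 +1349,17 @@
 &trn->num_entries2))
 return False;
 
+if (trn->num_entries2 != trn->num_entries) {
+/* RPC fault */
+return False;
+}
+
 if (UNMARSHALLING(ps)) {
-if ((trn->name = PRS_ALLOC_MEM(ps, LSA_TRANS_NAME, trn->num_entries)) == NULL) {
+if ((trn->name = PRS_ALLOC_MEM(ps, LSA_TRANS_NAME, trn->num_entries2)) == NULL) {
 return False;
 }
 
-if ((trn->uni_name = PRS_ALLOC_MEM(ps, UNISTR2, trn->num_entries)) == NULL) {
+if ((trn->uni_name = PRS_ALLOC_MEM(ps, UNISTR2, trn->num_entries2)) == NULL) {
 return False;
 }
 }
@@ -1406,12 +1411,17 @@
 &trn->num_entries2))
 return False;
 
+if (trn->num_entries2 != trn->num_entries) {
+/* RPC fault */
+return False;
+}
+
 if (UNMARSHALLING(ps)) {
-if ((trn->name = PRS_ALLOC_MEM(ps, LSA_TRANS_NAME2, trn->num_entries)) == NULL) {
+if ((trn->name = PRS_ALLOC_MEM(ps, LSA_TRANS_NAME2, trn->num_entries2)) == NULL) {
 return False;
 }
 
-if ((trn->uni_name = PRS_ALLOC_MEM(ps, UNISTR2, trn->num_entries)) == NULL) {
+if ((trn->uni_name = PRS_ALLOC_MEM(ps, UNISTR2, trn->num_entries2)) == NULL) {
 return False;
 }
 }
@@ -2759,7 +2769,7 @@
 
 static BOOL lsa_io_privilege_set(const char *desc, PRIVILEGE_SET *out, prs_struct *ps, int depth)
 {
-uint32 i;
+uint32 i, dummy;
 
 prs_debug(ps, depth, desc, "lsa_io_privilege_set");
 depth++;
@@ -2767,7 +2777,7 @@
 if(!prs_align(ps))
 return False;
 
-if(!prs_uint32("count", ps, depth, &out->count))
+if(!prs_uint32("count", ps, depth, &dummy))
 return False;
 if(!prs_uint32("control", ps, depth, &out->control))
 return False;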
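Review bot: In the two lsa_io_privilege_set hunks, `dummy` is declared without an initializer and then handed to `prs_uint32("count", ps, depth, &dummy)`; the prs_ io routines in this patch appear to serve both directions (UNMARSHALLING(ps) is tested in the hunks above), so on the marshalling side the count written to the wire would come from an uninitialised local. Setting `dummy = out->count;` before the call keeps the outgoing count correct, and on the receiving side the parsed value can be checked against the count the caller already established, `if (UNMARSHALLING(ps) && dummy != out->count) return False;`, mirroring the num_entries2 consistency check added at @@ -1349 and @@ -1406. Whether out->count is populated before this function runs is not visible here; lsa_io_privilege_set continues past the last hunk.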
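Index: samba-3.0.24/source/rpc_parse/parse_prs.c
===================================================================
--- samba-3.0.24.orig/source/rpc_parse/parse_prs.c 2007-05-10 09:47:19.000000000 -0500
+++ samba-3.0.24/source/rpc_parse/parse_prs.c 2007-05-10 09:48:03.000000000 -0500
@@ -156,7 +156,7 @@
 {
 char *ret = NULL;
 
-if (size) {
+if (size && count) {
 /* We can't call the type-safe version here. */
 ret = _talloc_zero_array(ps->mem_ctx, size, count, "parse_prs");
 }
@@ -642,7 +642,7 @@
 return True;
 
 if (UNMARSHALLING(ps)) {
-if ( !(*data = PRS_ALLOC_MEM_VOID(ps, data_size)) )
+if ( !(*data = (void *)PRS_ALLOC_MEM(ps, char, data_size)) )
 return False;
 }
 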
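Review bot: The `if (size && count)` change at @@ -156 makes the allocator return NULL for a zero count as well as a zero size, so callers can no longer distinguish an empty array from an allocation failure by testing the pointer, and several callers in this patch do exactly that. The function's signature and header comment are outside the hunk, but the contract should be stated next to this branch, e.g. `/* Returns NULL when size or count is zero, not only on allocation failure; callers that accept empty arrays must check the count before treating NULL as an error. */`. Presumably the size*count product is overflow-checked inside _talloc_zero_array, which is why callers were moved off PRS_ALLOC_MEM_VOID's hand-computed byte sizes; noting that in the same comment would discourage future callers from multiplying sizeof by a wire count themselves.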
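Index: samba-3.0.24/source/rpc_parse/parse_sec.c
===================================================================
--- samba-3.0.24.orig/source/rpc_parse/parse_sec.c 2007-05-10 09:47:22.000000000 -0500
+++ samba-3.0.24/source/rpc_parse/parse_sec.c 2007-05-10 09:48:01.000000000 -0500
@@ -122,7 +122,7 @@
 for you as it reads them.
 ********************************************************************/
 
-BOOL sec_io_acl(const char *desc, SEC_ACL **ppsa, prs_struct *ps, int depth)
+static BOOL sec_io_acl(const char *desc, SEC_ACL **ppsa, prs_struct *ps, int depth)
 {
 unsigned int i;
 uint32 old_offset;
@@ -165,13 +165,10 @@
 return False;
 
 if (UNMARSHALLING(ps)) {
-/*
-* Even if the num_aces is zero, allocate memory as there's a difference
-* between a non-present DACL (allow all access) and a DACL with no ACE's
-* (allow no access).
-*/
-if((psa->ace = PRS_ALLOC_MEM(ps, SEC_ACE, psa->num_aces+1)) == NULL)
-return False;
+if (psa->num_aces) {
+if((psa->ace = PRS_ALLOC_MEM(ps, SEC_ACE, psa->num_aces)) == NULL)
+return False;
+}
 }
 
 for (i = 0; i < psa->num_aces; i++) {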
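Review bot: The replacement at @@ -165 leaves `psa->ace` NULL whenever `psa->num_aces` is zero and drops the comment that explained why an empty DACL (allow no access) must stay distinguishable from an absent one (allow all access); that distinction presumably now rests on `*ppsa` being non-NULL rather than on `psa->ace`, and any consumer that dereferences `psa->ace` without checking `num_aces` first would now hit a NULL pointer. Keep the rationale on the new branch, e.g. `/* An ACL with no ACEs keeps ace == NULL; "present but empty" is still told apart from "no DACL" by the ACL struct itself existing, so callers must test num_aces before touching ace. */`. The allocation of psa and the remainder of sec_io_acl lie outside the hunk.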
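Index: samba-3.0.24/source/rpc_parse/parse_spoolss.c
===================================================================
--- samba-3.0.24.orig/source/rpc_parse/parse_spoolss.c 2007-05-10 09:47:16.000000000 -0500
+++ samba-3.0.24/source/rpc_parse/parse_spoolss.c 2007-05-10 09:48:00.000000000 -0500
@@ -227,8 +227,13 @@
 if(!prs_uint32("count2", ps, depth, &type->count2))
 return False;
 
-if (type->count2 != type->count)
+if (type->count2 != type->count) {
 DEBUG(4,("What a mess, count was %x now is %x !\n", type->count, type->count2));
+return False;
+}
+if (type->count2 > MAX_NOTIFY_TYPE_FOR_NOW) {
+return False;
+}
 
 /* parse the option type data */
 for(i=0;i<type->count2;i++)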
247 |