Diffstat (limited to 'patches/source/samba/samba-3.2.15-CVE-2010-3069.patch')
-rw-r--r--patches/source/samba/samba-3.2.15-CVE-2010-3069.patch78
1 files changed, 78 insertions, 0 deletions
diff --git a/patches/source/samba/samba-3.2.15-CVE-2010-3069.patch b/patches/source/samba/samba-3.2.15-CVE-2010-3069.patch
new file mode 100644
index 00000000..9c66eeb6
--- /dev/null
+++ b/patches/source/samba/samba-3.2.15-CVE-2010-3069.patch
@@ -0,0 +1,78 @@
+--- ./source/lib/util_sid.c.orig 2009-09-30 07:24:50.000000000 -0500
++++ ./source/lib/util_sid.c 2010-09-14 13:28:19.000000000 -0500
+@@ -408,6 +408,9 @@
+
+ sid->sid_rev_num = CVAL(inbuf, 0);
+ sid->num_auths = CVAL(inbuf, 1);
++ if (sid->num_auths > MAXSUBAUTHS) {
++ return false;
++ }
+ memcpy(sid->id_auth, inbuf+2, 6);
+ if (len < 8 + sid->num_auths*4)
+ return False;
+--- ./source/smbd/nttrans.c.orig 2009-09-30 07:24:50.000000000 -0500
++++ ./source/smbd/nttrans.c 2010-09-14 13:28:19.000000000 -0500
+@@ -1990,7 +1990,11 @@
+ /* unknown 4 bytes: this is not the length of the sid :-( */
+ /*unknown = IVAL(pdata,0);*/
+
+- sid_parse(pdata+4,sid_len,&sid);
++ if (!sid_parse(pdata+4,sid_len,&sid)) {
++ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
++ return;
++ }
++
+ DEBUGADD(10, ("for SID: %s\n", sid_string_dbg(&sid)));
+
+ if (!sid_to_uid(&sid, &uid)) {
+@@ -2245,7 +2249,10 @@
+ break;
+ }
+
+- sid_parse(pdata+8,sid_len,&sid);
++ if (!sid_parse(pdata+8,sid_len,&sid)) {
++ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
++ return;
++ }
+
+ if (vfs_get_ntquota(fsp, SMB_USER_QUOTA_TYPE, &sid, &qt)!=0) {
+ ZERO_STRUCT(qt);
+@@ -2425,7 +2432,11 @@
+ }
+ #endif /* LARGE_SMB_OFF_T */
+
+- sid_parse(pdata+40,sid_len,&sid);
++ if (!sid_parse(pdata+40,sid_len,&sid)) {
++ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
++ return;
++ }
++
+ DEBUGADD(8,("SID: %s\n", sid_string_dbg(&sid)));
+
+ /* 44 unknown bytes left... */
+--- ./source/libsmb/cliquota.c.orig 2009-09-30 07:24:50.000000000 -0500
++++ ./source/libsmb/cliquota.c 2010-09-14 13:29:53.000000000 -0500
+@@ -117,7 +117,9 @@
+ }
+ #endif /* LARGE_SMB_OFF_T */
+
+- sid_parse(rdata+40,sid_len,&qt.sid);
++ if (!sid_parse(rdata+40,sid_len,&qt.sid)) {
++ return false;
++ }
+
+ qt.qtype = SMB_USER_QUOTA_TYPE;
+
+--- ./source/libads/ldap.c.orig 2009-09-30 07:24:50.000000000 -0500
++++ ./source/libads/ldap.c 2010-09-14 13:28:19.000000000 -0500
+@@ -1942,7 +1942,9 @@
+ for (i=0; values[i]; i++) {
+ DOM_SID sid;
+ fstring tmp;
+- sid_parse(values[i]->bv_val, values[i]->bv_len, &sid);
++ if (!sid_parse(values[i]->bv_val, values[i]->bv_len, &sid)) {
++ continue;
++ }
+ printf("%s: %s\n", field, sid_to_fstring(tmp, &sid));
+ }
+ }
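Review bot: In the util_sid.c hunk the new `num_auths > MAXSUBAUTHS` test runs after `sid->num_auths = CVAL(inbuf, 1);`, so when sid_parse rejects the input the caller's DOM_SID is still left holding the oversized count. The call sites updated in nttrans.c, cliquota.c and ldap.c now stop on failure, but any caller outside this patch that still ignores the return value would presumably go on to index `sub_auths` with that count; testing first, with `if (CVAL(inbuf, 1) > MAXSUBAUTHS) return False;` placed ahead of the assignment, keeps a failed parse from storing it. The added line also returns `false` while the neighbouring length check returns `False`; one spelling would be consistent. sid_parse begins and ends outside the hunk, so any earlier length check is not visible here.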