/[smeserver]/rpms/samba/sme10/CVE-2017-14746.patch
ViewVC logotype

Annotation of /rpms/samba/sme10/CVE-2017-14746.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.1 - (hide annotations) (download)
Tue May 8 16:37:53 2018 UTC (6 years, 5 months ago) by jpp
Branch: MAIN
CVS Tags: samba-4_6_2-12_el7_4, samba--, samba-4_6_2-12_3_el7_sme, samba-4_6_2-12_4_el7_sme, samba-4_6_2-12_2_el7_sme
upgrade to samba-4.6.2-12

1 jpp 1.1 From 5b2d738fb3e5d40590261702a8e7564a5b0e46d5 Mon Sep 17 00:00:00 2001
2     From: Jeremy Allison <jra@samba.org>
3     Date: Tue, 19 Sep 2017 16:11:33 -0700
4     Subject: [PATCH] s3: smbd: Fix SMB1 use-after-free crash bug. CVE-2017-14746
5     MIME-Version: 1.0
6     Content-Type: text/plain; charset=UTF-8
7     Content-Transfer-Encoding: 8bit
8    
9     When setting up the chain, always use 'next->' variables
10     not the 'req->' one.
11    
12     Bug discovered by 连一汉 <lianyihan@360.cn>
13    
14     CVE-2017-14746
15    
16     BUG: https://bugzilla.samba.org/show_bug.cgi?id=13041
17    
18     Signed-off-by: Jeremy Allison <jra@samba.org>
19     ---
20     source3/smbd/process.c | 7 ++++---
21     source3/smbd/reply.c | 5 +++++
22     2 files changed, 9 insertions(+), 3 deletions(-)
23    
24     diff --git a/source3/smbd/process.c b/source3/smbd/process.c
25     index b65ae2c1b1c..9b2b0a669a2 100644
26     --- a/source3/smbd/process.c
27     +++ b/source3/smbd/process.c
28     @@ -1855,12 +1855,13 @@ void smb_request_done(struct smb_request *req)
29    
30     next->vuid = SVAL(req->outbuf, smb_uid);
31     next->tid = SVAL(req->outbuf, smb_tid);
32     - status = smb1srv_tcon_lookup(req->xconn, req->tid,
33     + status = smb1srv_tcon_lookup(req->xconn, next->tid,
34     now, &tcon);
35     +
36     if (NT_STATUS_IS_OK(status)) {
37     - req->conn = tcon->compat;
38     + next->conn = tcon->compat;
39     } else {
40     - req->conn = NULL;
41     + next->conn = NULL;
42     }
43     next->chain_fsp = req->chain_fsp;
44     next->inbuf = req->inbuf;
45     diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
46     index 7b07078249b..81acedf0413 100644
47     --- a/source3/smbd/reply.c
48     +++ b/source3/smbd/reply.c
49     @@ -923,6 +923,11 @@ void reply_tcon_and_X(struct smb_request *req)
50     }
51    
52     TALLOC_FREE(tcon);
53     + /*
54     + * This tree id is gone. Make sure we can't re-use it
55     + * by accident.
56     + */
57     + req->tid = 0;
58     }
59    
60     if ((passlen > MAX_PASS_LEN) || (passlen >= req->buflen)) {
61     --
62     2.14.2.920.gcf0c67979c-goog
63    

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed