samba: update to 4.13.0
diff --git a/src/patches/samba/CVE-2017-12163.patch b/src/patches/samba/CVE-2017-12163.patch
deleted file mode 100644 (file)
index 93fe2ce..0000000
+++ /dev/null
@@ -1,141 +0,0 @@
-From 9f1a51917649795123bedbefdea678317d392b48 Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Fri, 8 Sep 2017 10:13:14 -0700
-Subject: [PATCH] CVE-2017-12163: s3:smbd: Prevent client short SMB1 write from
- writing server memory to file.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13020
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
----
- source3/smbd/reply.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 50 insertions(+)
-
-diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
-index 1583c2358bb..9625670d653 100644
---- a/source3/smbd/reply.c
-+++ b/source3/smbd/reply.c
-@@ -3977,6 +3977,9 @@ void reply_writebraw(struct smb_request *req)
-       }
-       /* Ensure we don't write bytes past the end of this packet. */
-+      /*
-+       * This already protects us against CVE-2017-12163.
-+       */
-       if (data + numtowrite > smb_base(req->inbuf) + smb_len(req->inbuf)) {
-               reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
-               error_to_writebrawerr(req);
-@@ -4078,6 +4081,11 @@ void reply_writebraw(struct smb_request *req)
-                       exit_server_cleanly("secondary writebraw failed");
-               }
-+              /*
-+               * We are not vulnerable to CVE-2017-12163
-+               * here as we are guarenteed to have numtowrite
-+               * bytes available - we just read from the client.
-+               */
-               nwritten = write_file(req,fsp,buf+4,startpos+nwritten,numtowrite);
-               if (nwritten == -1) {
-                       TALLOC_FREE(buf);
-@@ -4159,6 +4167,7 @@ void reply_writeunlock(struct smb_request *req)
-       connection_struct *conn = req->conn;
-       ssize_t nwritten = -1;
-       size_t numtowrite;
-+      size_t remaining;
-       SMB_OFF_T startpos;
-       const char *data;
-       NTSTATUS status = NT_STATUS_OK;
-@@ -4191,6 +4200,17 @@ void reply_writeunlock(struct smb_request *req)
-       startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0);
-       data = (const char *)req->buf + 3;
-+      /*
-+       * Ensure client isn't asking us to write more than
-+       * they sent. CVE-2017-12163.
-+       */
-+      remaining = smbreq_bufrem(req, data);
-+      if (numtowrite > remaining) {
-+              reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
-+              END_PROFILE(SMBwriteunlock);
-+              return;
-+      }
-+
-       if (!fsp->print_file && numtowrite > 0) {
-               init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
-                   (uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
-@@ -4272,6 +4292,7 @@ void reply_write(struct smb_request *req)
- {
-       connection_struct *conn = req->conn;
-       size_t numtowrite;
-+      size_t remaining;
-       ssize_t nwritten = -1;
-       SMB_OFF_T startpos;
-       const char *data;
-@@ -4312,6 +4333,17 @@ void reply_write(struct smb_request *req)
-       startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0);
-       data = (const char *)req->buf + 3;
-+      /*
-+       * Ensure client isn't asking us to write more than
-+       * they sent. CVE-2017-12163.
-+       */
-+      remaining = smbreq_bufrem(req, data);
-+      if (numtowrite > remaining) {
-+              reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
-+              END_PROFILE(SMBwrite);
-+              return;
-+      }
-+
-       if (!fsp->print_file) {
-               init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
-                       (uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
-@@ -4523,6 +4555,9 @@ void reply_write_and_X(struct smb_request *req)
-                       return;
-               }
-       } else {
-+              /*
-+               * This already protects us against CVE-2017-12163.
-+               */
-               if (smb_doff > smblen || smb_doff + numtowrite < numtowrite ||
-                               smb_doff + numtowrite > smblen) {
-                       reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
-@@ -4892,6 +4927,7 @@ void reply_writeclose(struct smb_request *req)
- {
-       connection_struct *conn = req->conn;
-       size_t numtowrite;
-+      size_t remaining;
-       ssize_t nwritten = -1;
-       NTSTATUS close_status = NT_STATUS_OK;
-       SMB_OFF_T startpos;
-@@ -4925,6 +4961,17 @@ void reply_writeclose(struct smb_request *req)
-       mtime = convert_time_t_to_timespec(srv_make_unix_date3(req->vwv+4));
-       data = (const char *)req->buf + 1;
-+      /*
-+       * Ensure client isn't asking us to write more than
-+       * they sent. CVE-2017-12163.
-+       */
-+      remaining = smbreq_bufrem(req, data);
-+      if (numtowrite > remaining) {
-+              reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
-+              END_PROFILE(SMBwriteclose);
-+              return;
-+      }
-+
-       if (!fsp->print_file) {
-               init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
-                   (uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
-@@ -5495,6 +5542,9 @@ void reply_printwrite(struct smb_request *req)
-       numtowrite = SVAL(req->buf, 1);
-+      /*
-+       * This already protects us against CVE-2017-12163.
-+       */
-       if (req->buflen < numtowrite + 3) {
-               reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
-               END_PROFILE(SMBsplwr);
--- 
-2.13.5
-