X-Git-Url: http://git.ipfire.org/?p=ipfire-2.x.git;a=blobdiff_plain;f=src%2Fpatches%2Fsamba%2FCVE-2017-12163.patch;fp=src%2Fpatches%2Fsamba%2FCVE-2017-12163.patch;h=0000000000000000000000000000000000000000;hp=93fe2cec240395cc9818c0d595b25e319f6f8c34;hb=1dd31d858ecc4d37fa9c895b59e2b752cc124818;hpb=b3e5529459d4dec78aa07b08b4ccfacdc449c3f9
diff --git a/src/patches/samba/CVE-2017-12163.patch b/src/patches/samba/CVE-2017-12163.patch
deleted file mode 100644
index 93fe2cec24..0000000000
--- a/src/patches/samba/CVE-2017-12163.patch
+++ /dev/null
@@ -1,141 +0,0 @@
-From 9f1a51917649795123bedbefdea678317d392b48 Mon Sep 17 00:00:00 2001
-From: Jeremy Allison
-Date: Fri, 8 Sep 2017 10:13:14 -0700
-Subject: [PATCH] CVE-2017-12163: s3:smbd: Prevent client short SMB1 write from
- writing server memory to file.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13020
-
-Signed-off-by: Jeremy Allison
-Signed-off-by: Stefan Metzmacher
----
- source3/smbd/reply.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 50 insertions(+)
-
-diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
-index 1583c2358bb..9625670d653 100644
---- a/source3/smbd/reply.c
-+++ b/source3/smbd/reply.c
-@@ -3977,6 +3977,9 @@ void reply_writebraw(struct smb_request *req)
- }
-
- /* Ensure we don't write bytes past the end of this packet. */
-+ /*
-+ * This already protects us against CVE-2017-12163.
-+ */
- if (data + numtowrite > smb_base(req->inbuf) + smb_len(req->inbuf)) {
- reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
- error_to_writebrawerr(req);
-@@ -4078,6 +4081,11 @@ void reply_writebraw(struct smb_request *req)
- exit_server_cleanly("secondary writebraw failed");
- }
-
-+ /*
-+ * We are not vulnerable to CVE-2017-12163
-+ * here as we are guarenteed to have numtowrite
-+ * bytes available - we just read from the client.
-+ */
- nwritten = write_file(req,fsp,buf+4,startpos+nwritten,numtowrite);
- if (nwritten == -1) {
- TALLOC_FREE(buf);
-@@ -4159,6 +4167,7 @@ void reply_writeunlock(struct smb_request *req)
- connection_struct *conn = req->conn;
- ssize_t nwritten = -1;
- size_t numtowrite;
-+ size_t remaining;
- SMB_OFF_T startpos;
- const char *data;
- NTSTATUS status = NT_STATUS_OK;
-@@ -4191,6 +4200,17 @@ void reply_writeunlock(struct smb_request *req)
- startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0);
- data = (const char *)req->buf + 3;
-
-+ /*
-+ * Ensure client isn't asking us to write more than
-+ * they sent. CVE-2017-12163.
-+ */
-+ remaining = smbreq_bufrem(req, data);
-+ if (numtowrite > remaining) {
-+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
-+ END_PROFILE(SMBwriteunlock);
-+ return;
-+ }
-+
- if (!fsp->print_file && numtowrite > 0) {
- init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
- (uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
-@@ -4272,6 +4292,7 @@ void reply_write(struct smb_request *req)
- {
- connection_struct *conn = req->conn;
- size_t numtowrite;
-+ size_t remaining;
- ssize_t nwritten = -1;
- SMB_OFF_T startpos;
- const char *data;
-@@ -4312,6 +4333,17 @@ void reply_write(struct smb_request *req)
- startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0);
- data = (const char *)req->buf + 3;
-
-+ /*
-+ * Ensure client isn't asking us to write more than
-+ * they sent. CVE-2017-12163.
-+ */
-+ remaining = smbreq_bufrem(req, data);
-+ if (numtowrite > remaining) {
-+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
-+ END_PROFILE(SMBwrite);
-+ return;
-+ }
-+
- if (!fsp->print_file) {
- init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
- (uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
-@@ -4523,6 +4555,9 @@ void reply_write_and_X(struct smb_request *req)
- return;
- }
- } else {
-+ /*
-+ * This already protects us against CVE-2017-12163.
-+ */
- if (smb_doff > smblen || smb_doff + numtowrite < numtowrite ||
- smb_doff + numtowrite > smblen) {
- reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
-@@ -4892,6 +4927,7 @@ void reply_writeclose(struct smb_request *req)
- {
- connection_struct *conn = req->conn;
- size_t numtowrite;
-+ size_t remaining;
- ssize_t nwritten = -1;
- NTSTATUS close_status = NT_STATUS_OK;
- SMB_OFF_T startpos;
-@@ -4925,6 +4961,17 @@ void reply_writeclose(struct smb_request *req)
- mtime = convert_time_t_to_timespec(srv_make_unix_date3(req->vwv+4));
- data = (const char *)req->buf + 1;
-
-+ /*
-+ * Ensure client isn't asking us to write more than
-+ * they sent. CVE-2017-12163.
-+ */
-+ remaining = smbreq_bufrem(req, data);
-+ if (numtowrite > remaining) {
-+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
-+ END_PROFILE(SMBwriteclose);
-+ return;
-+ }
-+
- if (!fsp->print_file) {
- init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
- (uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
-@@ -5495,6 +5542,9 @@ void reply_printwrite(struct smb_request *req)
-
- numtowrite = SVAL(req->buf, 1);
-
-+ /*
-+ * This already protects us against CVE-2017-12163.
-+ */
- if (req->buflen < numtowrite + 3) {
- reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
- END_PROFILE(SMBsplwr);
--
-2.13.5
-