[ipfire-2.x.git] / src / patches / samba / CVE-2017-12163.patch

From 9f1a51917649795123bedbefdea678317d392b48 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Fri, 8 Sep 2017 10:13:14 -0700
Subject: [PATCH] CVE-2017-12163: s3:smbd: Prevent client short SMB1 write from
 writing server memory to file.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13020

Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
 source3/smbd/reply.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)

diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index 1583c2358bb..9625670d653 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -3977,6 +3977,9 @@ void reply_writebraw(struct smb_request *req)
 	}
 
 	/* Ensure we don't write bytes past the end of this packet. */
+	/*
+	 * This already protects us against CVE-2017-12163.
+	 */
 	if (data + numtowrite > smb_base(req->inbuf) + smb_len(req->inbuf)) {
 		reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
 		error_to_writebrawerr(req);
@@ -4078,6 +4081,11 @@ void reply_writebraw(struct smb_request *req)
 			exit_server_cleanly("secondary writebraw failed");
 		}
 
+		/*
+		 * We are not vulnerable to CVE-2017-12163
+		 * here as we are guarenteed to have numtowrite
+		 * bytes available - we just read from the client.
+		 */
 		nwritten = write_file(req,fsp,buf+4,startpos+nwritten,numtowrite);
 		if (nwritten == -1) {
 			TALLOC_FREE(buf);
@@ -4159,6 +4167,7 @@ void reply_writeunlock(struct smb_request *req)
 	connection_struct *conn = req->conn;
 	ssize_t nwritten = -1;
 	size_t numtowrite;
+	size_t remaining;
 	SMB_OFF_T startpos;
 	const char *data;
 	NTSTATUS status = NT_STATUS_OK;
@@ -4191,6 +4200,17 @@ void reply_writeunlock(struct smb_request *req)
 	startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0);
 	data = (const char *)req->buf + 3;
 
+	/*
+	 * Ensure client isn't asking us to write more than
+	 * they sent. CVE-2017-12163.
+	 */
+	remaining = smbreq_bufrem(req, data);
+	if (numtowrite > remaining) {
+		reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+		END_PROFILE(SMBwriteunlock);
+		return;
+	}
+
 	if (!fsp->print_file && numtowrite > 0) {
 		init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
 		    (uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
@@ -4272,6 +4292,7 @@ void reply_write(struct smb_request *req)
 {
 	connection_struct *conn = req->conn;
 	size_t numtowrite;
+	size_t remaining;
 	ssize_t nwritten = -1;
 	SMB_OFF_T startpos;
 	const char *data;
@@ -4312,6 +4333,17 @@ void reply_write(struct smb_request *req)
 	startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0);
 	data = (const char *)req->buf + 3;
 
+	/*
+	 * Ensure client isn't asking us to write more than
+	 * they sent. CVE-2017-12163.
+	 */
+	remaining = smbreq_bufrem(req, data);
+	if (numtowrite > remaining) {
+		reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+		END_PROFILE(SMBwrite);
+		return;
+	}
+
 	if (!fsp->print_file) {
 		init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
 			(uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
@@ -4523,6 +4555,9 @@ void reply_write_and_X(struct smb_request *req)
 			return;
 		}
 	} else {
+		/*
+		 * This already protects us against CVE-2017-12163.
+		 */
 		if (smb_doff > smblen || smb_doff + numtowrite < numtowrite ||
 				smb_doff + numtowrite > smblen) {
 			reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
@@ -4892,6 +4927,7 @@ void reply_writeclose(struct smb_request *req)
 {
 	connection_struct *conn = req->conn;
 	size_t numtowrite;
+	size_t remaining;
 	ssize_t nwritten = -1;
 	NTSTATUS close_status = NT_STATUS_OK;
 	SMB_OFF_T startpos;
@@ -4925,6 +4961,17 @@ void reply_writeclose(struct smb_request *req)
 	mtime = convert_time_t_to_timespec(srv_make_unix_date3(req->vwv+4));
 	data = (const char *)req->buf + 1;
 
+	/*
+	 * Ensure client isn't asking us to write more than
+	 * they sent. CVE-2017-12163.
+	 */
+	remaining = smbreq_bufrem(req, data);
+	if (numtowrite > remaining) {
+		reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+		END_PROFILE(SMBwriteclose);
+		return;
+	}
+
 	if (!fsp->print_file) {
 		init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
 		    (uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
@@ -5495,6 +5542,9 @@ void reply_printwrite(struct smb_request *req)
 
 	numtowrite = SVAL(req->buf, 1);
 
+	/*
+	 * This already protects us against CVE-2017-12163.
+	 */
 	if (req->buflen < numtowrite + 3) {
 		reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
 		END_PROFILE(SMBsplwr);
-- 
2.13.5
Commit	Line	Data
d8953998 AF	1	From 9f1a51917649795123bedbefdea678317d392b48 Mon Sep 17 00:00:00 2001
	2	From: Jeremy Allison <jra@samba.org>
	3	Date: Fri, 8 Sep 2017 10:13:14 -0700
	4	Subject: [PATCH] CVE-2017-12163: s3:smbd: Prevent client short SMB1 write from
	5	writing server memory to file.
	6
	7	BUG: https://bugzilla.samba.org/show_bug.cgi?id=13020
	8
	9	Signed-off-by: Jeremy Allison <jra@samba.org>
	10	Signed-off-by: Stefan Metzmacher <metze@samba.org>
	11	---
	12	source3/smbd/reply.c \| 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
	13	1 file changed, 50 insertions(+)
	14
	15	diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
	16	index 1583c2358bb..9625670d653 100644
	17	--- a/source3/smbd/reply.c
	18	+++ b/source3/smbd/reply.c
	19	@@ -3977,6 +3977,9 @@ void reply_writebraw(struct smb_request *req)
	20	}
	21
	22	/* Ensure we don't write bytes past the end of this packet. */
	23	+ /*
	24	+ * This already protects us against CVE-2017-12163.
	25	+ */
	26	if (data + numtowrite > smb_base(req->inbuf) + smb_len(req->inbuf)) {
	27	reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
	28	error_to_writebrawerr(req);
	29	@@ -4078,6 +4081,11 @@ void reply_writebraw(struct smb_request *req)
	30	exit_server_cleanly("secondary writebraw failed");
	31	}
	32
	33	+ /*
	34	+ * We are not vulnerable to CVE-2017-12163
	35	+ * here as we are guarenteed to have numtowrite
	36	+ * bytes available - we just read from the client.
	37	+ */
	38	nwritten = write_file(req,fsp,buf+4,startpos+nwritten,numtowrite);
	39	if (nwritten == -1) {
	40	TALLOC_FREE(buf);
	41	@@ -4159,6 +4167,7 @@ void reply_writeunlock(struct smb_request *req)
	42	connection_struct *conn = req->conn;
	43	ssize_t nwritten = -1;
	44	size_t numtowrite;
	45	+ size_t remaining;
	46	SMB_OFF_T startpos;
	47	const char *data;
	48	NTSTATUS status = NT_STATUS_OK;
	49	@@ -4191,6 +4200,17 @@ void reply_writeunlock(struct smb_request *req)
	50	startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0);
	51	data = (const char *)req->buf + 3;
	52
	53	+ /*
	54	+ * Ensure client isn't asking us to write more than
	55	+ * they sent. CVE-2017-12163.
	56	+ */
	57	+ remaining = smbreq_bufrem(req, data);
	58	+ if (numtowrite > remaining) {
	59	+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
	60	+ END_PROFILE(SMBwriteunlock);
	61	+ return;
	62	+ }
	63	+
	64	if (!fsp->print_file && numtowrite > 0) {
65	init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
66	(uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
67	@@ -4272,6 +4292,7 @@ void reply_write(struct smb_request *req)
68	{
69	connection_struct *conn = req->conn;
70	size_t numtowrite;
71	+ size_t remaining;
72	ssize_t nwritten = -1;
73	SMB_OFF_T startpos;
74	const char *data;
75	@@ -4312,6 +4333,17 @@ void reply_write(struct smb_request *req)
76	startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0);
77	data = (const char *)req->buf + 3;
78
79	+ /*
80	+ * Ensure client isn't asking us to write more than
81	+ * they sent. CVE-2017-12163.
82	+ */
83	+ remaining = smbreq_bufrem(req, data);
84	+ if (numtowrite > remaining) {
85	+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
86	+ END_PROFILE(SMBwrite);
87	+ return;
88	+ }
89	+
90	if (!fsp->print_file) {
91	init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
92	(uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
93	@@ -4523,6 +4555,9 @@ void reply_write_and_X(struct smb_request *req)
94	return;
95	}
96	} else {
97	+ /*
98	+ * This already protects us against CVE-2017-12163.
99	+ */
100	if (smb_doff > smblen \|\| smb_doff + numtowrite < numtowrite \|\|
101	smb_doff + numtowrite > smblen) {
102	reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
103	@@ -4892,6 +4927,7 @@ void reply_writeclose(struct smb_request *req)
104	{
105	connection_struct *conn = req->conn;
106	size_t numtowrite;
107	+ size_t remaining;
108	ssize_t nwritten = -1;
109	NTSTATUS close_status = NT_STATUS_OK;
110	SMB_OFF_T startpos;
111	@@ -4925,6 +4961,17 @@ void reply_writeclose(struct smb_request *req)
112	mtime = convert_time_t_to_timespec(srv_make_unix_date3(req->vwv+4));
113	data = (const char *)req->buf + 1;
114
115	+ /*
116	+ * Ensure client isn't asking us to write more than
117	+ * they sent. CVE-2017-12163.
118	+ */
119	+ remaining = smbreq_bufrem(req, data);
120	+ if (numtowrite > remaining) {
121	+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
122	+ END_PROFILE(SMBwriteclose);
123	+ return;
124	+ }
125	+
126	if (!fsp->print_file) {
127	init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
128	(uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
129	@@ -5495,6 +5542,9 @@ void reply_printwrite(struct smb_request *req)
130
131	numtowrite = SVAL(req->buf, 1);
132
133	+ /*
134	+ * This already protects us against CVE-2017-12163.
135	+ */
136	if (req->buflen < numtowrite + 3) {
137	reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
138	END_PROFILE(SMBsplwr);
139	--
140	2.13.5
141