samba: import security updates from redhead

[ipfire-2.x.git] / src / patches / samba / CVE-2017-12163.patch

From 9f1a51917649795123bedbefdea678317d392b48 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Fri, 8 Sep 2017 10:13:14 -0700
Subject: [PATCH] CVE-2017-12163: s3:smbd: Prevent client short SMB1 write from
 writing server memory to file.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13020

Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
 source3/smbd/reply.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)

diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index 1583c2358bb..9625670d653 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -3977,6 +3977,9 @@ void reply_writebraw(struct smb_request *req)
        }
 
        /* Ensure we don't write bytes past the end of this packet. */
+       /*
+        * This already protects us against CVE-2017-12163.
+        */
        if (data + numtowrite > smb_base(req->inbuf) + smb_len(req->inbuf)) {
                reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
                error_to_writebrawerr(req);
@@ -4078,6 +4081,11 @@ void reply_writebraw(struct smb_request *req)
                        exit_server_cleanly("secondary writebraw failed");
                }
 
+               /*
+                * We are not vulnerable to CVE-2017-12163
+                * here as we are guarenteed to have numtowrite
+                * bytes available - we just read from the client.
+                */
                nwritten = write_file(req,fsp,buf+4,startpos+nwritten,numtowrite);
                if (nwritten == -1) {
                        TALLOC_FREE(buf);
@@ -4159,6 +4167,7 @@ void reply_writeunlock(struct smb_request *req)
        connection_struct *conn = req->conn;
        ssize_t nwritten = -1;
        size_t numtowrite;
+       size_t remaining;
        SMB_OFF_T startpos;
        const char *data;
        NTSTATUS status = NT_STATUS_OK;
@@ -4191,6 +4200,17 @@ void reply_writeunlock(struct smb_request *req)
        startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0);
        data = (const char *)req->buf + 3;
 
+       /*
+        * Ensure client isn't asking us to write more than
+        * they sent. CVE-2017-12163.
+        */
+       remaining = smbreq_bufrem(req, data);
+       if (numtowrite > remaining) {
+               reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+               END_PROFILE(SMBwriteunlock);
+               return;
+       }
+
        if (!fsp->print_file && numtowrite > 0) {
                init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
                    (uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
@@ -4272,6 +4292,7 @@ void reply_write(struct smb_request *req)
 {
        connection_struct *conn = req->conn;
        size_t numtowrite;
+       size_t remaining;
        ssize_t nwritten = -1;
        SMB_OFF_T startpos;
        const char *data;
@@ -4312,6 +4333,17 @@ void reply_write(struct smb_request *req)
        startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0);
        data = (const char *)req->buf + 3;
 
+       /*
+        * Ensure client isn't asking us to write more than
+        * they sent. CVE-2017-12163.
+        */
+       remaining = smbreq_bufrem(req, data);
+       if (numtowrite > remaining) {
+               reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+               END_PROFILE(SMBwrite);
+               return;
+       }
+
        if (!fsp->print_file) {
                init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
                        (uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
@@ -4523,6 +4555,9 @@ void reply_write_and_X(struct smb_request *req)
                        return;
                }
        } else {
+               /*
+                * This already protects us against CVE-2017-12163.
+                */
                if (smb_doff > smblen || smb_doff + numtowrite < numtowrite ||
                                smb_doff + numtowrite > smblen) {
                        reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
@@ -4892,6 +4927,7 @@ void reply_writeclose(struct smb_request *req)
 {
        connection_struct *conn = req->conn;
        size_t numtowrite;
+       size_t remaining;
        ssize_t nwritten = -1;
        NTSTATUS close_status = NT_STATUS_OK;
        SMB_OFF_T startpos;
@@ -4925,6 +4961,17 @@ void reply_writeclose(struct smb_request *req)
        mtime = convert_time_t_to_timespec(srv_make_unix_date3(req->vwv+4));
        data = (const char *)req->buf + 1;
 
+       /*
+        * Ensure client isn't asking us to write more than
+        * they sent. CVE-2017-12163.
+        */
+       remaining = smbreq_bufrem(req, data);
+       if (numtowrite > remaining) {
+               reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+               END_PROFILE(SMBwriteclose);
+               return;
+       }
+
        if (!fsp->print_file) {
                init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
                    (uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
@@ -5495,6 +5542,9 @@ void reply_printwrite(struct smb_request *req)
 
        numtowrite = SVAL(req->buf, 1);
 
+       /*
+        * This already protects us against CVE-2017-12163.
+        */
        if (req->buflen < numtowrite + 3) {
                reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
                END_PROFILE(SMBsplwr);
-- 
2.13.5