From: Jeremy Allison
Date: Tue, 7 Jun 2022 16:53:08 +0000 (-0700)
Subject: CVE-2022-32742: s3: smbd: Harden the smbreq_bufrem() macro.
X-Git-Tag: samba-4.17.0rc1~266
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3ddc9344c2fa7461336899fbddb0bb80995e9170;p=thirdparty%2Fsamba.git

CVE-2022-32742: s3: smbd: Harden the smbreq_bufrem() macro.

Fixes the raw.write.bad-write test.

NB. We need the two (==0) changes in source3/smbd/smb2_reply.c as the gcc optimizer now knows that the return from smbreq_bufrem() can never be less than zero.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15085

Remove knownfail.

Signed-off-by: Jeremy Allison
Reviewed-by: David Disseldorp
Autobuild-User(master): Jule Anger
Autobuild-Date(master): Wed Jul 27 11:46:46 UTC 2022 on sn-devel-184
---
diff --git a/selftest/knownfail.d/bad-write b/selftest/knownfail.d/bad-write deleted file mode 100644 index 5fc16606a13..00000000000 --- a/selftest/knownfail.d/bad-write +++ /dev/null @@ -1,2 +0,0 @@ -^samba3.raw.write.bad-write\(nt4_dc_smb1\) -^samba3.raw.write.bad-write\(ad_dc_smb1\) diff --git a/source3/include/smb_macros.h b/source3/include/smb_macros.h index 85ef221ed18..8271dbddfce 100644 --- a/source3/include/smb_macros.h +++ b/source3/include/smb_macros.h @@ -151,7 +151,7 @@ #define smb_buflen(buf) (SVAL(buf,smb_vwv0 + (int)CVAL(buf, smb_wct)*2)) /* the remaining number of bytes in smb buffer 'buf' from pointer 'p'. */ -#define smbreq_bufrem(req, p) (req->buflen - PTR_DIFF(p, req->buf)) +#define smbreq_bufrem(req, p) ((req)->buflen < PTR_DIFF((p), (req)->buf) ? 0 : (req)->buflen - PTR_DIFF((p), (req)->buf)) /* Note that chain_size must be available as an extern int to this macro. */ diff --git a/source3/smbd/smb2_reply.c b/source3/smbd/smb2_reply.c index 673c1e2216b..bf992025958 100644 --- a/source3/smbd/smb2_reply.c +++ b/source3/smbd/smb2_reply.c 
@@ -344,7 +344,7 @@ size_t srvstr_get_path_req(TALLOC_CTX *mem_ctx, struct smb_request *req, { ssize_t bufrem = smbreq_bufrem(req, src); - if (bufrem < 0) { + if (bufrem == 0) { *err = NT_STATUS_INVALID_PARAMETER; return 0; } @@ -382,7 +382,7 @@ size_t srvstr_pull_req_talloc(TALLOC_CTX *ctx, struct smb_request *req, { ssize_t bufrem = smbreq_bufrem(req, src); - if (bufrem < 0) { + if (bufrem == 0) { return 0; }
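Review bot: In the smb_macros.h hunk the new smbreq_bufrem() folds "p lies past the end of the buffer" into the same return value as "exactly zero bytes remain", so callers lose the ability to tell an out-of-bounds pointer from a legitimately empty tail, and the comment above the macro ("the remaining number of bytes in smb buffer 'buf' from pointer 'p'") no longer describes the clamped behaviour. Please extend the comment to say the result is 0 when p is outside the buffer, and note that the macro now evaluates `(p)` and `PTR_DIFF((p), (req)->buf)` twice, so a caller passing an expression with side effects (e.g. `p++`) would be miscomputed; a static inline function would avoid both the double evaluation and the need for the extra parentheses.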
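Review bot: In the srvstr_get_path_req() hunk the switch from `if (bufrem < 0)` to `if (bufrem == 0)` is a semantic change, not just the optimizer appeasement the commit message describes: before the patch a source pointer sitting exactly at `req->buf + req->buflen` (zero bytes remaining) passed this check and was handed to the pull routine, whereas now it is rejected with NT_STATUS_INVALID_PARAMETER. If rejecting an empty remainder is the intended hardening, the commit message should say so; if an empty path at the end of the request is legitimate, check the bound explicitly before calling the macro, e.g. `if (PTR_DIFF(src, req->buf) > req->buflen) { *err = NT_STATUS_INVALID_PARAMETER; return 0; }`, and keep `bufrem` as the clamped length. With the macro now unable to return a negative value, `ssize_t bufrem` can also become `size_t`.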
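Review bot: In the srvstr_pull_req_talloc() hunk the same `== 0` change applies, but here the function returns 0 without reporting an error, so after this patch a caller cannot distinguish "src was beyond the request buffer" (the CVE condition this change is meant to catch) from "zero bytes were available and nothing was pulled". Consider either surfacing the out-of-bounds case through a status out-parameter as srvstr_get_path_req() does, or adding a DBG/log line at this return so that a malformed request that trips the bound is visible in the server log rather than silently treated as an empty string.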