samba36: fix some security problems

[openwrt/openwrt.git] / package / network / services / samba36 / patches / 031-CVE-2017-12163-v3.6.patch

diff --git a/package/network/services/samba36/patches/031-CVE-2017-12163-v3.6.patch b/package/network/services/samba36/patches/031-CVE-2017-12163-v3.6.patch
new file mode 100644 (file)
index 0000000..d7faa13
--- /dev/null
+++ b/package/network/services/samba36/patches/031-CVE-2017-12163-v3.6.patch
@@ -0,0 +1,136 @@
+From: =?utf-8?q?Guido_G=C3=BCnther?= <agx@sigxcpu.org>
+Date: Wed, 20 Sep 2017 20:02:03 +0200
+Subject: CVE-2017-12163: s3:smbd: Prevent client short SMB1 write from
+ writing server memory to file.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13020
+
+Author: Jeremy Allison <jra@samba.org>
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ source3/smbd/reply.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 50 insertions(+)
+
+--- a/source3/smbd/reply.c
++++ b/source3/smbd/reply.c
+@@ -3979,6 +3979,9 @@ void reply_writebraw(struct smb_request
+       }
+ 
+       /* Ensure we don't write bytes past the end of this packet. */
++      /*
++       * This already protects us against CVE-2017-12163.
++       */
+       if (data + numtowrite > smb_base(req->inbuf) + smb_len(req->inbuf)) {
+               reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+               error_to_writebrawerr(req);
+@@ -4080,6 +4083,11 @@ void reply_writebraw(struct smb_request
+                       exit_server_cleanly("secondary writebraw failed");
+               }
+ 
++              /*
++               * We are not vulnerable to CVE-2017-12163
++               * here as we are guarenteed to have numtowrite
++               * bytes available - we just read from the client.
++               */
+               nwritten = write_file(req,fsp,buf+4,startpos+nwritten,numtowrite);
+               if (nwritten == -1) {
+                       TALLOC_FREE(buf);
+@@ -4161,6 +4169,7 @@ void reply_writeunlock(struct smb_reques
+       connection_struct *conn = req->conn;
+       ssize_t nwritten = -1;
+       size_t numtowrite;
++      size_t remaining;
+       SMB_OFF_T startpos;
+       const char *data;
+       NTSTATUS status = NT_STATUS_OK;
+@@ -4193,6 +4202,17 @@ void reply_writeunlock(struct smb_reques
+       startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0);
+       data = (const char *)req->buf + 3;
+ 
++      /*
++       * Ensure client isn't asking us to write more than
++       * they sent. CVE-2017-12163.
++       */
++      remaining = smbreq_bufrem(req, data);
++      if (numtowrite > remaining) {
++              reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
++              END_PROFILE(SMBwriteunlock);
++              return;
++      }
++
+       if (!fsp->print_file && numtowrite > 0) {
+               init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
+                   (uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
+@@ -4274,6 +4294,7 @@ void reply_write(struct smb_request *req
+ {
+       connection_struct *conn = req->conn;
+       size_t numtowrite;
++      size_t remaining;
+       ssize_t nwritten = -1;
+       SMB_OFF_T startpos;
+       const char *data;
+@@ -4314,6 +4335,17 @@ void reply_write(struct smb_request *req
+       startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0);
+       data = (const char *)req->buf + 3;
+ 
++      /*
++       * Ensure client isn't asking us to write more than
++       * they sent. CVE-2017-12163.
++       */
++      remaining = smbreq_bufrem(req, data);
++      if (numtowrite > remaining) {
++              reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
++              END_PROFILE(SMBwrite);
++              return;
++      }
++
+       if (!fsp->print_file) {
+               init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
+                       (uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
+@@ -4525,6 +4557,9 @@ void reply_write_and_X(struct smb_reques
+                       return;
+               }
+       } else {
++              /*
++               * This already protects us against CVE-2017-12163.
++               */
+               if (smb_doff > smblen || smb_doff + numtowrite < numtowrite ||
+                               smb_doff + numtowrite > smblen) {
+                       reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+@@ -4894,6 +4929,7 @@ void reply_writeclose(struct smb_request
+ {
+       connection_struct *conn = req->conn;
+       size_t numtowrite;
++      size_t remaining;
+       ssize_t nwritten = -1;
+       NTSTATUS close_status = NT_STATUS_OK;
+       SMB_OFF_T startpos;
+@@ -4927,6 +4963,17 @@ void reply_writeclose(struct smb_request
+       mtime = convert_time_t_to_timespec(srv_make_unix_date3(req->vwv+4));
+       data = (const char *)req->buf + 1;
+ 
++      /*
++       * Ensure client isn't asking us to write more than
++       * they sent. CVE-2017-12163.
++       */
++      remaining = smbreq_bufrem(req, data);
++      if (numtowrite > remaining) {
++              reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
++              END_PROFILE(SMBwriteclose);
++              return;
++      }
++
+       if (!fsp->print_file) {
+               init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
+                   (uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
+@@ -5497,6 +5544,9 @@ void reply_printwrite(struct smb_request
+ 
+       numtowrite = SVAL(req->buf, 1);
+ 
++      /*
++       * This already protects us against CVE-2017-12163.
++       */
+       if (req->buflen < numtowrite + 3) {
+               reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+               END_PROFILE(SMBsplwr);