1 From: =?utf-8?q?Guido_G=C3=BCnther?= <agx@sigxcpu.org>
2 Date: Wed, 20 Sep 2017 20:02:03 +0200
3 Subject: CVE-2017-12163: s3:smbd: Prevent client short SMB1 write from
4 writing server memory to file.
5
6 BUG: https://bugzilla.samba.org/show_bug.cgi?id=13020
7
8 Author: Jeremy Allison <jra@samba.org>
9 Signed-off-by: Jeremy Allison <jra@samba.org>
10 Signed-off-by: Stefan Metzmacher <metze@samba.org>
11 ---
12 source3/smbd/reply.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
13 1 file changed, 50 insertions(+)
14
15 --- a/source3/smbd/reply.c
16 +++ b/source3/smbd/reply.c
17 @@ -3979,6 +3979,9 @@ void reply_writebraw(struct smb_request
18 }
19
20 /* Ensure we don't write bytes past the end of this packet. */
21 + /*
22 + * This already protects us against CVE-2017-12163.
23 + */
24 if (data + numtowrite > smb_base(req->inbuf) + smb_len(req->inbuf)) {
25 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
26 error_to_writebrawerr(req);
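Review bot: The bound at `data + numtowrite > smb_base(req->inbuf) + smb_len(req->inbuf)` is written as a pointer comparison, so an oversized numtowrite first forms a pointer well past the received packet and only then gets rejected, whereas the other hunks in this patch compare against a remaining byte count. A length form is consistent with those and never builds an out-of-object pointer, e.g. `if (numtowrite > (size_t)(smb_base(req->inbuf) + smb_len(req->inbuf) - data)) {`, which assumes `data` has already been established to lie inside inbuf; where `data` and `numtowrite` are read is above this hunk and not visible. The added comment could also say why the check suffices rather than only that it does. reply_writebraw starts before this hunk and continues past it.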
27 @@ -4080,6 +4083,11 @@ void reply_writebraw(struct smb_request
28 exit_server_cleanly("secondary writebraw failed");
29 }
30
31 + /*
32 + * We are not vulnerable to CVE-2017-12163
33 + * here as we are guarenteed to have numtowrite
34 + * bytes available - we just read from the client.
35 + */
36 nwritten = write_file(req,fsp,buf+4,startpos+nwritten,numtowrite);
37 if (nwritten == -1) {
38 TALLOC_FREE(buf);
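Review bot: The new comment misspells "guaranteed" as `guarenteed`, and since this comment is the written justification for not adding a bounds check on this write_file call it is worth getting exactly right: `* here as we are guaranteed to have numtowrite bytes available - we just read from the client.`. It would also help to name where that guarantee comes from (the read of the secondary packet into buf, and the size it was requested with, happen above this hunk and are not visible here), so a later reader can verify the claim instead of taking it on faith. reply_writebraw continues on both sides of this hunk.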
39 @@ -4161,6 +4169,7 @@ void reply_writeunlock(struct smb_reques
40 connection_struct *conn = req->conn;
41 ssize_t nwritten = -1;
42 size_t numtowrite;
43 + size_t remaining;
44 SMB_OFF_T startpos;
45 const char *data;
46 NTSTATUS status = NT_STATUS_OK;
47 @@ -4193,6 +4202,17 @@ void reply_writeunlock(struct smb_reques
48 startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0);
49 data = (const char *)req->buf + 3;
50
51 + /*
52 + * Ensure client isn't asking us to write more than
53 + * they sent. CVE-2017-12163.
54 + */
55 + remaining = smbreq_bufrem(req, data);
56 + if (numtowrite > remaining) {
57 + reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
58 + END_PROFILE(SMBwriteunlock);
59 + return;
60 + }
61 +
62 if (!fsp->print_file && numtowrite > 0) {
63 init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
64 (uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
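Review bot: The new `numtowrite > remaining` check relies on `smbreq_bufrem(req, data)` returning a small value even though `data = (const char *)req->buf + 3;` already points past a data block shorter than three bytes; if smbreq_bufrem is the plain `req->buflen - PTR_DIFF(p, req->buf)` subtraction rather than a clamped one (its definition is not visible here), a buflen below 3 wraps to a huge size_t and any numtowrite passes. Unless an earlier `req->buflen` test exists above this hunk, guarding the length directly removes the dependency: `if (req->buflen < 3 || numtowrite > remaining) {`. The error path itself is consistent with the surrounding handlers, calling END_PROFILE before returning. reply_writeunlock starts and ends outside this hunk.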
65 @@ -4274,6 +4294,7 @@ void reply_write(struct smb_request *req
66 {
67 connection_struct *conn = req->conn;
68 size_t numtowrite;
69 + size_t remaining;
70 ssize_t nwritten = -1;
71 SMB_OFF_T startpos;
72 const char *data;
73 @@ -4314,6 +4335,17 @@ void reply_write(struct smb_request *req
74 startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0);
75 data = (const char *)req->buf + 3;
76
77 + /*
78 + * Ensure client isn't asking us to write more than
79 + * they sent. CVE-2017-12163.
80 + */
81 + remaining = smbreq_bufrem(req, data);
82 + if (numtowrite > remaining) {
83 + reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
84 + END_PROFILE(SMBwrite);
85 + return;
86 + }
87 +
88 if (!fsp->print_file) {
89 init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
90 (uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
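Review bot: This eleven-line guard is pasted identically into reply_write, reply_writeunlock and reply_writeclose, differing only in the END_PROFILE tag; a one-line static helper next to them, `static bool smb1_write_fits(const struct smb_request *req, const char *data, size_t numtowrite) { return numtowrite <= smbreq_bufrem(req, data); }`, with each site reduced to `if (!smb1_write_fits(req, data, numtowrite)) {`, keeps the three copies from drifting and gives the next SMB1 write path an obvious call to make. The `remaining` local then disappears from all three functions. reply_write starts and ends outside this hunk.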
91 @@ -4525,6 +4557,9 @@ void reply_write_and_X(struct smb_reques
92 return;
93 }
94 } else {
95 + /*
96 + * This already protects us against CVE-2017-12163.
97 + */
98 if (smb_doff > smblen || smb_doff + numtowrite < numtowrite ||
99 smb_doff + numtowrite > smblen) {
100 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
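Review bot: The comment `This already protects us against CVE-2017-12163.` is placed in the `else` branch only, yet it reads as if the whole handler were covered; the `if` branch that returns just before `} else {` is outside this hunk, so what bounds numtowrite on that path cannot be confirmed here. Saying which path the comment covers avoids that, e.g. `* Non-large writeX path: smb_doff + numtowrite is bounded against smblen below, so CVE-2017-12163 cannot apply here.`. The existing check itself is sound, including the `smb_doff + numtowrite < numtowrite` wrap guard. reply_write_and_X continues on both sides of this hunk.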
101 @@ -4894,6 +4929,7 @@ void reply_writeclose(struct smb_request
102 {
103 connection_struct *conn = req->conn;
104 size_t numtowrite;
105 + size_t remaining;
106 ssize_t nwritten = -1;
107 NTSTATUS close_status = NT_STATUS_OK;
108 SMB_OFF_T startpos;
109 @@ -4927,6 +4963,17 @@ void reply_writeclose(struct smb_request
110 mtime = convert_time_t_to_timespec(srv_make_unix_date3(req->vwv+4));
111 data = (const char *)req->buf + 1;
112
113 + /*
114 + * Ensure client isn't asking us to write more than
115 + * they sent. CVE-2017-12163.
116 + */
117 + remaining = smbreq_bufrem(req, data);
118 + if (numtowrite > remaining) {
119 + reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
120 + END_PROFILE(SMBwriteclose);
121 + return;
122 + }
123 +
124 if (!fsp->print_file) {
125 init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
126 (uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
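Review bot: With `data = (const char *)req->buf + 1;`, an empty data block leaves `data` one byte past the buffer before `smbreq_bufrem(req, data)` is evaluated, and whether the new `numtowrite > remaining` check then rejects the request depends on smbreq_bufrem clamping at zero rather than computing `req->buflen - 1` in size_t, which is not visible in this patch. If it does not clamp, `if (req->buflen < 1 || numtowrite > remaining) {` makes the intent explicit either way. reply_writeclose starts and ends outside this hunk.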
127 @@ -5497,6 +5544,9 @@ void reply_printwrite(struct smb_request
128
129 numtowrite = SVAL(req->buf, 1);
130
131 + /*
132 + * This already protects us against CVE-2017-12163.
133 + */
134 if (req->buflen < numtowrite + 3) {
135 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
136 END_PROFILE(SMBsplwr);
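Review bot: `numtowrite = SVAL(req->buf, 1);` reads two bytes of the data block before the `req->buflen < numtowrite + 3` comparison that follows it, so on a data block shorter than three bytes the read precedes the bound that would reject it; unless an earlier `req->buflen` test exists above this hunk (not visible), a guard before the SVAL closes that, `if (req->buflen < 3) { reply_nterror(req, NT_STATUS_INVALID_PARAMETER); END_PROFILE(SMBsplwr); return; }`. The existing comparison cannot wrap, since SVAL yields a 16-bit value. reply_printwrite starts before this hunk and its error branch continues past it.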