rpms/samba/F-7 samba-3.0.28a-CVE-2008-1105.patch, NONE, 1.1 samba.spec, 1.142, 1.143
Simo Sorce (simo)
fedora-extras-commits at redhat.com
Wed May 28 13:54:19 UTC 2008
Author: simo
Update of /cvs/pkgs/rpms/samba/F-7
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv23259
Modified Files:
samba.spec
Added Files:
samba-3.0.28a-CVE-2008-1105.patch
Log Message:
* Wed May 28 2008 Simo Sorce <ssorce at redhat.com> 3.0.28a-1.fc7
- Fix CVE-2008-1105
samba-3.0.28a-CVE-2008-1105.patch:
--- NEW FILE samba-3.0.28a-CVE-2008-1105.patch ---
diff --git a/source/client/client.c b/source/client/client.c
index 3f96f63..e87623a 100644
--- a/source/client/client.c
+++ b/source/client/client.c
@@ -3626,7 +3626,7 @@ static void readline_callback(void)
session keepalives and then drop them here.
*/
if (FD_ISSET(cli->fd,&fds)) {
- if (!receive_smb(cli->fd,cli->inbuf,0)) {
+ if (!receive_smb(cli->fd,cli->inbuf,cli->bufsize,0)) {
DEBUG(0, ("Read from server failed, maybe it closed the "
"connection\n"));
return;
diff --git a/source/client/smbctool.c b/source/client/smbctool.c
index 2063418..a18505b 100644
--- a/source/client/smbctool.c
+++ b/source/client/smbctool.c
@@ -3304,7 +3304,7 @@ static void readline_callback(void)
session keepalives and then drop them here.
*/
if (FD_ISSET(cli->fd,&fds)) {
- receive_smb(cli->fd,cli->inbuf,0);
+ receive_smb(cli->fd,cli->inbuf,cli->bufsize,0);
goto again;
}
diff --git a/source/lib/util_sock.c b/source/lib/util_sock.c
index 94c5e82..4715ca7 100644
--- a/source/lib/util_sock.c
+++ b/source/lib/util_sock.c
@@ -654,14 +654,13 @@ ssize_t read_smb_length(int fd, char *inbuf, unsigned int timeout)
}
/****************************************************************************
- Read an smb from a fd. Note that the buffer *MUST* be of size
- BUFFER_SIZE+SAFETY_MARGIN.
+ Read an smb from a fd.
The timeout is in milliseconds.
This function will return on receipt of a session keepalive packet.
Doesn't check the MAC on signed packets.
****************************************************************************/
-BOOL receive_smb_raw(int fd, char *buffer, unsigned int timeout)
+BOOL receive_smb_raw(int fd, char *buffer, size_t buflen, unsigned int timeout)
{
ssize_t len,ret;
@@ -682,25 +681,18 @@ BOOL receive_smb_raw(int fd, char *buffer, unsigned int timeout)
return False;
}
- /*
- * A WRITEX with CAP_LARGE_WRITEX can be 64k worth of data plus 65 bytes
- * of header. Don't print the error if this fits.... JRA.
- */
-
- if (len > (BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE)) {
+ if (len > buflen) {
DEBUG(0,("Invalid packet length! (%lu bytes).\n",(unsigned long)len));
- if (len > BUFFER_SIZE + (SAFETY_MARGIN/2)) {
- /*
- * Correct fix. smb_read_error may have already been
- * set. Only set it here if not already set. Global
- * variables still suck :-). JRA.
- */
+ /*
+ * smb_read_error may have already been
+ * set. Only set it here if not already set. Global
+ * variables still suck :-). JRA.
+ */
- if (smb_read_error == 0)
- smb_read_error = READ_ERROR;
- return False;
- }
+ if (smb_read_error == 0)
+ smb_read_error = READ_ERROR;
+ return False;
}
if(len > 0) {
@@ -730,9 +722,9 @@ BOOL receive_smb_raw(int fd, char *buffer, unsigned int timeout)
Checks the MAC on signed packets.
****************************************************************************/
-BOOL receive_smb(int fd, char *buffer, unsigned int timeout)
+BOOL receive_smb(int fd, char *buffer, size_t buflen, unsigned int timeout)
{
- if (!receive_smb_raw(fd, buffer, timeout)) {
+ if (!receive_smb_raw(fd, buffer, buflen, timeout)) {
return False;
}
diff --git a/source/libsmb/clientgen.c b/source/libsmb/clientgen.c
index c6cef08..7d7ab9e 100644
--- a/source/libsmb/clientgen.c
+++ b/source/libsmb/clientgen.c
@@ -44,8 +44,7 @@ int cli_set_port(struct cli_state *cli, int port)
}
/****************************************************************************
- Read an smb from a fd ignoring all keepalive packets. Note that the buffer
- *MUST* be of size BUFFER_SIZE+SAFETY_MARGIN.
+ Read an smb from a fd ignoring all keepalive packets.
The timeout is in milliseconds
This is exactly the same as receive_smb except that it never returns
@@ -54,12 +53,12 @@ int cli_set_port(struct cli_state *cli, int port)
should never go into a blocking read.
****************************************************************************/
-static BOOL client_receive_smb(int fd,char *buffer, unsigned int timeout)
+static BOOL client_receive_smb(int fd,char *buffer, size_t bufsize, unsigned int timeout)
{
BOOL ret;
for(;;) {
- ret = receive_smb_raw(fd, buffer, timeout);
+ ret = receive_smb_raw(fd, buffer, bufsize, timeout);
if (!ret) {
DEBUG(10,("client_receive_smb failed\n"));
@@ -88,7 +87,7 @@ BOOL cli_receive_smb(struct cli_state *cli)
return False;
again:
- ret = client_receive_smb(cli->fd,cli->inbuf,cli->timeout);
+ ret = client_receive_smb(cli->fd,cli->inbuf, cli->bufsize, cli->timeout);
if (ret) {
/* it might be an oplock break request */
diff --git a/source/smbd/process.c b/source/smbd/process.c
index 8dec719..3d31c29 100644
--- a/source/smbd/process.c
+++ b/source/smbd/process.c
@@ -521,7 +521,8 @@ static BOOL receive_message_or_smb(char *buffer, int buffer_len, int timeout)
goto again;
}
- return receive_smb(smbd_server_fd(), buffer, 0);
+ return receive_smb(smbd_server_fd(), buffer,
+ BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE, 0);
}
/*
diff --git a/source/utils/smbfilter.c b/source/utils/smbfilter.c
index 97d2223..2152e53 100644
--- a/source/utils/smbfilter.c
+++ b/source/utils/smbfilter.c
@@ -140,7 +140,7 @@ static void filter_child(int c, struct in_addr dest_ip)
if (num <= 0) continue;
if (c != -1 && FD_ISSET(c, &fds)) {
- if (!receive_smb(c, packet, 0)) {
+ if (!receive_smb(c, packet, BUFFER_SIZE, 0)) {
d_printf("client closed connection\n");
exit(0);
}
@@ -151,7 +151,7 @@ static void filter_child(int c, struct in_addr dest_ip)
}
}
if (s != -1 && FD_ISSET(s, &fds)) {
- if (!receive_smb(s, packet, 0)) {
+ if (!receive_smb(s, packet, BUFFER_SIZE, 0)) {
d_printf("server closed connection\n");
exit(0);
}
Index: samba.spec
===================================================================
RCS file: /cvs/pkgs/rpms/samba/F-7/samba.spec,v
retrieving revision 1.142
retrieving revision 1.143
diff -u -r1.142 -r1.143
--- samba.spec 9 Mar 2008 17:42:58 -0000 1.142
+++ samba.spec 28 May 2008 13:53:37 -0000 1.143
@@ -2,7 +2,7 @@
Name: samba
Epoch: 0
Version: 3.0.28a
-Release: 0%{?dist}
+Release: 1%{?dist}
License: GPLv2+ and LGPLv2+
Group: System Environment/Daemons
URL: http://www.samba.org/
@@ -41,6 +41,7 @@
Patch110: samba-3.0.21pre1-smbspool.patch
Patch111: samba-3.0.13-smbclient.patch
Patch200: samba-3.0.25rc1-inotifiy.patch
+Patch201: samba-3.0.28a-CVE-2008-1105.patch
Requires(pre): samba-common = %{epoch}:%{version}-%{release}
Requires: pam >= 0:0.64
@@ -157,6 +158,7 @@
%patch110 -p1 -b .smbspool
%patch111 -p1 -b .smbclient
%patch200 -p0 -b .inotify
+%patch201 -p1 -b .CVE-2008-1105
mv source/VERSION source/VERSION.orig
sed -e 's/SAMBA_VERSION_VENDOR_SUFFIX=$/&\"%{release}\"/' < source/VERSION.orig > source/VERSION
@@ -642,6 +644,9 @@
#%{_includedir}/libmsrpc.h
%changelog
+* Wed May 28 2008 Simo Sorce <ssorce at redhat.com> 3.0.28a-1.fc7
+- Fix CVE-2008-1105
+
* Sun Mar 9 2008 Simo Sorce <ssorce at redhat.com> 3.0.28a-0.fc7
- New upstream bugfix release
More information about the fedora-extras-commits
mailing list