OpenWrt – Blame information for rev 4

Subversion Repositories:
Rev:
Rev Author Line No. Line
4 office 1 From: =?utf-8?q?Guido_G=C3=BCnther?= <agx@sigxcpu.org>
2 Date: Wed, 20 Sep 2017 20:02:03 +0200
3 Subject: CVE-2017-12163: s3:smbd: Prevent client short SMB1 write from
4 writing server memory to file.
5  
6 BUG: https://bugzilla.samba.org/show_bug.cgi?id=13020
7  
8 Author: Jeremy Allison <jra@samba.org>
9 Signed-off-by: Jeremy Allison <jra@samba.org>
10 Signed-off-by: Stefan Metzmacher <metze@samba.org>
11 ---
12 source3/smbd/reply.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
13 1 file changed, 50 insertions(+)
14  
15 --- a/source3/smbd/reply.c
16 +++ b/source3/smbd/reply.c
17 @@ -3979,6 +3979,9 @@ void reply_writebraw(struct smb_request
18 }
19  
20 /* Ensure we don't write bytes past the end of this packet. */
21 + /*
22 + * This already protects us against CVE-2017-12163.
23 + */
24 if (data + numtowrite > smb_base(req->inbuf) + smb_len(req->inbuf)) {
25 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
26 error_to_writebrawerr(req);
27 @@ -4080,6 +4083,11 @@ void reply_writebraw(struct smb_request
28 exit_server_cleanly("secondary writebraw failed");
29 }
30  
31 + /*
32 + * We are not vulnerable to CVE-2017-12163
33 + * here as we are guarenteed to have numtowrite
34 + * bytes available - we just read from the client.
35 + */
36 nwritten = write_file(req,fsp,buf+4,startpos+nwritten,numtowrite);
37 if (nwritten == -1) {
38 TALLOC_FREE(buf);
39 @@ -4161,6 +4169,7 @@ void reply_writeunlock(struct smb_reques
40 connection_struct *conn = req->conn;
41 ssize_t nwritten = -1;
42 size_t numtowrite;
43 + size_t remaining;
44 SMB_OFF_T startpos;
45 const char *data;
46 NTSTATUS status = NT_STATUS_OK;
47 @@ -4193,6 +4202,17 @@ void reply_writeunlock(struct smb_reques
48 startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0);
49 data = (const char *)req->buf + 3;
50  
51 + /*
52 + * Ensure client isn't asking us to write more than
53 + * they sent. CVE-2017-12163.
54 + */
55 + remaining = smbreq_bufrem(req, data);
56 + if (numtowrite > remaining) {
57 + reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
58 + END_PROFILE(SMBwriteunlock);
59 + return;
60 + }
61 +
62 if (!fsp->print_file && numtowrite > 0) {
63 init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
64 (uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
65 @@ -4274,6 +4294,7 @@ void reply_write(struct smb_request *req
66 {
67 connection_struct *conn = req->conn;
68 size_t numtowrite;
69 + size_t remaining;
70 ssize_t nwritten = -1;
71 SMB_OFF_T startpos;
72 const char *data;
73 @@ -4314,6 +4335,17 @@ void reply_write(struct smb_request *req
74 startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0);
75 data = (const char *)req->buf + 3;
76  
77 + /*
78 + * Ensure client isn't asking us to write more than
79 + * they sent. CVE-2017-12163.
80 + */
81 + remaining = smbreq_bufrem(req, data);
82 + if (numtowrite > remaining) {
83 + reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
84 + END_PROFILE(SMBwrite);
85 + return;
86 + }
87 +
88 if (!fsp->print_file) {
89 init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
90 (uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
91 @@ -4525,6 +4557,9 @@ void reply_write_and_X(struct smb_reques
92 return;
93 }
94 } else {
95 + /*
96 + * This already protects us against CVE-2017-12163.
97 + */
98 if (smb_doff > smblen || smb_doff + numtowrite < numtowrite ||
99 smb_doff + numtowrite > smblen) {
100 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
101 @@ -4894,6 +4929,7 @@ void reply_writeclose(struct smb_request
102 {
103 connection_struct *conn = req->conn;
104 size_t numtowrite;
105 + size_t remaining;
106 ssize_t nwritten = -1;
107 NTSTATUS close_status = NT_STATUS_OK;
108 SMB_OFF_T startpos;
109 @@ -4927,6 +4963,17 @@ void reply_writeclose(struct smb_request
110 mtime = convert_time_t_to_timespec(srv_make_unix_date3(req->vwv+4));
111 data = (const char *)req->buf + 1;
112  
113 + /*
114 + * Ensure client isn't asking us to write more than
115 + * they sent. CVE-2017-12163.
116 + */
117 + remaining = smbreq_bufrem(req, data);
118 + if (numtowrite > remaining) {
119 + reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
120 + END_PROFILE(SMBwriteclose);
121 + return;
122 + }
123 +
124 if (!fsp->print_file) {
125 init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
126 (uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
127 @@ -5497,6 +5544,9 @@ void reply_printwrite(struct smb_request
128  
129 numtowrite = SVAL(req->buf, 1);
130  
131 + /*
132 + * This already protects us against CVE-2017-12163.
133 + */
134 if (req->buflen < numtowrite + 3) {
135 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
136 END_PROFILE(SMBsplwr);