mirror of
https://github.com/samba-team/samba.git
synced 2024-12-24 21:34:56 +03:00
CVE-2017-12163: s3:smbd: Prevent client short SMB1 write from writing server memory to file.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13020 Signed-off-by: Jeremy Allison <jra@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Karolin Seeger <kseeger@samba.org> Autobuild-Date(master): Wed Sep 20 17:06:23 CEST 2017 on sn-devel-144
This commit is contained in:
parent
35051a860c
commit
b092ed3842
@ -4474,6 +4474,9 @@ void reply_writebraw(struct smb_request *req)
|
||||
}
|
||||
|
||||
/* Ensure we don't write bytes past the end of this packet. */
|
||||
/*
|
||||
* This already protects us against CVE-2017-12163.
|
||||
*/
|
||||
if (data + numtowrite > smb_base(req->inbuf) + smb_len(req->inbuf)) {
|
||||
reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
|
||||
error_to_writebrawerr(req);
|
||||
@ -4574,6 +4577,11 @@ void reply_writebraw(struct smb_request *req)
|
||||
exit_server_cleanly("secondary writebraw failed");
|
||||
}
|
||||
|
||||
/*
|
||||
* We are not vulnerable to CVE-2017-12163
|
||||
* here as we are guarenteed to have numtowrite
|
||||
* bytes available - we just read from the client.
|
||||
*/
|
||||
nwritten = write_file(req,fsp,buf+4,startpos+nwritten,numtowrite);
|
||||
if (nwritten == -1) {
|
||||
TALLOC_FREE(buf);
|
||||
@ -4647,6 +4655,7 @@ void reply_writeunlock(struct smb_request *req)
|
||||
connection_struct *conn = req->conn;
|
||||
ssize_t nwritten = -1;
|
||||
size_t numtowrite;
|
||||
size_t remaining;
|
||||
off_t startpos;
|
||||
const char *data;
|
||||
NTSTATUS status = NT_STATUS_OK;
|
||||
@ -4679,6 +4688,17 @@ void reply_writeunlock(struct smb_request *req)
|
||||
startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0);
|
||||
data = (const char *)req->buf + 3;
|
||||
|
||||
/*
|
||||
* Ensure client isn't asking us to write more than
|
||||
* they sent. CVE-2017-12163.
|
||||
*/
|
||||
remaining = smbreq_bufrem(req, data);
|
||||
if (numtowrite > remaining) {
|
||||
reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
|
||||
END_PROFILE(SMBwriteunlock);
|
||||
return;
|
||||
}
|
||||
|
||||
if (!fsp->print_file && numtowrite > 0) {
|
||||
init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
|
||||
(uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
|
||||
@ -4756,6 +4776,7 @@ void reply_write(struct smb_request *req)
|
||||
{
|
||||
connection_struct *conn = req->conn;
|
||||
size_t numtowrite;
|
||||
size_t remaining;
|
||||
ssize_t nwritten = -1;
|
||||
off_t startpos;
|
||||
const char *data;
|
||||
@ -4796,6 +4817,17 @@ void reply_write(struct smb_request *req)
|
||||
startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0);
|
||||
data = (const char *)req->buf + 3;
|
||||
|
||||
/*
|
||||
* Ensure client isn't asking us to write more than
|
||||
* they sent. CVE-2017-12163.
|
||||
*/
|
||||
remaining = smbreq_bufrem(req, data);
|
||||
if (numtowrite > remaining) {
|
||||
reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
|
||||
END_PROFILE(SMBwrite);
|
||||
return;
|
||||
}
|
||||
|
||||
if (!fsp->print_file) {
|
||||
init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
|
||||
(uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
|
||||
@ -5018,6 +5050,9 @@ void reply_write_and_X(struct smb_request *req)
|
||||
goto out;
|
||||
}
|
||||
} else {
|
||||
/*
|
||||
* This already protects us against CVE-2017-12163.
|
||||
*/
|
||||
if (smb_doff > smblen || smb_doff + numtowrite < numtowrite ||
|
||||
smb_doff + numtowrite > smblen) {
|
||||
reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
|
||||
@ -5444,6 +5479,7 @@ void reply_writeclose(struct smb_request *req)
|
||||
{
|
||||
connection_struct *conn = req->conn;
|
||||
size_t numtowrite;
|
||||
size_t remaining;
|
||||
ssize_t nwritten = -1;
|
||||
NTSTATUS close_status = NT_STATUS_OK;
|
||||
off_t startpos;
|
||||
@ -5477,6 +5513,17 @@ void reply_writeclose(struct smb_request *req)
|
||||
mtime = convert_time_t_to_timespec(srv_make_unix_date3(req->vwv+4));
|
||||
data = (const char *)req->buf + 1;
|
||||
|
||||
/*
|
||||
* Ensure client isn't asking us to write more than
|
||||
* they sent. CVE-2017-12163.
|
||||
*/
|
||||
remaining = smbreq_bufrem(req, data);
|
||||
if (numtowrite > remaining) {
|
||||
reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
|
||||
END_PROFILE(SMBwriteclose);
|
||||
return;
|
||||
}
|
||||
|
||||
if (fsp->print_file == NULL) {
|
||||
init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
|
||||
(uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
|
||||
@ -6069,6 +6116,9 @@ void reply_printwrite(struct smb_request *req)
|
||||
|
||||
numtowrite = SVAL(req->buf, 1);
|
||||
|
||||
/*
|
||||
* This already protects us against CVE-2017-12163.
|
||||
*/
|
||||
if (req->buflen < numtowrite + 3) {
|
||||
reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
|
||||
END_PROFILE(SMBsplwr);
|
||||
|
Loading…
Reference in New Issue
Block a user