From: =?utf-8?q?Guido_G=C3=BCnther?= <agx@sigxcpu.org>
Date: Wed, 20 Sep 2017 20:02:03 +0200
Subject: CVE-2017-12163: s3:smbd: Prevent client short SMB1 write from
writing server memory to file.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13020
Author: Jeremy Allison <jra@samba.org>
Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
source3/smbd/reply.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 50 insertions(+)
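--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -3979,6 +3979,9 @@ void reply_writebraw(struct smb_request
 }
 
 /* Ensure we don't write bytes past the end of this packet. */
+ /*
+ * This already protects us against CVE-2017-12163.
+ */
 if (data + numtowrite > smb_base(req->inbuf) + smb_len(req->inbuf)) {
 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
 error_to_writebrawerr(req);
@@ -4080,6 +4083,11 @@ void reply_writebraw(struct smb_request
 exit_server_cleanly("secondary writebraw failed");
 }
 
+ /*
+ * We are not vulnerable to CVE-2017-12163
+ * here as we are guarenteed to have numtowrite
+ * bytes available - we just read from the client.
+ */
 nwritten = write_file(req,fsp,buf+4,startpos+nwritten,numtowrite);
 if (nwritten == -1) {
 TALLOC_FREE(buf);
@@ -4161,6 +4169,7 @@ void reply_writeunlock(struct smb_reques
 connection_struct *conn = req->conn;
 ssize_t nwritten = -1;
 size_t numtowrite;
+ size_t remaining;
 SMB_OFF_T startpos;
 const char *data;
 NTSTATUS status = NT_STATUS_OK;
@@ -4193,6 +4202,17 @@ void reply_writeunlock(struct smb_reques
 startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0);
 data = (const char *)req->buf + 3;
 
+ /*
+ * Ensure client isn't asking us to write more than
+ * they sent. CVE-2017-12163.
+ */
+ remaining = smbreq_bufrem(req, data);
+ if (numtowrite > remaining) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ END_PROFILE(SMBwriteunlock);
+ return;
+ }
+
 if (!fsp->print_file && numtowrite > 0) {
 init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
 (uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
@@ -4274,6 +4294,7 @@ void reply_write(struct smb_request *req
 {
 connection_struct *conn = req->conn;
 size_t numtowrite;
+ size_t remaining;
 ssize_t nwritten = -1;
 SMB_OFF_T startpos;
 const char *data;
@@ -4314,6 +4335,17 @@ void reply_write(struct smb_request *req
 startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0);
 data = (const char *)req->buf + 3;
 
+ /*
+ * Ensure client isn't asking us to write more than
+ * they sent. CVE-2017-12163.
+ */
+ remaining = smbreq_bufrem(req, data);
+ if (numtowrite > remaining) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ END_PROFILE(SMBwrite);
+ return;
+ }
+
 if (!fsp->print_file) {
 init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
 (uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
@@ -4525,6 +4557,9 @@ void reply_write_and_X(struct smb_reques
 return;
 }
 } else {
+ /*
+ * This already protects us against CVE-2017-12163.
+ */
 if (smb_doff > smblen || smb_doff + numtowrite < numtowrite ||
 smb_doff + numtowrite > smblen) {
 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
@@ -4894,6 +4929,7 @@ void reply_writeclose(struct smb_request
 {
 connection_struct *conn = req->conn;
 size_t numtowrite;
+ size_t remaining;
 ssize_t nwritten = -1;
 NTSTATUS close_status = NT_STATUS_OK;
 SMB_OFF_T startpos;
@@ -4927,6 +4963,17 @@ void reply_writeclose(struct smb_request
 mtime = convert_time_t_to_timespec(srv_make_unix_date3(req->vwv+4));
 data = (const char *)req->buf + 1;
 
+ /*
+ * Ensure client isn't asking us to write more than
+ * they sent. CVE-2017-12163.
+ */
+ remaining = smbreq_bufrem(req, data);
+ if (numtowrite > remaining) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ END_PROFILE(SMBwriteclose);
+ return;
+ }
+
 if (!fsp->print_file) {
 init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
 (uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
@@ -5497,6 +5544,9 @@ void reply_printwrite(struct smb_request
 
 numtowrite = SVAL(req->buf, 1);
 
+ /*
+ * This already protects us against CVE-2017-12163.
+ */
 if (req->buflen < numtowrite + 3) {
 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
 END_PROFILE(SMBsplwr);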
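Review bot: In the reply_writeunlock hunk the new guard computes `remaining = smbreq_bufrem(req, data);` from `data = (const char *)req->buf + 3` without a visible check that `req->buflen` is at least 3; unless smbreq_bufrem itself clamps when `data` lies past the end of the byte block (its body is not part of this patch), a shorter block would make the size_t remainder wrap and `numtowrite > remaining` would not reject the request. Adding `if (req->buflen < 3) { reply_nterror(req, NT_STATUS_INVALID_PARAMETER); END_PROFILE(SMBwriteunlock); return; }` before the `data =` assignment (or clamping inside smbreq_bufrem) would make the guard independent of that assumption; the same pattern appears in the reply_write hunk (offset 3) and the reply_writeclose hunk (offset 1), each with its own END_PROFILE label. The enclosing functions begin and end outside these hunks, so an earlier wct/buflen check may already cover this and should be confirmed. Separately, the comment added in the second reply_writebraw hunk misspells "guaranteed" as `guarenteed`.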