[Pkg-samba-maint] r1643 - in branches/samba/sarge/debian: . patches
vorlon at alioth.debian.org
vorlon at alioth.debian.org
Wed Nov 28 09:53:09 UTC 2007
Author: vorlon
Date: 2007-11-28 09:53:09 +0000 (Wed, 28 Nov 2007)
New Revision: 1643
Modified:
branches/samba/sarge/debian/changelog
branches/samba/sarge/debian/patches/security-CVE-2007-4572_part2.patch
Log:
Fix for yet another regression in the fix for CVE-2007-4572 due to one other
missed patch in the 3.0.27a diff. Closes: #453050.
Modified: branches/samba/sarge/debian/changelog
===================================================================
--- branches/samba/sarge/debian/changelog 2007-11-28 09:42:08 UTC (rev 1642)
+++ branches/samba/sarge/debian/changelog 2007-11-28 09:53:09 UTC (rev 1643)
@@ -1,3 +1,10 @@
+samba (3.0.14a-3sarge10) oldstable-security; urgency=low
+
+ * Fix for yet another regression in the fix for CVE-2007-4572 due to one
+ other missed patch in the 3.0.27a diff. Closes: #453050.
+
+ -- Steve Langasek <vorlon at debian.org> Tue, 27 Nov 2007 23:42:21 -0800
+
samba (3.0.14a-3sarge9) oldstable-security; urgency=low
* Fix for one final regression related to the fix for CVE-2007-4572,
Modified: branches/samba/sarge/debian/patches/security-CVE-2007-4572_part2.patch
===================================================================
--- branches/samba/sarge/debian/patches/security-CVE-2007-4572_part2.patch 2007-11-28 09:42:08 UTC (rev 1642)
+++ branches/samba/sarge/debian/patches/security-CVE-2007-4572_part2.patch 2007-11-28 09:53:09 UTC (rev 1643)
@@ -74,12 +74,21 @@
===================================================================
--- samba-3.0.24.orig/source/smbd/trans2.c
+++ samba-3.0.24/source/smbd/trans2.c
+@@ -809,7 +809,7 @@
+ char *path_mask,int dirtype,int info_level,
+ int requires_resume_key,
+ BOOL dont_descend,char **ppdata,
+- char *base_data, int space_remaining,
++ char *base_data, char *end_data, int space_remaining,
+ BOOL *out_of_space, BOOL *got_exact_match,
+ int *last_entry_off)
+ {
@@ -985,7 +985,7 @@
p += l1_achName;
nameptr = p;
p += align_string(outbuf, p, 0);
- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE);
-+ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE);
++ len = srvstr_push(outbuf, p, fname, PTR_DIFF(end_data, p), STR_TERMINATE);
if (SVAL(outbuf, smb_flg2) & FLAGS2_UNICODE_STRINGS) {
if (len > 2) {
SCVAL(nameptr, -1, len - 2);
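Review bot: The new length argument `PTR_DIFF(end_data, p)` is a signed pointer difference, and nothing visible in this hunk checks that `p` is still below `end_data` before srvstr_push() is called. The original code passed `-1` in the same position, which suggests a negative length means "no explicit bound"; if that is how srvstr_push() reads it (its definition is not shown here), a `p` that has moved past `end_data` would lose the bound this patch exists to add. I would add a guard before the call, for example `if (p >= end_data) { *out_of_space = True; return False; }`, adjusted to the function's real return convention, which lies outside the hunk. The same applies to the eight other srvstr_push() calls changed in the following hunks, including the `p + 4` variant.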
@@ -88,7 +97,7 @@
p += l2_achName;
nameptr = p - 1;
- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE | STR_NOALIGN);
-+ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE | STR_NOALIGN);
++ len = srvstr_push(outbuf, p, fname, PTR_DIFF(end_data, p), STR_TERMINATE | STR_NOALIGN);
if (SVAL(outbuf, smb_flg2) & FLAGS2_UNICODE_STRINGS) {
if (len > 2) {
len -= 2;
@@ -97,7 +106,7 @@
}
p += 2 + 24;
- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE_ASCII);
-+ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE_ASCII);
++ len = srvstr_push(outbuf, p, fname, PTR_DIFF(end_data, p), STR_TERMINATE_ASCII);
SIVAL(q,0,len);
p += len;
len = PTR_DIFF(p, pdata);
@@ -106,7 +115,7 @@
SOFF_T(p,0,allocation_size); p += 8;
SIVAL(p,0,nt_extmode); p += 4;
- len = srvstr_push(outbuf, p + 4, fname, -1, STR_TERMINATE_ASCII);
-+ len = srvstr_push(outbuf, p + 4, fname, space_remaining - (p - pdata), STR_TERMINATE_ASCII);
++ len = srvstr_push(outbuf, p + 4, fname, PTR_DIFF(end_data, p+4), STR_TERMINATE_ASCII);
SIVAL(p,0,len);
p += 4 + len;
len = PTR_DIFF(p, pdata);
@@ -115,7 +124,7 @@
p +=4;
}
- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE_ASCII);
-+ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE_ASCII);
++ len = srvstr_push(outbuf, p, fname, PTR_DIFF(end_data, p), STR_TERMINATE_ASCII);
SIVAL(q, 0, len);
p += len;
@@ -124,7 +133,7 @@
/* this must *not* be null terminated or w2k gets in a loop trying to set an
acl on a dir (tridge) */
- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE_ASCII);
-+ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE_ASCII);
++ len = srvstr_push(outbuf, p, fname, PTR_DIFF(end_data, p), STR_TERMINATE_ASCII);
SIVAL(p, -4, len);
p += len;
len = PTR_DIFF(p, pdata);
@@ -133,7 +142,7 @@
SIVAL(p,0,sbuf.st_dev); p += 4;
SIVAL(p,0,sbuf.st_ino); p += 4;
- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE_ASCII);
-+ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE_ASCII);
++ len = srvstr_push(outbuf, p, fname, PTR_DIFF(end_data, p), STR_TERMINATE_ASCII);
SIVAL(q, 0, len);
p += len;
len = PTR_DIFF(p, pdata);
@@ -142,7 +151,7 @@
SIVAL(p,0,sbuf.st_dev); p += 4;
SIVAL(p,0,sbuf.st_ino); p += 4;
- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE_ASCII);
-+ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE_ASCII);
++ len = srvstr_push(outbuf, p, fname, PTR_DIFF(end_data, p), STR_TERMINATE_ASCII);
SIVAL(q,0,len);
p += len;
len = PTR_DIFF(p, pdata);
@@ -151,10 +160,60 @@
p+= 8;
- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE);
-+ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE);
++ len = srvstr_push(outbuf, p, fname, PTR_DIFF(end_data, p), STR_TERMINATE);
p += len;
len = PTR_DIFF(p, pdata);
+@@ -1318,6 +1318,7 @@
+ requested. */
+ char *params = *pparams;
+ char *pdata = *ppdata;
++ char *data_end;
+ int dirtype = SVAL(params,0);
+ int maxentries = SVAL(params,2);
+ uint16 findfirst_flags = SVAL(params,4);
+@@ -1409,6 +1410,7 @@
+
+ *ppdata = pdata;
+ memset((char *)pdata,'\0',max_data_bytes + DIR_ENTRY_SAFETY_MARGIN);
++ data_end = pdata + max_data_bytes + DIR_ENTRY_SAFETY_MARGIN - 1;
+
+ /* Realloc the params space */
+ params = SMB_REALLOC(*pparams, 10);
+@@ -1454,7 +1456,7 @@
+ inbuf, outbuf,
+ mask,dirtype,info_level,
+ requires_resume_key,dont_descend,
+- &p,pdata,space_remaining, &out_of_space, &got_exact_match,
++ &p,pdata,data_end,space_remaining, &out_of_space, &got_exact_match,
+ &last_entry_off);
+ }
+
+@@ -1546,6 +1548,7 @@
+ requested. */
+ char *params = *pparams;
+ char *pdata = *ppdata;
++ char *data_end;
+ int dptr_num = SVAL(params,0);
+ int maxentries = SVAL(params,2);
+ uint16 info_level = SVAL(params,4);
+@@ -1621,6 +1624,7 @@
+
+ *ppdata = pdata;
+ memset((char *)pdata,'\0',max_data_bytes + DIR_ENTRY_SAFETY_MARGIN);
++ data_end = pdata + max_data_bytes + DIR_ENTRY_SAFETY_MARGIN - 1;
+
+ /* Realloc the params space */
+ params = SMB_REALLOC(*pparams, 6*SIZEOFWORD);
+@@ -1707,7 +1711,7 @@
+ inbuf, outbuf,
+ mask,dirtype,info_level,
+ requires_resume_key,dont_descend,
+- &p,pdata,space_remaining, &out_of_space, &got_exact_match,
++ &p,pdata,data_end,space_remaining, &out_of_space, &got_exact_match,
+ &last_entry_off);
+ }
+
@@ -1830,7 +1830,7 @@
* the called hostname and the service name.
*/
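Review bot: `data_end = pdata + max_data_bytes + DIR_ENTRY_SAFETY_MARGIN - 1` is only a valid bound if the buffer behind `pdata` is allocated with exactly that size, and the allocation itself is outside both hunks; only the memset() of the same length is visible. Both assignments deserve a comment that ties the two together and explains the `- 1`, for example `/* data_end: last byte of the reply buffer, safety margin included; keep in sync with the allocation size */`. Because it points at the last byte rather than one past the end, `PTR_DIFF(end_data, p)` under-counts the room by one, which is conservative but should be stated as intentional. The callers call the pointer `data_end` while the callee parameter is `end_data`; using one name on both sides would make the bound easier to trace during an audit.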