Your message dated Mon, 23 Jan 2006 01:24:57 +0100
with message-id <[EMAIL PROTECTED]>
and subject line Bug#311298: samba: Memory leak in security patch for DSA-701-2
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Date: Mon, 30 May 2005 16:15:48 -0400
From: Simon Law <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: samba: Memory leak in security patch for DSA-701-2
Package: samba
Version: 2.2.3a-15
Severity: normal
In the security patch called z_CAN-2004-1154.patch:
@@ -1121,11 +1139,19 @@ static int get_dir(file_info2 finfo)
*/
static char * get_longfilename(file_info2 finfo)
{
- int namesize = finfo.size + strlen(cur_dir) + 2;
+ size_t namesize = finfo.size + strlen(cur_dir) + 2;
char *longname = malloc(namesize);
int offset = 0, left = finfo.size;
BOOL first = True;
+ if(finfo.size >= (UINT_MAX - strlen(cur_dir) - 2))
+ {
+ DEBUG(0,("get_longfilename: integer overflow detected.\n"));
+ return(NULL);
+ }
+ namesize = finfo.size + strlen(cur_dir) + 2;
+ longname = malloc(namesize);
+
DEBUG(5, ("Restoring a long file name: %s\n", finfo.name));
DEBUG(5, ("Len = %d\n", (int)finfo.size));
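Review bot: The unchanged initializer `char *longname = malloc(namesize);` still runs before the added overflow check, and the added `longname = malloc(namesize);` after the check overwrites that pointer, so the first buffer is leaked on every call. It is also leaked on the new `return(NULL)` path, and it was sized from a sum that may already have wrapped. Suggest declaring `size_t namesize;` and `char *longname = NULL;` without initializers and doing the addition and the single malloc() only after the check has passed. Two smaller points in the same lines: the check bounds against `UINT_MAX` while `namesize` is now `size_t`, so the limit should match the type (`SIZE_MAX`, or keep the variable unsigned int), and the visible lines do not test the malloc() result for NULL before use.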
As you can see, we're malloc()ing and then throwing that result away.
This is a memory leak. It's not a security problem, but the security
patch did cause this bug.
-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux alps 2.4.18-1-686 #1 Wed Apr 14 18:20:10 UTC 2004 i686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8
Versions of packages samba depends on:
ii debconf 1.2.35 Debian configuration management sy
ii libc6 2.3.2.ds1-21 GNU C Library: Shared libraries an
ii libcupsys2 1.1.14-5woody12 Common UNIX Printing System(tm) -
ii libpam0g 0.72-35 Pluggable Authentication Modules l
ii logrotate 3.5.9-8 Log rotation utility
ii netbase 4.07 Basic TCP/IP networking system
ii samba-common 2.2.3a-15 Samba common files used by both th
---------------------------------------
From: Peter Eisentraut <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: Bug#311298: samba: Memory leak in security patch for DSA-701-2
Date: Mon, 23 Jan 2006 01:24:57 +0100
Version: 3.0.10-1
This code has been redone in newer versions.