On 2012/01/31 23:34, Nigel Taylor wrote:
> On 01/31/12 07:24, Ian McWilliam wrote:
> > For those in need of a samba fix.
> >
> > http://www.samba.org/samba/security/CVE-2012-0817
> >
> > The Samba smbd daemon that listens for incoming connections leaks
> > a small amount of memory on every connection attempt. Although this
> > is a small leak, it happens on every connection even without successful
> > authentication. Thus an attacker can simply loop making connection
> > requests and cause the listening daemon to ever increase in size.
> >
> > Eventually the server process will grow enough to either cause memory
> > allocations in other processes to fail, or be killed by the system
> > as part of its out of memory protection. Either way, denial of service
> > would be achieved.
> >
> > http://www.samba.org/samba/history/samba-3.6.3.html
> >
> > CVE-2012-0817:
> > The Samba File Serving daemon (smbd) in Samba versions
> > 3.6.0 to 3.6.2 is affected by a memory leak that can
> > cause a server denial of service.
> >
> > Ian McWilliam
> >
>
> Hi,
>
> Built on i386 and amd64. Tests work for the limited setup I have here.
>
> Nigel
>
For reference here's the diff against -current for this. Index: Makefile =================================================================== RCS file: /cvs/ports/net/samba/Makefile,v retrieving revision 1.154 diff -u -p -r1.154 Makefile --- Makefile 31 Jan 2012 09:12:58 -0000 1.154 +++ Makefile 31 Jan 2012 23:52:41 -0000 @@ -5,8 +5,7 @@ SHARED_ONLY= Yes COMMENT-main= SMB and CIFS client and server for UNIX COMMENT-docs= additional documentation and examples for Samba -DISTNAME= samba-3.6.1 -REVISION-main= 1 +DISTNAME= samba-3.6.3 PKGNAME-main= ${DISTNAME} FULLPKGNAME-docs= ${DISTNAME:S/-/-docs-/} FULLPKGPATH-docs= net/samba,-docs Index: distinfo =================================================================== RCS file: /cvs/ports/net/samba/distinfo,v retrieving revision 1.28 diff -u -p -r1.28 distinfo --- distinfo 21 Oct 2011 20:10:51 -0000 1.28 +++ distinfo 31 Jan 2012 23:52:41 -0000 @@ -1,5 +1,5 @@ -MD5 (samba-3.6.1.tar.gz) = UpFxe+BzTgfcB7YRDhYuhw== -RMD160 (samba-3.6.1.tar.gz) = btROZrIs7wAWiDH6ftE1cf1eRe0= -SHA1 (samba-3.6.1.tar.gz) = /tgv2SlY8yCe2zxxMh1LSKvunEs= -SHA256 (samba-3.6.1.tar.gz) = xbDyqwL+LGQbHOUqFBwo8bP7wJOtqKYu7KcMJeFb1WQ= -SIZE (samba-3.6.1.tar.gz) = 28984820 +MD5 (samba-3.6.3.tar.gz) = mKydufS26/w/ATqhk/+w0Q== +RMD160 (samba-3.6.3.tar.gz) = /QT9WJfw808lfFBN6RHhqzT/PiU= +SHA1 (samba-3.6.3.tar.gz) = QwoeE/4gwX4oCANchj6153aFyJs= +SHA256 (samba-3.6.3.tar.gz) = Z+JAny1eTVy5R8lfWDSYEFA4hXuEzHPAjazU4svGYHQ= +SIZE (samba-3.6.3.tar.gz) = 28993737 Index: patches/patch-Makefile_in =================================================================== RCS file: /cvs/ports/net/samba/patches/patch-Makefile_in,v retrieving revision 1.17 diff -u -p -r1.17 patch-Makefile_in --- patches/patch-Makefile_in 26 Sep 2011 09:32:12 -0000 1.17 +++ patches/patch-Makefile_in 31 Jan 2012 23:52:41 -0000 
@@ -1,11 +1,11 @@ $OpenBSD: patch-Makefile_in,v 1.17 2011/09/26 09:32:12 sthen Exp $ ---- Makefile.in.orig Tue Aug 9 13:17:47 2011 -+++ Makefile.in Mon Sep 12 17:40:48 2011 +--- Makefile.in.orig Thu Jan 26 05:26:48 2012 ++++ Makefile.in Thu Jan 26 08:46:44 2012 @@ -28,7 +28,7 @@ SHLD=@SHLD@ LIB_PATH_VAR=@LIB_PATH_VAR@ ## Dynamic shared libraries build settings --DSO_EXPORTS_CMD=-Wl,--version-script,$(srcdir)/exports/`basename $@ | sed 's/@SHLIBEXT@\(.[0-9]\{1,\}\)\{0,1\}$$/@SYMSEXT@/'` +-DSO_EXPORTS_CMD=-Wl,--version-script,$(srcdir)/exports/`basename $@ | sed 's:\.@SHLIBEXT@[\.0-9]*$$:.@SYMSEXT@:'` +DSO_EXPORTS_CMD=-Wl,--version-script,$(srcdir)/exports/`basename $@ | sed 's/@SHLIBEXT@\(.[0-9]\{1,\}\)\{0,1\}\(.[0-9]\{1,\}\)\{0,1\}$$/@SYMSEXT@/'` DSO_EXPORTS=@DSO_EXPORTS@ SHLD_DSO = $(SHLD) $(LDSHFLAGS) $(DSO_EXPORTS) -o $@ Index: patches/patch-lib_substitute_c =================================================================== RCS file: patches/patch-lib_substitute_c diff -N patches/patch-lib_substitute_c --- patches/patch-lib_substitute_c 31 Jan 2012 09:12:59 -0000 1.1 +++ /dev/null 1 Jan 1970 00:00:00 -0000 
@@ -1,36 +0,0 @@ -$OpenBSD: patch-lib_substitute_c,v 1.1 2012/01/31 09:12:59 sthen Exp $ - -http://ftp.samba.org/pub/samba/patches/security/samba-3.6.2-CVE-2012-0817.patch - ---- lib/substitute.c.orig Tue Oct 18 19:48:48 2011 -+++ lib/substitute.c Tue Jan 31 08:45:43 2012 -@@ -195,7 +195,7 @@ void sub_set_smb_name(const char *name) - } - - static char sub_peeraddr[INET6_ADDRSTRLEN]; --static const char *sub_peername = ""; -+static const char *sub_peername = NULL; - static char sub_sockaddr[INET6_ADDRSTRLEN]; - - void sub_set_socket_ids(const char *peeraddr, const char *peername, -@@ -208,6 +208,11 @@ void sub_set_socket_ids(const char *peeraddr, const ch - } - strlcpy(sub_peeraddr, addr, sizeof(sub_peeraddr)); - -+ if (sub_peername != NULL && -+ sub_peername != sub_peeraddr) { -+ free(discard_const_p(char,sub_peername)); -+ sub_peername = NULL; -+ } - sub_peername = SMB_STRDUP(peername); - if (sub_peername == NULL) { - sub_peername = sub_peeraddr; -@@ -646,7 +651,7 @@ static char *alloc_sub_basic(const char *smb_name, con - break; - case 'M' : - a_string = realloc_string_sub(a_string, "%M", -- sub_peername); -+ sub_peername ? sub_peername : ""); - break; - case 'R' : - a_string = realloc_string_sub(a_string, "%R", remote_proto); Index: patches/patch-smbd_server_c =================================================================== RCS file: patches/patch-smbd_server_c diff -N patches/patch-smbd_server_c --- patches/patch-smbd_server_c 31 Jan 2012 09:12:59 -0000 1.1 +++ /dev/null 1 Jan 1970 00:00:00 -0000 
@@ -1,19 +0,0 @@ -$OpenBSD: patch-smbd_server_c,v 1.1 2012/01/31 09:12:59 sthen Exp $ - -http://ftp.samba.org/pub/samba/patches/security/samba-3.6.2-CVE-2012-0817.patch - ---- smbd/server.c.orig Tue Oct 18 19:48:48 2011 -+++ smbd/server.c Tue Jan 31 08:45:43 2012 -@@ -64,6 +64,12 @@ static void smbd_set_server_fd(int fd) - * name, default to its address. - */ - -+ if (sconn->client_id.name != NULL && -+ sconn->client_id.name != sconn->client_id.addr) { -+ talloc_free(discard_const_p(char, sconn->client_id.name)); -+ sconn->client_id.name = NULL; -+ } -+ - client_addr(fd, sconn->client_id.addr, sizeof(sconn->client_id.addr)); - - name = client_name(sconn->sock);
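Review bot: in distinfo, the new SHA256 and SIZE lines for samba-3.6.3.tar.gz are the only integrity anchor the port has for the fetched tarball, and nothing in the diff shows where the values came from. Suggest regenerating them from a tarball whose upstream signature has been verified, rather than from whatever the first fetch returned.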
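Review bot: in patches/patch-Makefile_in, the local DSO_EXPORTS_CMD replacement is carried over unchanged although the upstream line it replaces is now `sed 's:\.@SHLIBEXT@[\.0-9]*$$:.@SYMSEXT@:'`, which already accepts any run of dots and digits after the extension. Check whether the local patch is still needed against 3.6.3; if it stays, the `.` in `\(.[0-9]\{1,\}\)` is unescaped and matches any character, so `\.` would be tighter.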
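Review bot: dropping patches/patch-lib_substitute_c assumes lib/substitute.c in 3.6.3 already frees the previous sub_peername before `sub_peername = SMB_STRDUP(peername);` in sub_set_socket_ids(). Worth confirming in the extracted source that the `sub_peername != sub_peeraddr` guard is present as well, since the fallback path points sub_peername at the static sub_peeraddr buffer and calling free() on that would be invalid.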
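Review bot: dropping patches/patch-smbd_server_c removes the local talloc_free() of sconn->client_id.name in smbd_set_server_fd(), so the fix for the per-connection leak now depends entirely on the 3.6.3 tarball. Suggest a regression check on the built package that the listening smbd's memory stays flat across repeated connections, and naming CVE-2012-0817 in the commit message so the reason for the update is recorded.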