The branch, v4-1-stable has been updated
       via  3872776 VERSION: Disable git snapshot for the 4.1.9 release.
       via  9842dc8 WHATSNEW: Add release notes for Samba 4.1.9.
       via  a88baed s3: smbd - fix processing of packets with invalid DOS charset conversions.
       via  a04875b s3: nmbd: Fix bug 10633 - nmbd denial of service
       via  33f37c5 VERSION: Bump version number up to 4.1.9...
      from  b02db8d VERSION: Disable git snapshots for the 4.1.8 release.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-1-stable

- Log -----------------------------------------------------------------
commit 38727766b533b4741c97c42989365d95d37574da
Author: Karolin Seeger <ksee...@samba.org>
Date:   Sun Jun 22 16:42:41 2014 +0200

    VERSION: Disable git snapshot for the 4.1.9 release.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=10633
    CVE-2014-0244: nmbd denial of service

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=10654
    CVE-2014-3493: Segmentation fault in smbd_marshall_dir_entry()'s
    SMB_FIND_FILE_UNIX handler because push_ascii() has returned (uint32_t)-1
    via srvstr_push(), incrementing p by 4GB

    Signed-off-by: Karolin Seeger <ksee...@samba.org>

commit 9842dc834299e4e487369dd3917c91c9ba91fde6
Author: Karolin Seeger <ksee...@samba.org>
Date:   Sun Jun 22 16:39:29 2014 +0200

    WHATSNEW: Add release notes for Samba 4.1.9.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=10633
    CVE-2014-0244: nmbd denial of service

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=10654
    CVE-2014-3493: Segmentation fault in smbd_marshall_dir_entry()'s
    SMB_FIND_FILE_UNIX handler because push_ascii() has returned (uint32_t)-1
    via srvstr_push(), incrementing p by 4GB

    Signed-off-by: Karolin Seeger <ksee...@samba.org>

commit a88baed8dd64c3f77ee5070029d305489ad63743
Author: Jeremy Allison <j...@samba.org>
Date:   Sat Jun 7 21:51:44 2014 -0700

    s3: smbd - fix processing of packets with invalid DOS charset conversions.

    Bug 10654 - Segmentation fault in smbd_marshall_dir_entry()'s SMB_FIND_FILE_UNIX handler

    https://bugzilla.samba.org/show_bug.cgi?id=10654
Signed-off-by: Jeremy Allison <j...@samba.org> CVE-2014-3493 commit a04875b61021b20dced1b122db32d8c7aa5bc747 Author: Jeremy Allison <j...@samba.org> Date: Wed May 28 10:40:27 2014 -0700 s3: nmbd: Fix bug 10633 - nmbd denial of service The Linux kernel has a bug in that it can give spurious wakeups on a non-blocking UDP socket for a non-deliverable packet. When nmbd was changed to use non-blocking sockets it became vulnerable to a spurious wakeup from poll/epoll. Fix sys_recvfile() to return on EWOULDBLOCK/EAGAIN. CVE-2014-0244 Signed-off-by: Jeremy Allison <j...@samba.org> commit 33f37c5bad8aa21c41a1511eb7eb65537b230b85 Author: Karolin Seeger <ksee...@samba.org> Date: Sun Jun 22 16:25:26 2014 +0200 VERSION: Bump version number up to 4.1.9... and re-enable git snapshots. Signed-off-by: Karolin Seeger <ksee...@samba.org> ----------------------------------------------------------------------- Summary of changes: VERSION | 2 +- WHATSNEW.txt | 61 +++++++++++++++++++++++++++++++++++++++++++++- source3/lib/charcnv.c | 26 +++++++++++++------- source3/lib/system.c | 7 +---- source3/libsmb/clirap.c | 4 +- source3/smbd/lanman.c | 4 +- 6 files changed, 83 insertions(+), 21 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index 7d071c9..6783ea5 100644 --- a/VERSION +++ b/VERSION @@ -25,7 +25,7 @@ ######################################################## SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=1 -SAMBA_VERSION_RELEASE=8 +SAMBA_VERSION_RELEASE=9 ######################################################## # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index fc93ef5..7ae1ce9 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,4 +1,61 @@ ============================= + Release Notes for Samba 4.1.9 + June 23, 2014 + ============================= + + +This is a security release in order to address +CVE-2014-0244 (Denial of service - CPU loop) and +CVE-2014-3493 (Denial of service - Server crash/memory corruption). + +o CVE-2014-0244: + All current released versions of Samba are vulnerable to a denial of + service on the nmbd NetBIOS name services daemon. A malformed packet + can cause the nmbd server to loop the CPU and prevent any further + NetBIOS name service. + + This flaw is not exploitable beyond causing the code to loop expending + CPU resources. + +o CVE-2014-3493: + All current released versions of Samba are affected by a denial of service + crash involving overwriting memory on an authenticated connection to the + smbd file server. + + +Changes since 4.1.8: +-------------------- + +o Jeremy Allison <j...@samba.org> + * BUG 10633: CVE-2014-0244: Fix nmbd denial of service. + * BUG 10654: CVE-2014-3493: Fix segmentation fault in + smbd_marshall_dir_entry()'s SMB_FIND_FILE_UNIX handler. + + +####################################### +Reporting bugs & Development Discussion +####################################### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical IRC channel on irc.freenode.net. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the Samba 4.1 product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +====================================================================== +== Our Code, Our Bugs, Our Responsibility. 
+== The Samba Team +====================================================================== + + +Release notes for older releases follow: +---------------------------------------- + + ============================= Release Notes for Samba 4.1.8 June 3, 2014 ============================= @@ -112,8 +169,8 @@ database (https://bugzilla.samba.org/). ====================================================================== -Release notes for older releases follow: ----------------------------------------- +---------------------------------------------------------------------- + ============================= Release Notes for Samba 4.1.7 diff --git a/source3/lib/charcnv.c b/source3/lib/charcnv.c index 71d2c3a..2189812 100644 --- a/source3/lib/charcnv.c +++ b/source3/lib/charcnv.c @@ -46,9 +46,9 @@ void gfree_charcnv(void) **/ size_t push_ascii(void *dest, const char *src, size_t dest_len, int flags) { - size_t src_len = strlen(src); + size_t src_len = 0; char *tmpbuf = NULL; - size_t size; + size_t size = 0; bool ret; /* No longer allow a length of -1. */ @@ -62,24 +62,32 @@ size_t push_ascii(void *dest, const char *src, size_t dest_len, int flags) smb_panic("malloc fail"); } if (!strupper_m(tmpbuf)) { + if ((flags & (STR_TERMINATE|STR_TERMINATE_ASCII)) && + dest && + dest_len > 0) { + *(char *)dest = 0; + } SAFE_FREE(tmpbuf); - return (size_t)-1; + return 0; } src = tmpbuf; } + src_len = strlen(src); if (flags & (STR_TERMINATE | STR_TERMINATE_ASCII)) { src_len++; } ret = convert_string(CH_UNIX, CH_DOS, src, src_len, dest, dest_len, &size); - if (ret == false && - (flags & (STR_TERMINATE | STR_TERMINATE_ASCII)) - && dest_len > 0) { - ((char *)dest)[0] = '\0'; - } SAFE_FREE(tmpbuf); - return ret ? size : (size_t)-1; + if (ret == false) { + if ((flags & (STR_TERMINATE | STR_TERMINATE_ASCII)) && + dest_len > 0) { + ((char *)dest)[0] = '\0'; + } + return 0; + } + return size; } /******************************************************************** 
diff --git a/source3/lib/system.c b/source3/lib/system.c index 8252e4f..4f38597 100644 --- a/source3/lib/system.c +++ b/source3/lib/system.c @@ -169,6 +169,7 @@ ssize_t sys_send(int s, const void *msg, size_t len, int flags) /******************************************************************* A recvfrom wrapper that will deal with EINTR. +NB. As used with non-blocking sockets, return on EAGAIN/EWOULDBLOCK ********************************************************************/ ssize_t sys_recvfrom(int s, void *buf, size_t len, int flags, struct sockaddr *from, socklen_t *fromlen) @@ -177,11 +178,7 @@ ssize_t sys_recvfrom(int s, void *buf, size_t len, int flags, struct sockaddr *f do { ret = recvfrom(s, buf, len, flags, from, fromlen); -#if defined(EWOULDBLOCK) - } while (ret == -1 && (errno == EINTR || errno == EAGAIN || errno == EWOULDBLOCK)); -#else - } while (ret == -1 && (errno == EINTR || errno == EAGAIN)); -#endif + } while (ret == -1 && (errno == EINTR)); return ret; } diff --git a/source3/libsmb/clirap.c b/source3/libsmb/clirap.c index 036919f..64e3767 100644 --- a/source3/libsmb/clirap.c +++ b/source3/libsmb/clirap.c @@ -327,7 +327,7 @@ bool cli_NetServerEnum(struct cli_state *cli, char *workgroup, uint32 stype, sizeof(param) - PTR_DIFF(p,param) - 1, STR_TERMINATE|STR_UPPER); - if (len == (size_t)-1) { + if (len == 0) { SAFE_FREE(last_entry); return false; } @@ -339,7 +339,7 @@ bool cli_NetServerEnum(struct cli_state *cli, char *workgroup, uint32 stype, sizeof(param) - PTR_DIFF(p,param) - 1, STR_TERMINATE); - if (len == (size_t)-1) { + if (len == 0) { SAFE_FREE(last_entry); return false; } diff --git a/source3/smbd/lanman.c b/source3/smbd/lanman.c index 1b734a7..0a0ab6b 100644 --- a/source3/smbd/lanman.c +++ b/source3/smbd/lanman.c @@ -128,7 +128,7 @@ static int CopyExpanded(connection_struct *conn, return 0; } l = push_ascii(*dst,buf,*p_space_remaining, STR_TERMINATE); - if (l == -1) { + if (l == 0) { return 0; } (*dst) += l; 
@@ -143,7 +143,7 @@ static int CopyAndAdvance(char **dst, char *src, int *n) return 0; } l = push_ascii(*dst,src,*n, STR_TERMINATE); - if (l == -1) { + if (l == 0) { return 0; } (*dst) += l; -- Samba Shared Repository
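Review bot: In the WHATSNEW.txt hunk `@@ -1,4 +1,61 @@`, the CVE-2014-3493 entry tells administrators only that it is "a denial of service crash involving overwriting memory on an authenticated connection"; the commit message is more specific (the SMB_FIND_FILE_UNIX handler in smbd_marshall_dir_entry(), reached via srvstr_push()), and carrying that detail into the release note, together with the fact that an authenticated session is required, would let operators judge their exposure without reading the commit log. The summary line also describes it as "Server crash/memory corruption" while the body says only "crash"; the two should agree.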
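Review bot: In the charcnv.c hunk `@@ -46,9 +46,9 @@`, moving `strlen(src)` to after the strupper_m() step (the `src_len = strlen(src);` line in the following hunk) is the right fix, since upper-casing can change the byte length and the old code measured the pre-conversion string; the new `size_t size = 0;` initialisation is defensive in case convert_string() leaves `size` untouched on failure, and a one-line comment saying so would stop a later cleanup from "simplifying" it away.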
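Review bot: In the charcnv.c hunk `@@ -62,24 +62,32 @@`, the two failure paths guard the terminator write differently: the strupper_m() path checks `dest && dest_len > 0` before `*(char *)dest = 0;`, but the convert_string() path checks only `dest_len > 0` before `((char *)dest)[0] = '\0';`, so a caller passing a NULL `dest` with a non-zero length dereferences NULL there; the same `dest &&` guard should be used in both. Separately, this hunk changes push_ascii()'s error return from `(size_t)-1` to `0` without touching the function's header comment (the `**/` block at the top of the previous hunk); the new contract should be documented, including the caveat that 0 is only unambiguous as an error when STR_TERMINATE or STR_TERMINATE_ASCII is set (a successful conversion then always counts at least the terminator), whereas without those flags an empty `src` legitimately converts to 0 bytes.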
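Review bot: In the system.c hunk `@@ -177,11 +178,7 @@`, the `do { ... } while` loop now retries only on EINTR, so sys_recvfrom() returns -1 with errno EAGAIN/EWOULDBLOCK to the caller instead of spinning, which is exactly what removes the CPU loop the commit message describes; but the wrapper is generic, and on a blocking socket with SO_RCVTIMEO a timeout also surfaces as EAGAIN, so every caller must now treat EAGAIN/EWOULDBLOCK as "nothing to read, return to poll" rather than as a fatal socket error. The patch changes no caller, so the commit message should say the callers were audited. Note also that the commit message names `sys_recvfile()` while the function changed here is `sys_recvfrom()`.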
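Review bot: In the clirap.c hunk `@@ -327,7 +327,7 @@` (and likewise `@@ -339,7 +339,7 @@`), treating `len == 0` as failure is correct only because both push_ascii() calls pass STR_TERMINATE, so a successful conversion always returns at least 1; a short comment at each call site recording that dependency would prevent someone later dropping the flag and silently turning every empty-string conversion into an error. Since push_ascii() is shared library code, the other callers that still compare against `(size_t)-1` also need to be found and converted; the "Summary of changes" lists only clirap.c and lanman.c.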
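Review bot: In the lanman.c hunk `@@ -128,7 +128,7 @@` (and `@@ -143,7 +143,7 @@`), the old test `if (l == -1)` compared an unsigned length against a signed literal, the kind of mixed-sign comparison that let the `(size_t)-1` sentinel be added to a pointer elsewhere; `if (l == 0)` is sound here for the same reason as in clirap.c (STR_TERMINATE is passed, so success is never 0), and the same call-site comment is warranted. Worth stating in the commit message as well that the fix for smbd_marshall_dir_entry() itself comes from the sentinel change: a caller that ignores the return value now advances its pointer by 0 and emits an empty, terminated string instead of jumping 4GB, so unchecked callers degrade to a truncated entry rather than a crash.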