Backport fixes to samba from 3.6.24, from Ian McWilliam (maintainer)

CVE-2014-0244: malformed packet can nmbd to loop, preventing further NetBIOS name service CVE-2014-3493: smbd "crash involving overwriting memory on an authenticated connection" (just classed as a DoS in release notes, but that may be optimistic)
2014-06-26 11:43:54 +00:00 · 2014-06-26 11:43:54 +00:00 · 20b5a675ba
commit 20b5a675ba
parent a79f051644
5 changed files with 112 additions and 5 deletions
--- a/net/samba/Makefile
+++ b/net/samba/Makefile
@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.192 2014/04/21 22:24:17 sthen Exp $
+# $OpenBSD: Makefile,v 1.193 2014/06/26 11:43:54 sthen Exp $

 SHARED_ONLY=		Yes

@ -9,7 +9,7 @@ DISTNAME=		samba-3.6.15
 PKGNAME-main=		${DISTNAME}
 FULLPKGNAME-docs=	${DISTNAME:S/-/-docs-/}
 FULLPKGPATH-docs=	net/samba,-docs
-REVISION-main=		6
+REVISION-main=		7

 SHARED_LIBS=		smbclient	3.0 \
 			smbsharemodes	1.0 \
--- a/net/samba/patches/patch-source3_lib_charcnv_c
+++ b/net/samba/patches/patch-source3_lib_charcnv_c
@ -0,0 +1,42 @@
+$OpenBSD: patch-source3_lib_charcnv_c,v 1.1 2014/06/26 11:43:54 sthen Exp $
+
+- CVE-2014-0244 (Denial of service - CPU loop)
+- CVE-2014-3493 (Denial of service - Server crash/memory corruption)
+
+--- source3/lib/charcnv.c.orig	Wed Jun 25 14:53:54 2014
+++ source3/lib/charcnv.c	Wed Jun 25 14:56:56 2014
+@@ -822,7 +822,7 @@ size_t ucs2_align(const void *base_ptr, const void *p,
+  **/
+ size_t push_ascii(void *dest, const char *src, size_t dest_len, int flags)
+ {
+-	size_t src_len = strlen(src);
+	size_t src_len = 0;
+ 	char *tmpbuf = NULL;
+ 	size_t ret;
+ 
+@@ -840,17 +840,21 @@ size_t push_ascii(void *dest, const char *src, size_t 
+ 		src = tmpbuf;
+ 	}
+ 
+	src_len = strlen(src);
+ 	if (flags & (STR_TERMINATE | STR_TERMINATE_ASCII)) {
+ 		src_len++;
+ 	}
+ 
+ 	ret = convert_string(CH_UNIX, CH_DOS, src, src_len, dest, dest_len, True);
+-	if (ret == (size_t)-1 &&
+-			(flags & (STR_TERMINATE | STR_TERMINATE_ASCII))
+
+	SAFE_FREE(tmpbuf);
+	if (ret == (size_t)-1) {
+		if ((flags & (STR_TERMINATE | STR_TERMINATE_ASCII))
+ 			&& dest_len > 0) {
+-		((char *)dest)[0] = '\0';
+			((char *)dest)[0] = '\0';
+		}
+		return 0;
+ 	}
+-	SAFE_FREE(tmpbuf);
+ 	return ret;
+ }
+ 
--- a/net/samba/patches/patch-source3_lib_system_c
+++ b/net/samba/patches/patch-source3_lib_system_c
@ -0,0 +1,20 @@
+$OpenBSD: patch-source3_lib_system_c,v 1.1 2014/06/26 11:43:54 sthen Exp $
+
+- CVE-2014-0244 (Denial of service - CPU loop)
+- CVE-2014-3493 (Denial of service - Server crash/memory corruption).
+
+--- source3/lib/system.c.orig	Wed May  8 18:16:26 2013
+++ source3/lib/system.c	Wed Jun 25 15:06:22 2014
+@@ -286,11 +286,7 @@ ssize_t sys_recvfrom(int s, void *buf, size_t len, int
+ 
+ 	do {
+ 		ret = recvfrom(s, buf, len, flags, from, fromlen);
+-#if defined(EWOULDBLOCK)
+-	} while (ret == -1 && (errno == EINTR || errno == EAGAIN || errno == EWOULDBLOCK));
+-#else
+-	} while (ret == -1 && (errno == EINTR || errno == EAGAIN));
+-#endif
+	} while (ret == -1 && (errno == EINTR));
+ 	return ret;
+ }
+ 
--- a/net/samba/patches/patch-source3_libsmb_clirap_c
+++ b/net/samba/patches/patch-source3_libsmb_clirap_c
@ -0,0 +1,25 @@
+$OpenBSD: patch-source3_libsmb_clirap_c,v 1.1 2014/06/26 11:43:54 sthen Exp $
+
+- CVE-2014-0244 (Denial of service - CPU loop)
+- CVE-2014-3493 (Denial of service - Server crash/memory corruption).
+
+--- source3/libsmb/clirap.c.orig	Wed Jun 25 14:57:41 2014
+++ source3/libsmb/clirap.c	Wed Jun 25 14:59:58 2014
+@@ -319,7 +319,7 @@ bool cli_NetServerEnum(struct cli_state *cli, char *wo
+ 				sizeof(param) - PTR_DIFF(p,param) - 1,
+ 				STR_TERMINATE|STR_UPPER);
+ 
+-		if (len == (size_t)-1) {
+		if (len == 0) {
+ 			SAFE_FREE(last_entry);
+ 			return false;
+ 		}
+@@ -331,7 +331,7 @@ bool cli_NetServerEnum(struct cli_state *cli, char *wo
+ 					sizeof(param) - PTR_DIFF(p,param) - 1,
+ 					STR_TERMINATE);
+ 
+-			if (len == (size_t)-1) {
+			if (len == 0) {
+ 				SAFE_FREE(last_entry);
+ 				return false;
+ 			}
--- a/net/samba/patches/patch-source3_smbd_lanman_c
+++ b/net/samba/patches/patch-source3_smbd_lanman_c
@ -1,12 +1,32 @@
-$OpenBSD: patch-source3_smbd_lanman_c,v 1.2 2014/04/10 00:50:58 brad Exp $
+$OpenBSD: patch-source3_smbd_lanman_c,v 1.3 2014/06/26 11:43:54 sthen Exp $

 - DCE-RPC fragment length field is incorrectly checked.
  CVE-2013-4408
 - Password lockout not enforced for SAMR password changes.
  CVE-2013-4496
+- CVE-2014-0244 (Denial of service - CPU loop)
+- CVE-2014-3493 (Denial of service - Server crash/memory corruption).

--- source3/smbd/lanman.c.orig	Wed Apr  9 17:30:14 2014
-+++ source3/smbd/lanman.c	Wed Apr  9 17:29:56 2014
+--- source3/smbd/lanman.c.orig	Wed May  8 18:16:26 2013
+++ source3/smbd/lanman.c	Wed Jun 25 15:01:30 2014
+@@ -128,7 +128,7 @@ static int CopyExpanded(connection_struct *conn,
+ 		return 0;
+ 	}
+ 	l = push_ascii(*dst,buf,*p_space_remaining, STR_TERMINATE);
+-	if (l == -1) {
+	if (l == 0) {
+ 		return 0;
+ 	}
+ 	(*dst) += l;
+@@ -143,7 +143,7 @@ static int CopyAndAdvance(char **dst, char *src, int *
+ 		return 0;
+ 	}
+ 	l = push_ascii(*dst,src,*n, STR_TERMINATE);
+-	if (l == -1) {
+	if (l == 0) {
+ 		return 0;
+ 	}
+ 	(*dst) += l;
@@ -2628,6 +2628,14 @@ static bool api_NetUserGetGroups(struct smbd_server_co
 			  nt_errstr(result)));
 		goto close_domain;