1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
|
$NetBSD: patch-ee,v 1.2 2012/03/13 13:23:18 taca Exp $
Patch to fix CVE-2010-2063 and CVE-2012-0870.
--- smbd/process.c.orig 2009-09-30 12:21:56.000000000 +0000
+++ smbd/process.c
@@ -1159,8 +1159,9 @@ int chain_reply(char *inbuf,char *outbuf
{
static char *orig_inbuf;
static char *orig_outbuf;
+ static int orig_size;
int smb_com1, smb_com2 = CVAL(inbuf,smb_vwv0);
- unsigned smb_off2 = SVAL(inbuf,smb_vwv1);
+ static unsigned smb_off2;
char *inbuf2, *outbuf2;
int outsize2;
int new_size;
@@ -1178,6 +1179,21 @@ int chain_reply(char *inbuf,char *outbuf
/* this is the first part of the chain */
orig_inbuf = inbuf;
orig_outbuf = outbuf;
+ orig_size = size;
+ smb_off2 = 0;
+ }
+
+ if (SVAL(inbuf,smb_vwv1) <= smb_off2) {
+ DEBUG(1, ("AndX offset not increasing\n"));
+ SCVAL(outbuf, smb_vwv0, 0xFF);
+ return;
+ }
+ smb_off2 = SVAL(inbuf, smb_vwv1);
+
+ /* Validate smb_off2 */
+ if ((smb_off2 < smb_wct - 4) || orig_size < (smb_off2 + 4 - smb_wct)) {
+ exit_server_cleanly("Bad chained packet");
+ return -1;
}
/*
@@ -1192,6 +1208,11 @@ int chain_reply(char *inbuf,char *outbuf
SSVAL(outbuf,smb_vwv1,smb_offset(outbuf+outsize,outbuf));
SCVAL(outbuf,smb_vwv0,smb_com2);
+ if (outsize <= smb_wct) {
+ exit_server_cleanly("Bad chained packet");
+ return -1;
+ }
+
/* remember how much the caller added to the chain, only counting stuff
after the parameter words */
chain_size += outsize - smb_wct;
|
