
Viewing changes to debian/patches/security-CVE-2009-2906.patch

  • Committer: Bazaar Package Importer
  • Author(s): Chuck Short
  • Date: 2010-01-29 06:16:15 UTC
  • mfrom: (0.27.9 upstream) (0.34.4 squeeze)
  • Revision ID: james.westby@ubuntu.com-20100129061615-37hs6xqpsdhjq3ld
Tags: 2:3.4.5~dfsg-1ubuntu1
* Merge from debian testing.  Remaining changes:
  + debian/patches/VERSION.patch:
    - set SAMBA_VERSION_SUFFIX to Ubuntu.
  + debian/smb.conf:
    - Add "(Samba, Ubuntu)" to server string.
    - Comment out the default [homes] share, and add a comment about "valid users = %s"
      to show users how to restrict access to \\server\username to only username.
    - Set 'usershare allow guests', so that usershare admins are allowed to create
      public shares in addition to authenticated ones.
    - add map to guest = Bad user, maps bad username to guest access.
  + debian/samba-common.conf:
    - Do not change priority to high if dhclient3 is installed.
    - Use priority medium instead of high for the workgroup question.
  + debian/mksambapasswd.awk:
    - Do not add user with UID less than 1000 to smbpasswd.
  + debian/control: 
    - Make libswbclient0 replace/conflict with hardy's likewise-open.
    - Don't build against ctdb, since its not in main yet.
  + debian/rules:
    - Enable "native" PIE hardening.
    - Add BIND_NOW to maximize benefit of RELRO hardening.
  + Add ufw integration:
    - Created debian/samba.ufw.profile.
    - debian/rules, debian/samba.dirs, debian/samba.files: install
  + Add apoort hook:
    - Created debian/source_samba.py.
    - debian/rules, debian/samba.dirs, debian/samba-common-bin.files: install
  + debian/rules, debian/samba.if-up: allow "NetworkManager" as a recognized address
    family... it's obviously /not/ an address family, but it's what gets
    sent when using NM, so we'll cope for now.  (LP: #462169). Taken from karmic-proposed.
  + debian/control: Recommend keyutils for smbfs (LP: #493565)
  + Dropped patches:
    - debian/patches/security-CVE-2009-3297.patch: No longer needed
    - debian/patches/fix-too-many-open-files.patch: No longer needed

1
 
#
2
 
# Description: fix denial of service via unexpected oplock break notification reply
3
 
# Patch: http://www.samba.org/samba/ftp/patches/security/samba-3.4.1-CVE-2009-2906.patch
4
 
#
5
 
diff -Nur samba-3.4.0/source3/include/smb.h samba-3.4.0.new/source3/include/smb.h
6
 
--- samba-3.4.0/source3/include/smb.h   2009-07-03 07:21:14.000000000 -0400
7
 
+++ samba-3.4.0.new/source3/include/smb.h       2009-10-01 08:20:19.000000000 -0400
8
 
@@ -723,6 +723,7 @@
9
 
        struct timed_event *te;
10
 
        struct smb_perfcount_data pcd;
11
 
        bool encrypted;
12
 
+       bool processed;
13
 
        DATA_BLOB buf;
14
 
        DATA_BLOB private_data;
15
 
 };
16
 
diff -Nur samba-3.4.0/source3/smbd/process.c samba-3.4.0.new/source3/smbd/process.c
17
 
--- samba-3.4.0/source3/smbd/process.c  2009-07-03 07:21:14.000000000 -0400
18
 
+++ samba-3.4.0.new/source3/smbd/process.c      2009-10-01 08:20:19.000000000 -0400
19
 
@@ -411,6 +411,7 @@
20
 
        struct pending_message_list *msg = talloc_get_type(private_data,
21
 
                                           struct pending_message_list);
22
 
        TALLOC_CTX *mem_ctx = talloc_tos();
23
 
+       uint16_t mid = SVAL(msg->buf.data,smb_mid);
24
 
        uint8_t *inbuf;
25
 
 
26
 
        inbuf = (uint8_t *)talloc_memdup(mem_ctx, msg->buf.data,
27
 
@@ -423,11 +424,21 @@
28
 
        /* We leave this message on the queue so the open code can
29
 
           know this is a retry. */
30
 
        DEBUG(5,("smbd_deferred_open_timer: trigger mid %u.\n",
31
 
-               (unsigned int)SVAL(msg->buf.data,smb_mid)));
32
 
+               (unsigned int)mid));
33
 
+
34
 
+       /* Mark the message as processed so this is not
35
 
+        * re-processed in error. */
36
 
+       msg->processed = true;
37
 
 
38
 
        process_smb(smbd_server_conn, inbuf,
39
 
                    msg->buf.length, 0,
40
 
                    msg->encrypted, &msg->pcd);
41
 
+
42
 
+       /* If it's still there and was processed, remove it. */
43
 
+       msg = get_open_deferred_message(mid);
44
 
+       if (msg && msg->processed) {
45
 
+               remove_deferred_open_smb_message(mid);
46
 
+       }
47
 
 }
48
 
 
49
 
 /****************************************************************************
50
 
@@ -459,6 +470,7 @@
51
 
 
52
 
        msg->request_time = request_time;
53
 
        msg->encrypted = req->encrypted;
54
 
+       msg->processed = false;
55
 
        SMB_PERFCOUNT_DEFER_OP(&req->pcd, &msg->pcd);
56
 
 
57
 
        if (private_data) {
58
 
@@ -500,7 +512,7 @@
59
 
 
60
 
        for (pml = deferred_open_queue; pml; pml = pml->next) {
61
 
                if (mid == SVAL(pml->buf.data,smb_mid)) {
62
 
-                       DEBUG(10,("remove_sharing_violation_open_smb_message: "
63
 
+                       DEBUG(10,("remove_deferred_open_smb_message: "
64
 
                                  "deleting mid %u len %u\n",
65
 
                                  (unsigned int)mid,
66
 
                                  (unsigned int)pml->buf.length ));
67
 
@@ -530,6 +542,15 @@
68
 
                if (mid == msg_mid) {
69
 
                        struct timed_event *te;
70
 
 
71
 
+                       if (pml->processed) {
72
 
+                               /* A processed message should not be
73
 
+                                * rescheduled. */
74
 
+                               DEBUG(0,("schedule_deferred_open_smb_message: LOGIC ERROR "
75
 
+                                       "message mid %u was already processed\n",
76
 
+                                       msg_mid ));
77
 
+                               continue;
78
 
+                       }
79
 
+
80
 
                        DEBUG(10,("schedule_deferred_open_smb_message: scheduling mid %u\n",
81
 
                                mid ));
82
 
 
83
 
@@ -556,7 +577,7 @@
84
 
 }
85
 
 
86
 
 /****************************************************************************
87
 
- Return true if this mid is on the deferred queue.
88
 
+ Return true if this mid is on the deferred queue and was not yet processed.
89
 
 ****************************************************************************/
90
 
 
91
 
 bool open_was_deferred(uint16 mid)
92
 
@@ -564,7 +585,7 @@
93
 
        struct pending_message_list *pml;
94
 
 
95
 
        for (pml = deferred_open_queue; pml; pml = pml->next) {
96
 
-               if (SVAL(pml->buf.data,smb_mid) == mid) {
97
 
+               if (SVAL(pml->buf.data,smb_mid) == mid && !pml->processed) {
98
 
                        return True;
99
 
                }
100
 
        }
101
 
@@ -1299,7 +1320,6 @@
102
 
 
103
 
                if (!change_to_user(conn,session_tag)) {
104
 
                        reply_nterror(req, NT_STATUS_DOS(ERRSRV, ERRbaduid));
105
 
-                       remove_deferred_open_smb_message(req->mid);
106
 
                        return conn;
107
 
                }
108