# Description: fix denial of service via unexpected oplock break notification reply
# Patch: http://www.samba.org/samba/ftp/patches/security/samba-3.4.1-CVE-2009-2906.patch
diff -Nur samba-3.4.0/source3/include/smb.h samba-3.4.0.new/source3/include/smb.h
6
--- samba-3.4.0/source3/include/smb.h 2009-07-03 07:21:14.000000000 -0400
7
+++ samba-3.4.0.new/source3/include/smb.h 2009-10-01 08:20:19.000000000 -0400
9
struct timed_event *te;
10
struct smb_perfcount_data pcd;
14
DATA_BLOB private_data;
16
diff -Nur samba-3.4.0/source3/smbd/process.c samba-3.4.0.new/source3/smbd/process.c
17
--- samba-3.4.0/source3/smbd/process.c 2009-07-03 07:21:14.000000000 -0400
18
+++ samba-3.4.0.new/source3/smbd/process.c 2009-10-01 08:20:19.000000000 -0400
20
struct pending_message_list *msg = talloc_get_type(private_data,
21
struct pending_message_list);
22
TALLOC_CTX *mem_ctx = talloc_tos();
23
+ uint16_t mid = SVAL(msg->buf.data,smb_mid);
26
inbuf = (uint8_t *)talloc_memdup(mem_ctx, msg->buf.data,
28
/* We leave this message on the queue so the open code can
29
know this is a retry. */
30
DEBUG(5,("smbd_deferred_open_timer: trigger mid %u.\n",
31
- (unsigned int)SVAL(msg->buf.data,smb_mid)));
32
+ (unsigned int)mid));
34
+ /* Mark the message as processed so this is not
35
+ * re-processed in error. */
36
+ msg->processed = true;
38
process_smb(smbd_server_conn, inbuf,
40
msg->encrypted, &msg->pcd);
42
+ /* If it's still there and was processed, remove it. */
43
+ msg = get_open_deferred_message(mid);
44
+ if (msg && msg->processed) {
45
+ remove_deferred_open_smb_message(mid);
49
/****************************************************************************
52
msg->request_time = request_time;
53
msg->encrypted = req->encrypted;
54
+ msg->processed = false;
55
SMB_PERFCOUNT_DEFER_OP(&req->pcd, &msg->pcd);
60
for (pml = deferred_open_queue; pml; pml = pml->next) {
61
if (mid == SVAL(pml->buf.data,smb_mid)) {
62
- DEBUG(10,("remove_sharing_violation_open_smb_message: "
63
+ DEBUG(10,("remove_deferred_open_smb_message: "
64
"deleting mid %u len %u\n",
66
(unsigned int)pml->buf.length ));
69
struct timed_event *te;
71
+ if (pml->processed) {
72
+ /* A processed message should not be
74
+ DEBUG(0,("schedule_deferred_open_smb_message: LOGIC ERROR "
75
+ "message mid %u was already processed\n",
80
DEBUG(10,("schedule_deferred_open_smb_message: scheduling mid %u\n",
86
/****************************************************************************
87
- Return true if this mid is on the deferred queue.
88
+ Return true if this mid is on the deferred queue and was not yet processed.
89
****************************************************************************/
91
bool open_was_deferred(uint16 mid)
93
struct pending_message_list *pml;
95
for (pml = deferred_open_queue; pml; pml = pml->next) {
96
- if (SVAL(pml->buf.data,smb_mid) == mid) {
97
+ if (SVAL(pml->buf.data,smb_mid) == mid && !pml->processed) {
101
@@ -1299,7 +1320,6 @@
103
if (!change_to_user(conn,session_tag)) {
104
reply_nterror(req, NT_STATUS_DOS(ERRSRV, ERRbaduid));
105
- remove_deferred_open_smb_message(req->mid);