search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
(parent: 237fc6b) | patch
Fix bug #7669.
commit0c8ba5758a9c6f720260bd3bcbbb013936baa367
authorJeremy Allison <jra@samba.org>
Thu, 9 Sep 2010 13:43:07 +0000 (9 15:43 +0200)
committerKarolin Seeger <kseeger@samba.org>
Wed, 15 Sep 2010 19:02:03 +0000 (15 21:02 +0200)
treeb10366355a2a1a5181448739f4871bc5dd613071tree | snapshot (tar.gz zip)
parent237fc6b80f4b281451e1c949018d92790f817f1fcommit | diff
Fix bug #7669.

Fix bug #7669 (buffer overflow in sid_parse() in Samba3 and dom_sid_parse in
Samba4).

CVE-2010-3069:

===========
Description
===========

All current released versions of Samba are vulnerable to
a buffer overrun vulnerability. The sid_parse() function
(and related dom_sid_parse() function in the source4 code)
do not correctly check their input lengths when reading a
binary representation of a Windows SID (Security ID). This
allows a malicious client to send a sid that can overflow
the stack variable that is being used to store the SID in the
Samba smbd server.

A connection to a file share is needed to exploit this
vulnerability, either authenticated or unauthenticated
(guest connection).
(cherry picked from commit df1c76e2275068d1006e82a4a21d42b58175268b)
source/lib/util_sid.c diff | blob | blame | history
source/libads/ldap.c diff | blob | blame | history
source/libsmb/cliquota.c diff | blob | blame | history
source/smbd/nttrans.c diff | blob | blame | history
Samba GIT mirror