From 482f542aea3e6e9f2dd33f686c0edeee800f33dd Mon Sep 17 00:00:00 2001
From: Gerald Carter
Date: Mon, 5 Feb 2007 14:58:36 +0000
Subject: [PATCH] r21147: committing changes for 3.0.24
---
 WHATSNEW.txt | 46 +++++++++++++++++++++++++++++++++++
 source/modules/vfs_afsacl.c | 2 +-
 source/nsswitch/winbind_nss_solaris.c | 6 +++--
 source/printing/nt_printing.c | 10 ++++----
 source/smbd/nttrans.c | 12 ++++++---
 source/smbd/reply.c | 12 ++++-----
 source/smbd/trans2.c | 6 +++++
 7 files changed, 77 insertions(+), 17 deletions(-)
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 49c5ba50623..d5f5cb3a8c0 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,49 @@
+ ==============================
+ Release Notes for Samba 3.0.24
+ Feb 5, 2007
+ ==============================
+
+This is the latest stable release of Samba. This is the version
+that production Samba servers should be running for all current
+bug-fixes. Please read the changes in this section and for the
+original 3.0.23 release regarding new features and difference
+in behavior from previous releases.
+
+Important issues addressed in 3.0.24 include:
+
+ o Fixes for the following security advisories:
+ - CVE-2007-0452 (Potential Denial of Service bug in smbd)
+ - CVE-2007-0453 (Buffer overrun in NSS host lookup Winbind
+ NSS library on Solaris)
+ - CVE-2007-0454 (Format string bug in afsacl.so VFS plugin)
+
+
+######################################################################
+Changes
+#######
+
+Changes since 3.0.23d
+---------------------
+
+commits
+-------
+
+o Jeremy Allison
+ * Fix for CVE-2007-0452 & CVE-2007-0454
+
+
+o Olivier Gay
+ * Fix for CVE-2007-0453
+
+
+o Volker Lendecke
+ * Fix for CVE-2007-0452
+
+
+
+Release Notes for older release follow:
+
+ --------------------------------------------------
 ===============================
 Release Notes for Samba 3.0.23d
 Nov 14, 2006
diff --git a/source/modules/vfs_afsacl.c b/source/modules/vfs_afsacl.c
index 53272ca06fe..90a3045126d 100644
--- a/source/modules/vfs_afsacl.c
+++ b/source/modules/vfs_afsacl.c
@@ -901,7 +901,7 @@ static BOOL afs_set_nt_acl(vfs_handle_struct *handle, files_struct *fsp,
 ZERO_STRUCT(dir_acl);
 ZERO_STRUCT(file_acl);
- pstr_sprintf(name, fsp->fsp_name);
+ pstrcpy(name, fsp->fsp_name);
 if (!fsp->is_directory) {
 /* We need to get the name of the directory containing the
diff --git a/source/nsswitch/winbind_nss_solaris.c b/source/nsswitch/winbind_nss_solaris.c
index 04f464a7983..3b069d339f2 100644
--- a/source/nsswitch/winbind_nss_solaris.c
+++ b/source/nsswitch/winbind_nss_solaris.c
@@ -493,7 +493,8 @@ _nss_winbind_ipnodes_getbyname(nss_backend_t* be, void *args)
 af = AF_INET6;
 #endif
- strncpy(request.data.winsreq, argp->key.name, strlen(argp->key.name)) ;
+ strncpy(request.data.winsreq, argp->key.name, sizeof(request.data.winsreq) - 1);
+ request.data.winsreq[sizeof(request.data.winsreq) - 1] = '\0';
 if( (ret = winbindd_request_response(WINBINDD_WINS_BYNAME, &request, &response)) == NSS_STATUS_SUCCESS ) {
@@ -515,7 +516,8 @@ _nss_winbind_hosts_getbyname(nss_backend_t* be, void *args)
 ZERO_STRUCT(response);
 ZERO_STRUCT(request);
- strncpy(request.data.winsreq, argp->key.name, strlen(argp->key.name));
+ strncpy(request.data.winsreq, argp->key.name, sizeof(request.data.winsreq) - 1);
+ request.data.winsreq[sizeof(request.data.winsreq) - 1] = '\0';
 if( (ret = winbindd_request_response(WINBINDD_WINS_BYNAME, &request, &response)) == NSS_STATUS_SUCCESS ) {
diff --git a/source/printing/nt_printing.c b/source/printing/nt_printing.c
index 9395275f8ac..25633bf4c8f 100644
--- a/source/printing/nt_printing.c
+++ b/source/printing/nt_printing.c
@@ -4839,7 +4839,7 @@ static BOOL delete_driver_files( NT_PRINTER_DRIVER_INFO_LEVEL_3 *info_3, struct
 pstrcpy( file, s );
 driver_unix_convert(file, conn, NULL, &bad_path, &st);
 DEBUG(10,("deleting driverfile [%s]\n", s));
- unlink_internals(conn, 0, file, False);
+ unlink_internals(conn, 0, file, False, False);
 }
 }
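Review bot: The replacement `pstrcpy(name, fsp->fsp_name);` in afs_set_nt_acl carries no comment saying why a plain copy is required, so nothing stops a later cleanup from turning it back into a printf-style call. The removed line passed `fsp->fsp_name` as the format argument of `pstr_sprintf`, which the release notes in this patch list as the afsacl.so format string bug (CVE-2007-0454). I would add `/* fsp_name is a path taken from the request (presumably client-influenced): copy it, never pass it as a format string */` above the call. The function body starts and ends outside the hunk, so other uses of the name in it are not visible here.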
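Review bot: A lookup name that does not fit in `request.data.winsreq` is now silently truncated in _nss_winbind_ipnodes_getbyname, so the request sent to winbindd asks for a prefix of the name the caller passed and any answer is returned as if it belonged to the full name. The bounded `strncpy` plus explicit terminator does stop the overrun (CVE-2007-0453 in the release notes), but rejecting an over-long name is safer than resolving a different one: `if (strlen(argp->key.name) >= sizeof(request.data.winsreq))` followed by a return of this backend's not-found status, placed before the copy. The same applies to the identical lines in _nss_winbind_hosts_getbyname (hunk at -515). Both function bodies continue outside their hunks, so the exact status value to return is not visible here.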
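Review bot: The updated calls `unlink_internals(conn, 0, file, False, False);` in delete_driver_files now end in two adjacent positional BOOLs, and nothing at the call site says which is has_wild and which is can_defer. Swapping them would still compile, and per the reply.c part of this patch can_defer decides whether the open call inside can_delete is made with `INTERNAL_OPEN_ONLY`. I would annotate the arguments, e.g. `unlink_internals(conn, 0, file, False /* has_wild */, False /* can_defer */);`. The same applies to the other four call sites in this file (hunks at -4848, -4857, -4866, -4882) and to the `can_delete(..., True, False)` calls in nttrans.c (hunks at -664 and -1281). delete_driver_files starts and ends outside these hunks.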
@@ -4848,7 +4848,7 @@ static BOOL delete_driver_files( NT_PRINTER_DRIVER_INFO_LEVEL_3 *info_3, struct
 pstrcpy( file, s );
 driver_unix_convert(file, conn, NULL, &bad_path, &st);
 DEBUG(10,("deleting configfile [%s]\n", s));
- unlink_internals(conn, 0, file, False);
+ unlink_internals(conn, 0, file, False, False);
 }
 }
@@ -4857,7 +4857,7 @@ static BOOL delete_driver_files( NT_PRINTER_DRIVER_INFO_LEVEL_3 *info_3, struct
 pstrcpy( file, s );
 driver_unix_convert(file, conn, NULL, &bad_path, &st);
 DEBUG(10,("deleting datafile [%s]\n", s));
- unlink_internals(conn, 0, file, False);
+ unlink_internals(conn, 0, file, False, False);
 }
 }
@@ -4866,7 +4866,7 @@ static BOOL delete_driver_files( NT_PRINTER_DRIVER_INFO_LEVEL_3 *info_3, struct
 pstrcpy( file, s );
 driver_unix_convert(file, conn, NULL, &bad_path, &st);
 DEBUG(10,("deleting helpfile [%s]\n", s));
- unlink_internals(conn, 0, file, False);
+ unlink_internals(conn, 0, file, False, False);
 }
 }
@@ -4882,7 +4882,7 @@ static BOOL delete_driver_files( NT_PRINTER_DRIVER_INFO_LEVEL_3 *info_3, struct
 pstrcpy( file, p );
 driver_unix_convert(file, conn, NULL, &bad_path, &st);
 DEBUG(10,("deleting dependent file [%s]\n", file));
- unlink_internals(conn, 0, file, False);
+ unlink_internals(conn, 0, file, False, False);
 }
 i++;
diff --git a/source/smbd/nttrans.c b/source/smbd/nttrans.c
index aa6f79e1657..15f427553c8 100644
--- a/source/smbd/nttrans.c
+++ b/source/smbd/nttrans.c
@@ -664,7 +664,7 @@ create_options = 0x%x root_dir_fid = 0x%x\n",
 if (lp_acl_check_permissions(SNUM(conn)) && (share_access & FILE_SHARE_DELETE) && (access_mask & DELETE_ACCESS)) {
 #endif
- status = can_delete(conn, fname, file_attributes, bad_path, True);
+ status = can_delete(conn, fname, file_attributes, bad_path, True, False);
 /* We're only going to fail here if it's access denied, as that's the only error we care about for "can we delete this ?" questions. */
 if (!NT_STATUS_IS_OK(status) && (NT_STATUS_EQUAL(status,NT_STATUS_ACCESS_DENIED) ||
@@ -1281,7 +1281,7 @@ static int call_nt_transact_create(connection_struct *conn, char *inbuf, char *o
 /* Setting FILE_SHARE_DELETE is the hint. */
 if (lp_acl_check_permissions(SNUM(conn)) && (share_access & FILE_SHARE_DELETE) && (access_mask & DELETE_ACCESS)) {
 #endif
- status = can_delete(conn, fname, file_attributes, bad_path, True);
+ status = can_delete(conn, fname, file_attributes, bad_path, True, False);
 /* We're only going to fail here if it's access denied, as that's the only error we care about for "can we delete this ?" questions. */
 if (!NT_STATUS_IS_OK(status) && (NT_STATUS_EQUAL(status,NT_STATUS_ACCESS_DENIED) ||
@@ -1888,8 +1888,14 @@ static int call_nt_transact_rename(connection_struct *conn, char *inbuf, char *o
 status = rename_internals(conn, fsp->fsp_name, new_name, 0, replace_if_exists, path_contains_wcard);
- if (!NT_STATUS_IS_OK(status))
+
+ if (!NT_STATUS_IS_OK(status)) {
+ if (open_was_deferred(SVAL(inbuf,smb_mid))) {
+ /* We have re-scheduled this call. */
+ return -1;
+ }
 return ERROR_NT(status);
+ }
 /*
 * Rename was successful.
diff --git a/source/smbd/reply.c b/source/smbd/reply.c
index e68e8662d74..f0dc7af9fba 100644
--- a/source/smbd/reply.c
+++ b/source/smbd/reply.c
@@ -1865,7 +1865,7 @@ static NTSTATUS can_rename(connection_struct *conn, char *fname, uint16 dirtype,
 Check if a user is allowed to delete a file.
 ********************************************************************/
-NTSTATUS can_delete(connection_struct *conn, char *fname, uint32 dirtype, BOOL bad_path, BOOL check_is_at_open)
+NTSTATUS can_delete(connection_struct *conn, char *fname, uint32 dirtype, BOOL bad_path, BOOL check_is_at_open, BOOL can_defer)
 {
 SMB_STRUCT_STAT sbuf;
 uint32 fattr;
@@ -1938,7 +1938,7 @@ NTSTATUS can_delete(connection_struct *conn, char *fname, uint32 dirtype, BOOL b
 FILE_OPEN,
 0,
 FILE_ATTRIBUTE_NORMAL,
- 0,
+ can_defer ? 0 : INTERNAL_OPEN_ONLY,
 NULL);
 if (!fsp) {
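Review bot: The new early return in call_nt_transact_rename relies on a contract the code does not state: `return -1` after `open_was_deferred()` only makes sense if the caller sends no reply for -1 and the request is replayed later, and the comment `/* We have re-scheduled this call. */` does not say so. I would expand it to `/* Open was deferred and the request re-queued: send no reply now, it will be replayed. */`, with the wording confirmed against the dispatcher, which is not in this diff. Unlike unlink_internals and can_delete, rename_internals gets no can_defer parameter in this patch, so which of its callers may see a deferred open cannot be read from these hunks. The same block is added in trans2.c (hunk at -4446) and the context of the reply_unlink hunk shows it there too; a shared helper would keep the three copies from drifting.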
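Review bot: The new `can_defer` parameter of can_delete is undocumented; the header comment above the signature still reads only "Check if a user is allowed to delete a file." From the hunk at -1938, False makes the open call pass `INTERNAL_OPEN_ONLY` and True passes 0, and the only caller in this patch that passes True (reply_unlink, via unlink_internals) checks `open_was_deferred()` on failure. I would add to the header comment: `can_defer: True only if the caller handles open_was_deferred() on failure; otherwise the open is done with INTERNAL_OPEN_ONLY.` The function body continues outside both hunks.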
@@ -1960,7 +1960,7 @@ NTSTATUS can_delete(connection_struct *conn, char *fname, uint32 dirtype, BOOL b
 code.
 ****************************************************************************/
-NTSTATUS unlink_internals(connection_struct *conn, uint32 dirtype, char *name, BOOL has_wild)
+NTSTATUS unlink_internals(connection_struct *conn, uint32 dirtype, char *name, BOOL has_wild, BOOL can_defer)
 {
 pstring directory;
 pstring mask;
@@ -2000,7 +2000,7 @@ NTSTATUS unlink_internals(connection_struct *conn, uint32 dirtype, char *name, B
 if (!has_wild) {
 pstrcat(directory,"/");
 pstrcat(directory,mask);
- error = can_delete(conn,directory,dirtype,bad_path,False);
+ error = can_delete(conn,directory,dirtype,bad_path,False,can_defer);
 if (!NT_STATUS_IS_OK(error))
 return error;
@@ -2058,7 +2058,7 @@ NTSTATUS unlink_internals(connection_struct *conn, uint32 dirtype, char *name, B
 }
 slprintf(fname,sizeof(fname)-1, "%s/%s",directory,dname);
- error = can_delete(conn,fname,dirtype,bad_path,False);
+ error = can_delete(conn,fname,dirtype,bad_path,False,False);
 if (!NT_STATUS_IS_OK(error)) {
 continue;
 }
@@ -2104,7 +2104,7 @@ int reply_unlink(connection_struct *conn, char *inbuf,char *outbuf, int dum_size
 DEBUG(3,("reply_unlink : %s\n",name));
- status = unlink_internals(conn, dirtype, name, path_contains_wcard);
+ status = unlink_internals(conn, dirtype, name, path_contains_wcard, True);
 if (!NT_STATUS_IS_OK(status)) {
 if (open_was_deferred(SVAL(inbuf,smb_mid))) {
 /* We have re-scheduled this call. */
diff --git a/source/smbd/trans2.c b/source/smbd/trans2.c
index 391795eacc4..445570c6c45 100644
--- a/source/smbd/trans2.c
+++ b/source/smbd/trans2.c
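Review bot: In the wildcard loop of unlink_internals (hunk at -2058) the call is `can_delete(conn,fname,dirtype,bad_path,False,False)` while the non-wildcard branch (hunk at -2000) forwards `can_defer`, and nothing explains the difference. It looks deliberate, presumably because a deferred open cannot be resumed part-way through a directory scan, but a reader comparing the two calls will take it for an oversight. I would add `/* never defer inside the wildcard loop: the request cannot be re-run from mid-scan */` above the call, with the reason confirmed by the author. The loop starts and ends outside the hunk.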
@@ -4446,9 +4446,15 @@ size = %.0f, uid = %u, gid = %u, raw perms = 0%o\n",
 fname, newname ));
 status = rename_internals(conn, fname, base_name, 0, overwrite, False);
 }
+
 if (!NT_STATUS_IS_OK(status)) {
+ if (open_was_deferred(SVAL(inbuf,smb_mid))) {
+ /* We have re-scheduled this call. */
+ return -1;
+ }
 return ERROR_NT(status);
 }
+
 process_pending_change_notify_queue((time_t)0);
 SSVAL(params,0,0);
 send_trans2_replies(outbuf, bufsize, params, 2, *ppdata, 0);
--
2.11.4.GIT