From ced6c9df4328eea1c10bba11be8c02debe499ec4 Mon Sep 17 00:00:00 2001 From: Gustavo Zacarias Date: Thu, 28 Jul 2011 17:14:03 -0300 Subject: [PATCH] samba: bump to version 3.3.15 Bump samba to version 3.3.15 and add security patches for CVE-2011-2522 and CVE-2011-2694. Signed-off-by: Gustavo Zacarias Signed-off-by: Peter Korsgaard --- package/samba/samba-00CVE-2011-2694.patch | 55 ++ package/samba/samba-01CVE-2011-2522.patch | 749 ++++++++++++++++++++++ package/samba/samba-CVE-2011-0719.patch | 613 ------------------ package/samba/samba.mk | 7 +- 4 files changed, 808 insertions(+), 616 deletions(-) create mode 100644 package/samba/samba-00CVE-2011-2694.patch create mode 100644 package/samba/samba-01CVE-2011-2522.patch delete mode 100644 package/samba/samba-CVE-2011-0719.patch diff --git a/package/samba/samba-00CVE-2011-2694.patch b/package/samba/samba-00CVE-2011-2694.patch new file mode 100644 index 0000000000..167accfad4 --- /dev/null +++ b/package/samba/samba-00CVE-2011-2694.patch @@ -0,0 +1,55 @@ +From d401ccaedaec09ad6900ec24ecaf205bed3e3ac1 Mon Sep 17 00:00:00 2001 +From: Kai Blin +Date: Thu, 7 Jul 2011 10:03:33 +0200 +Subject: [PATCH] s3 swat: Fix possible XSS attack (bug #8289) + +Nobuhiro Tsuji of NTT DATA SECURITY CORPORATION reported a possible XSS attack +against SWAT, the Samba Web Administration Tool. The attack uses reflection to +insert arbitrary content into the "change password" page. + +This patch fixes the reflection issue by not printing user-specified content on +the website anymore. + +Signed-off-by: Kai Blin + +CVE-2011-2694. +--- + source/web/swat.c | 14 ++------------ + 1 files changed, 2 insertions(+), 12 deletions(-) + +diff --git a/source/web/swat.c b/source/web/swat.c +index 9c7294a..434b1ac 100644 +--- a/source/web/swat.c ++++ b/source/web/swat.c +@@ -1120,11 +1120,9 @@ static void chg_passwd(void) + if(cgi_variable(CHG_S_PASSWD_FLAG)) { + printf("

"); + if (rslt == True) { +- printf(_(" The passwd for '%s' has been changed."), cgi_variable_nonull(SWAT_USER)); +- printf("\n"); ++ printf("%s\n", _(" The passwd has been changed.")); + } else { +- printf(_(" The passwd for '%s' has NOT been changed."), cgi_variable_nonull(SWAT_USER)); +- printf("\n"); ++ printf("%s\n", _(" The passwd has NOT been changed.")); + } + } + +@@ -1138,14 +1136,6 @@ static void passwd_page(void) + { + const char *new_name = cgi_user_name(); + +- /* +- * After the first time through here be nice. If the user +- * changed the User box text to another users name, remember it. +- */ +- if (cgi_variable(SWAT_USER)) { +- new_name = cgi_variable_nonull(SWAT_USER); +- } +- + if (!new_name) new_name = ""; + + printf("

%s

\n", _("Server Password Management")); +-- +1.7.1 + diff --git a/package/samba/samba-01CVE-2011-2522.patch b/package/samba/samba-01CVE-2011-2522.patch new file mode 100644 index 0000000000..7d48b554c0 --- /dev/null +++ b/package/samba/samba-01CVE-2011-2522.patch @@ -0,0 +1,749 @@ +From b610e0cee563465c6b970647b215f8ae4d0c6599 Mon Sep 17 00:00:00 2001 +From: Kai Blin +Date: Fri, 8 Jul 2011 12:56:21 +0200 +Subject: [PATCH 01/12] s3 swat: Allow getting the user's HTTP auth password + +Signed-off-by: Kai Blin +--- + source/web/cgi.c | 9 +++++++++ + source/web/swat_proto.h | 1 + + 2 files changed, 10 insertions(+), 0 deletions(-) + +diff --git a/source/web/cgi.c b/source/web/cgi.c +index 72aa11c..ccdc3a7 100644 +--- a/source/web/cgi.c ++++ b/source/web/cgi.c +@@ -42,6 +42,7 @@ static char *query_string; + static const char *baseurl; + static char *pathinfo; + static char *C_user; ++static char *C_pass; + static bool inetd_server; + static bool got_request; + +@@ -388,6 +389,7 @@ static bool cgi_handle_authorization(char *line) + + /* Save the users name */ + C_user = SMB_STRDUP(user); ++ C_pass = SMB_STRDUP(user_pass); + TALLOC_FREE(pass); + return True; + } +@@ -422,6 +424,13 @@ char *cgi_user_name(void) + return(C_user); + } + ++/*************************************************************************** ++return a ptr to the users password ++ ***************************************************************************/ ++char *cgi_user_pass(void) ++{ ++ return(C_pass); ++} + + /*************************************************************************** + handle a file download +diff --git a/source/web/swat_proto.h b/source/web/swat_proto.h +index 0f84e4f..76f9c3c 100644 +--- a/source/web/swat_proto.h ++++ b/source/web/swat_proto.h +@@ -31,6 +31,7 @@ const char *cgi_variable(const char *name); + const char *cgi_variable_nonull(const char *name); + bool am_root(void); + char *cgi_user_name(void); ++char *cgi_user_pass(void); + void cgi_setup(const char *rootdir, int auth_required); + const char *cgi_baseurl(void); + const char *cgi_pathinfo(void); +-- +1.7.1 + + +From 3806fec53dcf3b6e5c3fd71917f9d67d47c65e32 Mon Sep 17 00:00:00 2001 +From: Kai Blin +Date: Fri, 8 Jul 2011 12:57:43 +0200 +Subject: [PATCH 02/12] s3 swat: Add support for anti-XSRF token + +Signed-off-by: Kai Blin +--- + source/web/swat.c | 54 +++++++++++++++++++++++++++++++++++++++++++++++ + source/web/swat_proto.h | 5 ++++ + 2 files changed, 59 insertions(+), 0 deletions(-) + +diff --git a/source/web/swat.c b/source/web/swat.c +index 434b1ac..e7d84e5 100644 +--- a/source/web/swat.c ++++ b/source/web/swat.c +@@ -29,6 +29,7 @@ + + #include "includes.h" + #include "web/swat_proto.h" ++#include "../lib/crypto/md5.h" + + static int demo_mode = False; + static int passwd_only = False; +@@ -50,6 +51,7 @@ static int iNumNonAutoPrintServices = 0; + #define DISABLE_USER_FLAG "disable_user_flag" + #define ENABLE_USER_FLAG "enable_user_flag" + #define RHOST "remote_host" ++#define XSRF_TOKEN "xsrf" + + #define _(x) lang_msg_rotate(talloc_tos(),x) + +@@ -138,6 +140,58 @@ static char *make_parm_name(const char *label) + return parmname; + } + ++void get_xsrf_token(const char *username, const char *pass, ++ const char *formname, char token_str[33]) ++{ ++ struct MD5Context md5_ctx; ++ uint8_t token[16]; ++ int i; ++ ++ token_str[0] = '\0'; ++ ZERO_STRUCT(md5_ctx); ++ MD5Init(&md5_ctx); ++ ++ MD5Update(&md5_ctx, (uint8_t *)formname, strlen(formname)); ++ if (username != NULL) { ++ MD5Update(&md5_ctx, (uint8_t *)username, strlen(username)); ++ } ++ if (pass != NULL) { ++ MD5Update(&md5_ctx, (uint8_t *)pass, strlen(pass)); ++ } ++ ++ MD5Final(token, &md5_ctx); ++ ++ for(i = 0; i < sizeof(token); i++) { ++ char tmp[3]; ++ ++ snprintf(tmp, sizeof(tmp), "%02x", token[i]); ++ strncat(token_str, tmp, sizeof(tmp)); ++ } ++} ++ ++void print_xsrf_token(const char *username, const char *pass, ++ const char *formname) ++{ ++ char token[33]; ++ ++ get_xsrf_token(username, pass, formname, token); ++ printf("\n", ++ XSRF_TOKEN, token); ++ ++} ++ ++bool verify_xsrf_token(const char *formname) ++{ ++ char expected[33]; ++ const char *username = cgi_user_name(); ++ const char *pass = cgi_user_pass(); ++ const char *token = cgi_variable_nonull(XSRF_TOKEN); ++ ++ get_xsrf_token(username, pass, formname, expected); ++ return (strncmp(expected, token, sizeof(expected)) == 0); ++} ++ ++ + /**************************************************************************** + include a lump of html in a page + ****************************************************************************/ +diff --git a/source/web/swat_proto.h b/source/web/swat_proto.h +index 76f9c3c..e66c942 100644 +--- a/source/web/swat_proto.h ++++ b/source/web/swat_proto.h +@@ -67,5 +67,10 @@ void status_page(void); + /* The following definitions come from web/swat.c */ + + const char *lang_msg_rotate(TALLOC_CTX *ctx, const char *msgid); ++void get_xsrf_token(const char *username, const char *pass, ++ const char *formname, char token_str[33]); ++void print_xsrf_token(const char *username, const char *pass, ++ const char *formname); ++bool verify_xsrf_token(const char *formname); + + #endif /* _SWAT_PROTO_H_ */ +-- +1.7.1 + + +From 3f38cf42facc38c19e0448cbae3078b9606b08e4 Mon Sep 17 00:00:00 2001 +From: Kai Blin +Date: Fri, 8 Jul 2011 12:58:53 +0200 +Subject: [PATCH 03/12] s3 swat: Add XSRF protection to status page + +Signed-off-by: Kai Blin +--- + source/web/statuspage.c | 7 +++++++ + 1 files changed, 7 insertions(+), 0 deletions(-) + +diff --git a/source/web/statuspage.c b/source/web/statuspage.c +index 8070ae7..fe545e4 100644 +--- a/source/web/statuspage.c ++++ b/source/web/statuspage.c +@@ -247,9 +247,14 @@ void status_page(void) + int nr_running=0; + bool waitup = False; + TALLOC_CTX *ctx = talloc_stackframe(); ++ const char form_name[] = "status"; + + smbd_pid = pid_to_procid(pidfile_pid("smbd")); + ++ if (!verify_xsrf_token(form_name)) { ++ goto output_page; ++ } ++ + if (cgi_variable("smbd_restart") || cgi_variable("all_restart")) { + stop_smbd(); + start_smbd(); +@@ -326,9 +331,11 @@ void status_page(void) + + initPid2Machine (); + ++output_page: + printf("

%s

\n", _("Server Status")); + + printf("
\n"); ++ print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name); + + if (!autorefresh) { + printf("\n", _("Auto Refresh")); +-- +1.7.1 + + +From ba996f0ae87f6bf4f19a4918e44dbd6d44a96561 Mon Sep 17 00:00:00 2001 +From: Kai Blin +Date: Fri, 8 Jul 2011 15:02:53 +0200 +Subject: [PATCH 04/12] s3 swat: Add XSRF protection to viewconfig page + +Signed-off-by: Kai Blin +--- + source/web/swat.c | 7 +++++++ + 1 files changed, 7 insertions(+), 0 deletions(-) + +diff --git a/source/web/swat.c b/source/web/swat.c +index e7d84e5..647126f 100644 +--- a/source/web/swat.c ++++ b/source/web/swat.c +@@ -664,13 +664,20 @@ static void welcome_page(void) + static void viewconfig_page(void) + { + int full_view=0; ++ const char form_name[] = "viewconfig"; ++ ++ if (!verify_xsrf_token(form_name)) { ++ goto output_page; ++ } + + if (cgi_variable("full_view")) { + full_view = 1; + } + ++output_page: + printf("

%s

\n", _("Current Config")); + printf("\n"); ++ print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name); + + if (full_view) { + printf("\n", _("Normal View")); +-- +1.7.1 + + +From 94f8482607a175c44436fae456fbda3624629982 Mon Sep 17 00:00:00 2001 +From: Kai Blin +Date: Fri, 8 Jul 2011 15:03:15 +0200 +Subject: [PATCH 05/12] s3 swat: Add XSRF protection to wizard_params page + +Signed-off-by: Kai Blin +--- + source/web/swat.c | 7 +++++++ + 1 files changed, 7 insertions(+), 0 deletions(-) + +diff --git a/source/web/swat.c b/source/web/swat.c +index 647126f..b7eec4a 100644 +--- a/source/web/swat.c ++++ b/source/web/swat.c +@@ -697,18 +697,25 @@ output_page: + static void wizard_params_page(void) + { + unsigned int parm_filter = FLAG_WIZARD; ++ const char form_name[] = "wizard_params"; + + /* Here we first set and commit all the parameters that were selected + in the previous screen. */ + + printf("

%s

\n", _("Wizard Parameter Edit Page")); + ++ if (!verify_xsrf_token(form_name)) { ++ goto output_page; ++ } ++ + if (cgi_variable("Commit")) { + commit_parameters(GLOBAL_SECTION_SNUM); + save_reload(0); + } + ++output_page: + printf("\n"); ++ print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name); + + if (have_write_access) { + printf("\n"); +-- +1.7.1 + + +From eb22fd73060534700d514ec295985549131c7569 Mon Sep 17 00:00:00 2001 +From: Kai Blin +Date: Fri, 8 Jul 2011 15:03:44 +0200 +Subject: [PATCH 06/12] s3 swat: Add XSRF protection to wizard page + +Signed-off-by: Kai Blin +--- + source/web/swat.c | 9 ++++++++- + 1 files changed, 8 insertions(+), 1 deletions(-) + +diff --git a/source/web/swat.c b/source/web/swat.c +index b7eec4a..b6e0c0f 100644 +--- a/source/web/swat.c ++++ b/source/web/swat.c +@@ -751,6 +751,11 @@ static void wizard_page(void) + int have_home = -1; + int HomeExpo = 0; + int SerType = 0; ++ const char form_name[] = "wizard"; ++ ++ if (!verify_xsrf_token(form_name)) { ++ goto output_page; ++ } + + if (cgi_variable("Rewrite")) { + (void) rewritecfg_file(); +@@ -841,10 +846,12 @@ static void wizard_page(void) + winstype = 3; + + role = lp_server_role(); +- ++ ++output_page: + /* Here we go ... */ + printf("

%s

\n", _("Samba Configuration Wizard")); + printf("\n"); ++ print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name); + + if (have_write_access) { + printf("%s\n", _("The \"Rewrite smb.conf file\" button will clear the smb.conf file of all default values and of comments.")); +-- +1.7.1 + + +From 8fb3064eeaa3640af6c8b91aa5859d8bfb6d0888 Mon Sep 17 00:00:00 2001 +From: Kai Blin +Date: Fri, 8 Jul 2011 15:04:12 +0200 +Subject: [PATCH 07/12] s3 swat: Add XSRF protection to globals page + +Signed-off-by: Kai Blin +--- + source/web/swat.c | 7 +++++++ + 1 files changed, 7 insertions(+), 0 deletions(-) + +diff --git a/source/web/swat.c b/source/web/swat.c +index b6e0c0f..5d11685 100644 +--- a/source/web/swat.c ++++ b/source/web/swat.c +@@ -920,9 +920,14 @@ static void globals_page(void) + { + unsigned int parm_filter = FLAG_BASIC; + int mode = 0; ++ const char form_name[] = "globals"; + + printf("

%s

\n", _("Global Parameters")); + ++ if (!verify_xsrf_token(form_name)) { ++ goto output_page; ++ } ++ + if (cgi_variable("Commit")) { + commit_parameters(GLOBAL_SECTION_SNUM); + save_reload(0); +@@ -935,7 +940,9 @@ static void globals_page(void) + if ( cgi_variable("AdvMode")) + mode = 1; + ++output_page: + printf("\n"); ++ print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name); + + ViewModeBoxes( mode ); + switch ( mode ) { +-- +1.7.1 + + +From ef457a20422cfa8231e25b539d2cd87f299686b9 Mon Sep 17 00:00:00 2001 +From: Kai Blin +Date: Fri, 8 Jul 2011 15:04:48 +0200 +Subject: [PATCH 08/12] s3 swat: Add XSRF protection to shares page + +Signed-off-by: Kai Blin +--- + source/web/swat.c | 18 +++++++++++++----- + 1 files changed, 13 insertions(+), 5 deletions(-) + +diff --git a/source/web/swat.c b/source/web/swat.c +index 5d11685..4544c31 100644 +--- a/source/web/swat.c ++++ b/source/web/swat.c +@@ -982,11 +982,17 @@ static void shares_page(void) + int mode = 0; + unsigned int parm_filter = FLAG_BASIC; + size_t converted_size; ++ const char form_name[] = "shares"; ++ ++ printf("

%s

\n", _("Share Parameters")); ++ ++ if (!verify_xsrf_token(form_name)) { ++ goto output_page; ++ } + + if (share) + snum = lp_servicenumber(share); + +- printf("

%s

\n", _("Share Parameters")); + + if (cgi_variable("Commit") && snum >= 0) { + commit_parameters(snum); +@@ -1012,10 +1018,6 @@ static void shares_page(void) + } + } + +- printf("\n"); +- +- printf("\n"); +- + if ( cgi_variable("ViewMode") ) + mode = atoi(cgi_variable_nonull("ViewMode")); + if ( cgi_variable("BasicMode")) +@@ -1023,6 +1025,12 @@ static void shares_page(void) + if ( cgi_variable("AdvMode")) + mode = 1; + ++output_page: ++ printf("\n"); ++ print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name); ++ ++ printf("
\n"); ++ + ViewModeBoxes( mode ); + switch ( mode ) { + case 0: +-- +1.7.1 + + +From 4850456845d2da5e3451716a5ad4ca0ef034e01f Mon Sep 17 00:00:00 2001 +From: Kai Blin +Date: Fri, 8 Jul 2011 15:05:38 +0200 +Subject: [PATCH 09/12] s3 swat: Add XSRF protection to password page + +Signed-off-by: Kai Blin +--- + source/web/swat.c | 11 ++++++++--- + 1 files changed, 8 insertions(+), 3 deletions(-) + +diff --git a/source/web/swat.c b/source/web/swat.c +index 4544c31..5242484 100644 +--- a/source/web/swat.c ++++ b/source/web/swat.c +@@ -1225,12 +1225,15 @@ static void chg_passwd(void) + static void passwd_page(void) + { + const char *new_name = cgi_user_name(); ++ const char passwd_form[] = "passwd"; ++ const char rpasswd_form[] = "rpasswd"; + + if (!new_name) new_name = ""; + + printf("

%s

\n", _("Server Password Management")); + + printf("\n"); ++ print_xsrf_token(cgi_user_name(), cgi_user_pass(), passwd_form); + + printf("
\n"); + +@@ -1270,14 +1273,16 @@ static void passwd_page(void) + * Do some work if change, add, disable or enable was + * requested. It could be this is the first time through this + * code, so there isn't anything to do. */ +- if ((cgi_variable(CHG_S_PASSWD_FLAG)) || (cgi_variable(ADD_USER_FLAG)) || (cgi_variable(DELETE_USER_FLAG)) || +- (cgi_variable(DISABLE_USER_FLAG)) || (cgi_variable(ENABLE_USER_FLAG))) { ++ if (verify_xsrf_token(passwd_form) && ++ ((cgi_variable(CHG_S_PASSWD_FLAG)) || (cgi_variable(ADD_USER_FLAG)) || (cgi_variable(DELETE_USER_FLAG)) || ++ (cgi_variable(DISABLE_USER_FLAG)) || (cgi_variable(ENABLE_USER_FLAG)))) { + chg_passwd(); + } + + printf("

%s

\n", _("Client/Server Password Management")); + + printf("\n"); ++ print_xsrf_token(cgi_user_name(), cgi_user_pass(), rpasswd_form); + + printf("
\n"); + +@@ -1310,7 +1315,7 @@ static void passwd_page(void) + * password somewhere other than the server. It could be this + * is the first time through this code, so there isn't + * anything to do. */ +- if (cgi_variable(CHG_R_PASSWD_FLAG)) { ++ if (verify_xsrf_token(passwd_form) && cgi_variable(CHG_R_PASSWD_FLAG)) { + chg_passwd(); + } + +-- +1.7.1 + + +From 407ae61fbfc8ee1643a4db8ea9b104f031b32e0f Mon Sep 17 00:00:00 2001 +From: Kai Blin +Date: Fri, 8 Jul 2011 15:06:13 +0200 +Subject: [PATCH 10/12] s3 swat: Add XSRF protection to printer page + +Signed-off-by: Kai Blin +--- + source/web/swat.c | 28 ++++++++++++++++++---------- + 1 files changed, 18 insertions(+), 10 deletions(-) + +diff --git a/source/web/swat.c b/source/web/swat.c +index 5242484..4582a63 100644 +--- a/source/web/swat.c ++++ b/source/web/swat.c +@@ -1332,18 +1332,15 @@ static void printers_page(void) + int i; + int mode = 0; + unsigned int parm_filter = FLAG_BASIC; ++ const char form_name[] = "printers"; ++ ++ if (!verify_xsrf_token(form_name)) { ++ goto output_page; ++ } + + if (share) + snum = lp_servicenumber(share); + +- printf("

%s

\n", _("Printer Parameters")); +- +- printf("

%s

\n", _("Important Note:")); +- printf("%s",_("Printer names marked with [*] in the Choose Printer drop-down box ")); +- printf("%s",_("are autoloaded printers from ")); +- printf("%s\n", _("Printcap Name")); +- printf("%s\n", _("Attempting to delete these printers from SWAT will have no effect.")); +- + if (cgi_variable("Commit") && snum >= 0) { + commit_parameters(snum); + if (snum >= iNumNonAutoPrintServices) +@@ -1372,8 +1369,6 @@ static void printers_page(void) + } + } + +- printf("\n"); +- + if ( cgi_variable("ViewMode") ) + mode = atoi(cgi_variable_nonull("ViewMode")); + if ( cgi_variable("BasicMode")) +@@ -1381,6 +1376,19 @@ static void printers_page(void) + if ( cgi_variable("AdvMode")) + mode = 1; + ++output_page: ++ printf("

%s

\n", _("Printer Parameters")); ++ ++ printf("

%s

\n", _("Important Note:")); ++ printf("%s",_("Printer names marked with [*] in the Choose Printer drop-down box ")); ++ printf("%s",_("are autoloaded printers from ")); ++ printf("%s\n", _("Printcap Name")); ++ printf("%s\n", _("Attempting to delete these printers from SWAT will have no effect.")); ++ ++ ++ printf("\n"); ++ print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name); ++ + ViewModeBoxes( mode ); + switch ( mode ) { + case 0: +-- +1.7.1 + + +From 11e281228f334bf3d384df5655136f0b4b4068aa Mon Sep 17 00:00:00 2001 +From: Kai Blin +Date: Sat, 9 Jul 2011 09:52:07 +0200 +Subject: [PATCH 11/12] s3 swat: Add time component to XSRF token + +Signed-off-by: Kai Blin +--- + source/web/swat.c | 28 ++++++++++++++++++++++++---- + source/web/swat_proto.h | 2 +- + 2 files changed, 25 insertions(+), 5 deletions(-) + +diff --git a/source/web/swat.c b/source/web/swat.c +index 4582a63..50df66e 100644 +--- a/source/web/swat.c ++++ b/source/web/swat.c +@@ -52,6 +52,8 @@ static int iNumNonAutoPrintServices = 0; + #define ENABLE_USER_FLAG "enable_user_flag" + #define RHOST "remote_host" + #define XSRF_TOKEN "xsrf" ++#define XSRF_TIME "xsrf_time" ++#define XSRF_TIMEOUT 300 + + #define _(x) lang_msg_rotate(talloc_tos(),x) + +@@ -141,7 +143,7 @@ static char *make_parm_name(const char *label) + } + + void get_xsrf_token(const char *username, const char *pass, +- const char *formname, char token_str[33]) ++ const char *formname, time_t xsrf_time, char token_str[33]) + { + struct MD5Context md5_ctx; + uint8_t token[16]; +@@ -152,6 +154,7 @@ void get_xsrf_token(const char *username, const char *pass, + MD5Init(&md5_ctx); + + MD5Update(&md5_ctx, (uint8_t *)formname, strlen(formname)); ++ MD5Update(&md5_ctx, (uint8_t *)&xsrf_time, sizeof(time_t)); + if (username != NULL) { + MD5Update(&md5_ctx, (uint8_t *)username, strlen(username)); + } +@@ -173,11 +176,13 @@ void print_xsrf_token(const char *username, const char *pass, + const char *formname) + { + char token[33]; ++ time_t xsrf_time = time(NULL); + +- get_xsrf_token(username, pass, formname, token); ++ get_xsrf_token(username, pass, formname, xsrf_time, token); + printf("\n", + XSRF_TOKEN, token); +- ++ printf("\n", ++ XSRF_TIME, (long long int)xsrf_time); + } + + bool verify_xsrf_token(const char *formname) +@@ -186,8 +191,23 @@ bool verify_xsrf_token(const char *formname) + const char *username = cgi_user_name(); + const char *pass = cgi_user_pass(); + const char *token = cgi_variable_nonull(XSRF_TOKEN); ++ const char *time_str = cgi_variable_nonull(XSRF_TIME); ++ time_t xsrf_time = 0; ++ time_t now = time(NULL); ++ ++ if (sizeof(time_t) == sizeof(int)) { ++ xsrf_time = atoi(time_str); ++ } else if (sizeof(time_t) == sizeof(long)) { ++ xsrf_time = atol(time_str); ++ } else if (sizeof(time_t) == sizeof(long long)) { ++ xsrf_time = atoll(time_str); ++ } ++ ++ if (abs(now - xsrf_time) > XSRF_TIMEOUT) { ++ return false; ++ } + +- get_xsrf_token(username, pass, formname, expected); ++ get_xsrf_token(username, pass, formname, xsrf_time, expected); + return (strncmp(expected, token, sizeof(expected)) == 0); + } + +diff --git a/source/web/swat_proto.h b/source/web/swat_proto.h +index e66c942..424a3af 100644 +--- a/source/web/swat_proto.h ++++ b/source/web/swat_proto.h +@@ -68,7 +68,7 @@ void status_page(void); + + const char *lang_msg_rotate(TALLOC_CTX *ctx, const char *msgid); + void get_xsrf_token(const char *username, const char *pass, +- const char *formname, char token_str[33]); ++ const char *formname, time_t xsrf_time, char token_str[33]); + void print_xsrf_token(const char *username, const char *pass, + const char *formname); + bool verify_xsrf_token(const char *formname); +-- +1.7.1 + + +From 3973cfa50024983618a44ffdb9f756b642b85be7 Mon Sep 17 00:00:00 2001 +From: Kai Blin +Date: Tue, 12 Jul 2011 08:08:24 +0200 +Subject: [PATCH 12/12] s3 swat: Create random nonce in CGI mode + +In CGI mode, we don't get access to the user's password, which would +reduce the hash used so far to parameters an attacker can easily guess. +To work around this, read the nonce from secrets.tdb or generate one if +it's not there. +Also populate the C_user field so we can use that for token creation. + +Signed-off-by: Kai Blin + +The last 12 patches address bug #8290 (CSRF vulnerability in SWAT). +This addresses CVE-2011-2522 (Cross-Site Request Forgery in SWAT). +--- + source/web/cgi.c | 18 +++++++++++++++++- + source/web/swat.c | 1 - + 2 files changed, 17 insertions(+), 2 deletions(-) + +diff --git a/source/web/cgi.c b/source/web/cgi.c +index ccdc3a7..890ac8e 100644 +--- a/source/web/cgi.c ++++ b/source/web/cgi.c +@@ -19,6 +19,7 @@ + + #include "includes.h" + #include "web/swat_proto.h" ++#include "secrets.h" + + #define MAX_VARIABLES 10000 + +@@ -321,7 +322,22 @@ static void cgi_web_auth(void) + exit(0); + } + +- setuid(0); ++ C_user = SMB_STRDUP(user); ++ ++ if (!setuid(0)) { ++ C_pass = secrets_fetch_generic("root", "SWAT"); ++ if (C_pass == NULL) { ++ char *tmp_pass = NULL; ++ tmp_pass = generate_random_str(16); ++ if (tmp_pass == NULL) { ++ printf("%sFailed to create random nonce for " ++ "SWAT session\n
%s\n", head, tail); ++ exit(0); ++ } ++ secrets_store_generic("root", "SWAT", tmp_pass); ++ C_pass = SMB_STRDUP(tmp_pass); ++ } ++ } + setuid(pwd->pw_uid); + if (geteuid() != pwd->pw_uid || getuid() != pwd->pw_uid) { + printf("%sFailed to become user %s - uid=%d/%d
%s\n", +diff --git a/source/web/swat.c b/source/web/swat.c +index 50df66e..146f1cf 100644 +--- a/source/web/swat.c ++++ b/source/web/swat.c +@@ -29,7 +29,6 @@ + + #include "includes.h" + #include "web/swat_proto.h" +-#include "../lib/crypto/md5.h" + + static int demo_mode = False; + static int passwd_only = False; +-- +1.7.1 + diff --git a/package/samba/samba-CVE-2011-0719.patch b/package/samba/samba-CVE-2011-0719.patch deleted file mode 100644 index 1cb8580aab..0000000000 --- a/package/samba/samba-CVE-2011-0719.patch +++ /dev/null @@ -1,613 +0,0 @@ -From 724e44eed299c618066dec411530aa9f156119ec Mon Sep 17 00:00:00 2001 -From: Karolin Seeger -Date: Sun, 27 Feb 2011 18:28:29 +0100 -Subject: [PATCH] Fix denial of service - memory corruption. - -CVE-2011-0719 - -Fix bug #7949 (DoS in Winbind and smbd with many file descriptors open). - -All current released versions of Samba are vulnerable to -a denial of service caused by memory corruption. Range -checks on file descriptors being used in the FD_SET macro -were not present allowing stack corruption. This can cause -the Samba code to crash or to loop attempting to select -on a bad file descriptor set. - -A connection to a file share, or a local account is needed -to exploit this problem, either authenticated or unauthenticated -(guest connection). - -Currently we do not believe this flaw is exploitable -beyond a crash or causing the code to loop, but on the -advice of our security reviewers we are releasing fixes -in case an exploit is discovered at a later date. ---- - source/client/client.c | 4 +++- - source/client/dnsbrowse.c | 12 ++++++++++++ - source/lib/events.c | 13 +++++++++++++ - source/lib/packet.c | 5 +++++ - source/lib/readline.c | 5 +++++ - source/lib/select.c | 6 ++++++ - source/lib/util_sock.c | 11 +++++++++-- - source/libaddns/dnssock.c | 6 +++++- - source/libsmb/nmblib.c | 5 +++++ - source/nmbd/nmbd_packets.c | 24 ++++++++++++++++++++++-- - source/nsswitch/wb_common.c | 22 ++++++++++++++++++++-- - source/printing/printing.c | 5 +++++ - source/smbd/dnsregister.c | 6 ++++++ - source/smbd/oplock.c | 5 ++++- - source/smbd/oplock_irix.c | 5 +++++ - source/smbd/process.c | 2 +- - source/smbd/server.c | 29 +++++++++++++++++++++-------- - source/utils/smbfilter.c | 8 ++++++-- - source/winbindd/winbindd.c | 12 +++++++++++- - source/winbindd/winbindd_dual.c | 7 +++++++ - 20 files changed, 171 insertions(+), 21 deletions(-) - -diff --git a/source/client/client.c b/source/client/client.c -index 53bd9e6..a989441 100644 ---- a/source/client/client.c -+++ b/source/client/client.c -@@ -4379,8 +4379,10 @@ static void readline_callback(void) - - again: - -- if (cli->fd == -1) -+ if (cli->fd < 0 || cli->fd >= FD_SETSIZE) { -+ errno = EBADF; - return; -+ } - - FD_ZERO(&fds); - FD_SET(cli->fd,&fds); -diff --git a/source/client/dnsbrowse.c b/source/client/dnsbrowse.c -index 5e3a4de..aa2fb22 100644 ---- a/source/client/dnsbrowse.c -+++ b/source/client/dnsbrowse.c -@@ -81,6 +81,11 @@ static void do_smb_resolve(struct mdns_smbsrv_result *browsesrv) - TALLOC_FREE(fdset); - } - -+ if (mdnsfd < 0 || mdnsfd >= FD_SETSIZE) { -+ errno = EBADF; -+ break; -+ } -+ - fdsetsz = howmany(mdnsfd + 1, NFDBITS) * sizeof(fd_mask); - fdset = TALLOC_ZERO(ctx, fdsetsz); - FD_SET(mdnsfd, fdset); -@@ -183,6 +188,13 @@ int do_smb_browse(void) - - fdsetsz = howmany(mdnsfd + 1, NFDBITS) * sizeof(fd_mask); - fdset = TALLOC_ZERO(ctx, fdsetsz); -+ -+ if (mdnsfd < 0 || mdnsfd >= FD_SETSIZE) { -+ errno = EBADF; -+ TALLOC_FREE(ctx); -+ return 1; -+ } -+ - FD_SET(mdnsfd, fdset); - - tv.tv_sec = 1; -diff --git a/source/lib/events.c b/source/lib/events.c -index cd20ceb..2ddbab7 100644 ---- a/source/lib/events.c -+++ b/source/lib/events.c -@@ -140,6 +140,11 @@ struct fd_event *event_add_fd(struct event_context *event_ctx, - { - struct fd_event *fde; - -+ if (fd < 0 || fd >= FD_SETSIZE) { -+ errno = EBADF; -+ return NULL; -+ } -+ - if (!(fde = TALLOC_P(mem_ctx, struct fd_event))) { - return NULL; - } -@@ -190,6 +195,14 @@ bool event_add_to_select_args(struct event_context *event_ctx, - bool ret = False; - - for (fde = event_ctx->fd_events; fde; fde = fde->next) { -+ if (fde->fd < 0 || fde->fd >= FD_SETSIZE) { -+ /* We ignore here, as it shouldn't be -+ possible to add an invalid fde->fd -+ but we don't want FD_SET to see an -+ invalid fd. */ -+ continue; -+ } -+ - if (fde->flags & EVENT_FD_READ) { - FD_SET(fde->fd, read_fds); - ret = True; -diff --git a/source/lib/packet.c b/source/lib/packet.c -index e048616..512c7f2 100644 ---- a/source/lib/packet.c -+++ b/source/lib/packet.c -@@ -106,6 +106,11 @@ NTSTATUS packet_fd_read_sync(struct packet_context *ctx) - int res; - fd_set r_fds; - -+ if (ctx->fd < 0 || ctx->fd >= FD_SETSIZE) { -+ errno = EBADF; -+ return map_nt_error_from_unix(errno); -+ } -+ - FD_ZERO(&r_fds); - FD_SET(ctx->fd, &r_fds); - -diff --git a/source/lib/readline.c b/source/lib/readline.c -index 34867aa..70a82f2 100644 ---- a/source/lib/readline.c -+++ b/source/lib/readline.c -@@ -91,6 +91,11 @@ static char *smb_readline_replacement(const char *prompt, void (*callback)(void) - timeout.tv_sec = 5; - timeout.tv_usec = 0; - -+ if (fd < 0 || fd >= FD_SETSIZE) { -+ errno = EBADF; -+ break; -+ } -+ - FD_ZERO(&fds); - FD_SET(fd,&fds); - -diff --git a/source/lib/select.c b/source/lib/select.c -index c3da6a9..2d5f02c 100644 ---- a/source/lib/select.c -+++ b/source/lib/select.c -@@ -61,6 +61,11 @@ int sys_select(int maxfd, fd_set *readfds, fd_set *writefds, fd_set *errorfds, s - if (pipe(select_pipe) == -1) - smb_panic("Could not create select pipe"); - -+ if (select_pipe[0] < 0 || select_pipe[0] >= FD_SETSIZE) { -+ errno = EBADF; -+ return -1; -+ } -+ - /* - * These next two lines seem to fix a bug with the Linux - * 2.0.x kernel (and probably other UNIXes as well) where -@@ -87,6 +92,7 @@ int sys_select(int maxfd, fd_set *readfds, fd_set *writefds, fd_set *errorfds, s - readfds2 = &readfds_buf; - FD_ZERO(readfds2); - } -+ - FD_SET(select_pipe[0], readfds2); - - errno = 0; -diff --git a/source/lib/util_sock.c b/source/lib/util_sock.c -index 650bd13..8aa2c97 100644 ---- a/source/lib/util_sock.c -+++ b/source/lib/util_sock.c -@@ -960,6 +960,11 @@ NTSTATUS read_socket_with_timeout(int fd, char *buf, - timeout.tv_usec = (long)(1000 * (time_out % 1000)); - - for (nread=0; nread < mincnt; ) { -+ if (fd < 0 || fd >= FD_SETSIZE) { -+ errno = EBADF; -+ return map_nt_error_from_unix(EBADF); -+ } -+ - FD_ZERO(&fds); - FD_SET(fd,&fds); - -@@ -1492,7 +1497,7 @@ bool open_any_socket_out(struct sockaddr_storage *addrs, int num_addrs, - - for (i=0; i= FD_SETSIZE) - goto done; - set_blocking(sockets[i], false); - } -@@ -1541,8 +1546,10 @@ bool open_any_socket_out(struct sockaddr_storage *addrs, int num_addrs, - FD_ZERO(&r_fds); - - for (i=0; i= FD_SETSIZE) { -+ /* This cannot happen - ignore if so. */ - continue; -+ } - FD_SET(sockets[i], &wr_fds); - FD_SET(sockets[i], &r_fds); - if (sockets[i]>maxfd) -diff --git a/source/libaddns/dnssock.c b/source/libaddns/dnssock.c -index 7c8bd41..f427bd5 100644 ---- a/source/libaddns/dnssock.c -+++ b/source/libaddns/dnssock.c -@@ -218,7 +218,11 @@ static DNS_ERROR read_all(int fd, uint8 *data, size_t len) - while (total < len) { - ssize_t ret; - int fd_ready; -- -+ -+ if (fd < 0 || fd >= FD_SETSIZE) { -+ return ERROR_DNS_SOCKET_ERROR; -+ } -+ - FD_ZERO( &rfds ); - FD_SET( fd, &rfds ); - -diff --git a/source/libsmb/nmblib.c b/source/libsmb/nmblib.c -index bfe5e7b..768e54d 100644 ---- a/source/libsmb/nmblib.c -+++ b/source/libsmb/nmblib.c -@@ -1097,6 +1097,11 @@ struct packet_struct *receive_packet(int fd,enum packet_type type,int t) - struct timeval timeout; - int ret; - -+ if (fd < 0 || fd >= FD_SETSIZE) { -+ errno = EBADF; -+ return NULL; -+ } -+ - FD_ZERO(&fds); - FD_SET(fd,&fds); - timeout.tv_sec = t/1000; -diff --git a/source/nmbd/nmbd_packets.c b/source/nmbd/nmbd_packets.c -index 4b97819..03e5362 100644 ---- a/source/nmbd/nmbd_packets.c -+++ b/source/nmbd/nmbd_packets.c -@@ -1683,7 +1683,7 @@ static bool create_listen_fdset(fd_set **ppset, int **psock_array, int *listen_n - for (subrec = FIRST_SUBNET; subrec; subrec = NEXT_SUBNET_EXCLUDING_UNICAST(subrec)) - count++; - -- if((count*2) + 2 > FD_SETSIZE) { -+ if((count*2) + 2 >= FD_SETSIZE) { - DEBUG(0,("create_listen_fdset: Too many file descriptors needed (%d). We can \ - only use %d.\n", (count*2) + 2, FD_SETSIZE)); - SAFE_FREE(pset); -@@ -1699,24 +1699,44 @@ only use %d.\n", (count*2) + 2, FD_SETSIZE)); - FD_ZERO(pset); - - /* Add in the broadcast socket on 137. */ -+ if (ClientNMB < 0 || ClientNMB >= FD_SETSIZE) { -+ errno = EBADF; -+ SAFE_FREE(pset); -+ return True; -+ } -+ - FD_SET(ClientNMB,pset); - sock_array[num++] = ClientNMB; - *maxfd = MAX( *maxfd, ClientNMB); - - /* Add in the 137 sockets on all the interfaces. */ - for (subrec = FIRST_SUBNET; subrec; subrec = NEXT_SUBNET_EXCLUDING_UNICAST(subrec)) { -+ if (subrec->nmb_sock < 0 || subrec->nmb_sock >= FD_SETSIZE) { -+ /* We have to ignore sockets outside FD_SETSIZE. */ -+ continue; -+ } - FD_SET(subrec->nmb_sock,pset); - sock_array[num++] = subrec->nmb_sock; - *maxfd = MAX( *maxfd, subrec->nmb_sock); - } - - /* Add in the broadcast socket on 138. */ -+ if (ClientDGRAM < 0 || ClientDGRAM >= FD_SETSIZE) { -+ errno = EBADF; -+ SAFE_FREE(pset); -+ return True; -+ } -+ - FD_SET(ClientDGRAM,pset); - sock_array[num++] = ClientDGRAM; - *maxfd = MAX( *maxfd, ClientDGRAM); - - /* Add in the 138 sockets on all the interfaces. */ - for (subrec = FIRST_SUBNET; subrec; subrec = NEXT_SUBNET_EXCLUDING_UNICAST(subrec)) { -+ if (subrec->dgram_sock < 0 || subrec->dgram_sock >= FD_SETSIZE) { -+ /* We have to ignore sockets outside FD_SETSIZE. */ -+ continue; -+ } - FD_SET(subrec->dgram_sock,pset); - sock_array[num++] = subrec->dgram_sock; - *maxfd = MAX( *maxfd, subrec->dgram_sock); -@@ -1767,7 +1787,7 @@ bool listen_for_packets(bool run_election) - - #ifndef SYNC_DNS - dns_fd = asyncdns_fd(); -- if (dns_fd != -1) { -+ if (dns_fd >= 0 && dns_fd < FD_SETSIZE) { - FD_SET(dns_fd, &r_fds); - maxfd = MAX( maxfd, dns_fd); - } -diff --git a/source/nsswitch/wb_common.c b/source/nsswitch/wb_common.c -index a164621..4f76bd0 100644 ---- a/source/nsswitch/wb_common.c -+++ b/source/nsswitch/wb_common.c -@@ -240,6 +240,12 @@ static int winbind_named_pipe_sock(const char *dir) - - switch (errno) { - case EINPROGRESS: -+ -+ if (fd < 0 || fd >= FD_SETSIZE) { -+ errno = EBADF; -+ goto error_out; -+ } -+ - FD_ZERO(&w_fds); - FD_SET(fd, &w_fds); - tv.tv_sec = CONNECT_TIMEOUT - wait_time; -@@ -383,7 +389,13 @@ int winbind_write_sock(void *buffer, int count, int recursing, int need_priv) - while(nwritten < count) { - struct timeval tv; - fd_set r_fds; -- -+ -+ if (winbindd_fd < 0 || winbindd_fd >= FD_SETSIZE) { -+ errno = EBADF; -+ winbind_close_sock(); -+ return -1; -+ } -+ - /* Catch pipe close on other end by checking if a read() - call would not block by calling select(). */ - -@@ -443,7 +455,13 @@ int winbind_read_sock(void *buffer, int count) - while(nread < count) { - struct timeval tv; - fd_set r_fds; -- -+ -+ if (winbindd_fd < 0 || winbindd_fd >= FD_SETSIZE) { -+ errno = EBADF; -+ winbind_close_sock(); -+ return -1; -+ } -+ - /* Catch pipe close on other end by checking if a read() - call would not block by calling select(). */ - -diff --git a/source/printing/printing.c b/source/printing/printing.c -index a9272eb..c3b8c61 100644 ---- a/source/printing/printing.c -+++ b/source/printing/printing.c -@@ -1407,6 +1407,11 @@ void start_background_queue(void) - exit(1); - } - -+ if (pause_pipe[1] < 0 || pause_pipe[1] >= FD_SETSIZE) { -+ DEBUG(5,("start_background_queue: pipe fd out of range.\n")); -+ exit(1); -+ } -+ - background_lpq_updater_pid = sys_fork(); - - if (background_lpq_updater_pid == -1) { -diff --git a/source/smbd/dnsregister.c b/source/smbd/dnsregister.c -index f02739e..3c689b9 100644 ---- a/source/smbd/dnsregister.c -+++ b/source/smbd/dnsregister.c -@@ -125,6 +125,9 @@ void dns_register_smbd(struct dns_reg_state ** dns_state_ptr, - */ - if (dns_state->srv_ref != NULL) { - mdnsd_conn_fd = DNSServiceRefSockFD(dns_state->srv_ref); -+ if (mdnsd_conn_fd < 0 || mdnsd_conn_fd >= FD_SETSIZE) { -+ return; -+ } - FD_SET(mdnsd_conn_fd, listen_set); - return; - } -@@ -156,6 +159,9 @@ void dns_register_smbd(struct dns_reg_state ** dns_state_ptr, - } - - mdnsd_conn_fd = DNSServiceRefSockFD(dns_state->srv_ref); -+ if (mdnsd_conn_fd < 0 || mdnsd_conn_fd >= FD_SETSIZE) { -+ return; -+ } - FD_SET(mdnsd_conn_fd, listen_set); - *maxfd = MAX(*maxfd, mdnsd_conn_fd); - *timeout = timeval_zero(); -diff --git a/source/smbd/oplock.c b/source/smbd/oplock.c -index a07d05d..5ae3fdf 100644 ---- a/source/smbd/oplock.c -+++ b/source/smbd/oplock.c -@@ -241,7 +241,10 @@ bool downgrade_oplock(files_struct *fsp) - int oplock_notify_fd(void) - { - if (koplocks) { -- return koplocks->notification_fd; -+ int fd = koplocks->notification_fd; -+ if (fd < 0 || fd >= FD_SETSIZE) { -+ return -1; -+ } - } - - return -1; -diff --git a/source/smbd/oplock_irix.c b/source/smbd/oplock_irix.c -index 8c287c9..6e86fac 100644 ---- a/source/smbd/oplock_irix.c -+++ b/source/smbd/oplock_irix.c -@@ -284,6 +284,11 @@ struct kernel_oplocks *irix_init_kernel_oplocks(void) - return False; - } - -+ if (pfd[0] < 0 || pfd[0] >= FD_SETSIZE) { -+ DEBUG(0,("setup_kernel_oplock_pipe: fd out of range.\n")); -+ return False; -+ } -+ - oplock_pipe_read = pfd[0]; - oplock_pipe_write = pfd[1]; - -diff --git a/source/smbd/process.c b/source/smbd/process.c -index 403c7c6..9b8f29b 100644 ---- a/source/smbd/process.c -+++ b/source/smbd/process.c -@@ -698,7 +698,7 @@ static void async_processing(fd_set *pfds) - - static int select_on_fd(int fd, int maxfd, fd_set *fds) - { -- if (fd != -1) { -+ if (fd != -1 && fd < FD_SETSIZE) { - FD_SET(fd, fds); - maxfd = MAX(maxfd, fd); - } -diff --git a/source/smbd/server.c b/source/smbd/server.c -index 5129484..a670334 100644 ---- a/source/smbd/server.c -+++ b/source/smbd/server.c -@@ -209,7 +209,13 @@ static bool open_sockets_inetd(void) - /* Started from inetd. fd 0 is the socket. */ - /* We will abort gracefully when the client or remote system - goes away */ -- smbd_set_server_fd(dup(0)); -+ int fd = dup(0); -+ -+ if (fd < 0 || fd >= FD_SETSIZE) { -+ return false; -+ } -+ -+ smbd_set_server_fd(fd); - - /* close our standard file descriptors */ - close_low_fds(False); /* Don't close stderr */ -@@ -436,7 +442,8 @@ static bool open_sockets_smbd(bool is_daemon, bool interactive, const char *smb_ - num_sockets == 0 ? 0 : 2, - ifss, - true); -- if(s == -1) { -+ if(s < 0 || s >= FD_SETSIZE) { -+ close(s); - continue; - } - -@@ -516,7 +523,7 @@ static bool open_sockets_smbd(bool is_daemon, bool interactive, const char *smb_ - num_sockets == 0 ? 0 : 2, - &ss, - true); -- if (s == -1) { -+ if (s < 0 || s >= FD_SETSIZE) { - continue; - } - -@@ -709,6 +716,7 @@ static bool open_sockets_smbd(bool is_daemon, bool interactive, const char *smb_ - struct sockaddr addr; - socklen_t in_addrlen = sizeof(addr); - pid_t child = 0; -+ int fd; - - s = -1; - for(i = 0; i < num_sockets; i++) { -@@ -721,16 +729,21 @@ static bool open_sockets_smbd(bool is_daemon, bool interactive, const char *smb_ - } - } - -- smbd_set_server_fd(accept(s,&addr,&in_addrlen)); -- -- if (smbd_server_fd() == -1 && errno == EINTR) -+ fd = accept(s,&addr,&in_addrlen); -+ if (fd == -1 && errno == EINTR) - continue; -- -- if (smbd_server_fd() == -1) { -+ if (fd == -1) { - DEBUG(2,("open_sockets_smbd: accept: %s\n", - strerror(errno))); - continue; - } -+ if (fd < 0 || fd >= FD_SETSIZE) { -+ DEBUG(2,("open_sockets_smbd: bad fd %d\n", -+ fd )); -+ continue; -+ } -+ -+ smbd_set_server_fd(fd); - - /* Ensure child is set to blocking mode */ - set_blocking(smbd_server_fd(),True); -diff --git a/source/utils/smbfilter.c b/source/utils/smbfilter.c -index 1e22a40..45f9207 100644 ---- a/source/utils/smbfilter.c -+++ b/source/utils/smbfilter.c -@@ -162,8 +162,8 @@ static void filter_child(int c, struct sockaddr_storage *dest_ss) - int num; - - FD_ZERO(&fds); -- if (s != -1) FD_SET(s, &fds); -- if (c != -1) FD_SET(c, &fds); -+ if (s >= 0 && s < FD_SETSIZE) FD_SET(s, &fds); -+ if (c >= 0 && c < FD_SETSIZE) FD_SET(c, &fds); - - num = sys_select_intr(MAX(s+1, c+1),&fds,NULL,NULL,NULL); - if (num <= 0) continue; -@@ -235,6 +235,10 @@ static void start_filter(char *desthost) - struct sockaddr_storage ss; - socklen_t in_addrlen = sizeof(ss); - -+ if (s < 0 || s >= FD_SETSIZE) { -+ break; -+ } -+ - FD_ZERO(&fds); - FD_SET(s, &fds); - -diff --git a/source/winbindd/winbindd.c b/source/winbindd/winbindd.c -index 1d618e2..6b5c251 100644 ---- a/source/winbindd/winbindd.c -+++ b/source/winbindd/winbindd.c -@@ -836,7 +836,8 @@ static void process_loop(void) - listen_sock = open_winbindd_socket(); - listen_priv_sock = open_winbindd_priv_socket(); - -- if (listen_sock == -1 || listen_priv_sock == -1) { -+ if (listen_sock < 0 || listen_sock >= FD_SETSIZE || -+ listen_priv_sock < 0 || listen_priv_sock >= FD_SETSIZE) { - perror("open_winbind_socket"); - exit(1); - } -@@ -861,6 +862,9 @@ static void process_loop(void) - - FD_ZERO(&r_fds); - FD_ZERO(&w_fds); -+ -+ /* We check the range for listen_sock and -+ listen_priv_sock above. */ - FD_SET(listen_sock, &r_fds); - FD_SET(listen_priv_sock, &r_fds); - -@@ -890,6 +894,12 @@ static void process_loop(void) - } - - for (ev = fd_events; ev; ev = ev->next) { -+ if (ev->fd < 0 || ev->fd >= FD_SETSIZE) { -+ /* Ignore here - event_add_to_select_args -+ should make this impossible. */ -+ continue; -+ } -+ - if (ev->flags & EVENT_FD_READ) { - FD_SET(ev->fd, &r_fds); - maxfd = MAX(ev->fd, maxfd); -diff --git a/source/winbindd/winbindd_dual.c b/source/winbindd/winbindd_dual.c -index ff004f2..b30ec20 100644 ---- a/source/winbindd/winbindd_dual.c -+++ b/source/winbindd/winbindd_dual.c -@@ -1250,6 +1250,12 @@ static bool fork_domain_child(struct winbindd_child *child) - return False; - } - -+ if (fdpair[0] < 0 || fdpair[0] >= FD_SETSIZE) { -+ DEBUG(0, ("fork_domain_child: bad fd range (%d)\n", fdpair[0])); -+ errno = EBADF; -+ return False; -+ } -+ - ZERO_STRUCT(state); - state.pid = sys_getpid(); - -@@ -1405,6 +1411,7 @@ static bool fork_domain_child(struct winbindd_child *child) - message_dispatch(winbind_messaging_context()); - - FD_ZERO(&read_fds); -+ /* We check state.sock against FD_SETSIZE above. */ - FD_SET(state.sock, &read_fds); - - ret = sys_select(state.sock + 1, &read_fds, NULL, NULL, tp); --- -1.6.4.2 - diff --git a/package/samba/samba.mk b/package/samba/samba.mk index a3bd63cb77..dfc7636846 100644 --- a/package/samba/samba.mk +++ b/package/samba/samba.mk @@ -3,9 +3,10 @@ # samba # ############################################################# -SAMBA_VERSION:=3.3.14 -SAMBA_SOURCE:=samba-$(SAMBA_VERSION).tar.gz -SAMBA_SITE:=http://samba.org/samba/ftp/stable/ + +SAMBA_VERSION = 3.3.15 +SAMBA_SOURCE = samba-$(SAMBA_VERSION).tar.gz +SAMBA_SITE = http://samba.org/samba/ftp/stable/ SAMBA_SUBDIR = source SAMBA_AUTORECONF = NO -- 2.30.2