On Sun, 2004-12-19 at 23:29, Moritz Muehlenhoff wrote:
> Hi,
> the upstream patch against 3.0.9 wraps all memory allocations, strdup()s,
> etc. into macros with boundary checks. Backporting this to 2.2.3 seems
> way too intrusive and error-prone, so may I suggest the following fix:
>
> According to the iDefense advisory it exploits an integer overflow in the
> allocation of memory in source/rpc_parse/parse_sec.c:218:
> If psa->num_aces is larger than 38347922, the value of 38347922+1 multiplied
> with the value of ace[0] (112) is larger than an unsigned integer and
> it wraps around.
>
> So, as there is no way in regular Samba operation that a user requests
> more than 38 million ACL entries the simplest and least intrusive way to
> prevent this seems to be a simple sanity check that caps psa->num_aces:
>
> if (psa->num_aces > 38347922)
>     psa->num_aces = 38347922;
>
> Does this seem like an acceptable solution? I haven't evaluated all possible
> call flow that leads to the vulnerable code, though.
I would suggest not. If you were to limit the number of ACL entries, I
would set it much lower, but there are just so many places this can
happen, and I'm sure there will be other bugs out there. I think SUSE
had (or was going to produce) a patch for their enterprise customers (in
a similar boat), so poke about in their SRPM when it's out (I've not
kept track).
Andrew Bartlett
-- 
Andrew Bartlett <email address hidden>
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College <email address hidden>
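The arithmetic the two mails argue about, as an added illustration written for this page (it is not code from the thread and not Samba's own parse_sec.c). The only values taken from the mail are the 112-byte entry size and the 38347922 cap; the struct is a constructed stand-in padded to 112 bytes, and the function names, the 32-bit `uint32_t` arithmetic (to reproduce the 2004-era 32-bit wraparound on a 64-bit build) and the overflow-checked allocation pattern are assumptions about what a "macro with boundary checks" of the kind the upstream 3.0.9 patch is described as adding would do.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for Samba's SEC_ACE: the mail gives the per-entry
 * size as 112 bytes, so the struct is padded to exactly that size; the
 * real field layout is not reproduced here. */
typedef struct {
    unsigned char opaque[112];
} sec_ace_t;

/* The cap proposed in the quoted mail (assumed name). */
#define NUM_ACES_CAP 38347922u

/* Return 1 if count * elem_size fits in a 32-bit unsigned value and,
 * if out_bytes is non-NULL, store the product; return 0 if the product
 * would wrap. uint32_t is used deliberately so the check behaves like
 * the 32-bit platform the mail describes, even when compiled for 64-bit. */
int alloc_size_fits(uint32_t count, uint32_t elem_size, uint32_t *out_bytes)
{
    if (elem_size != 0 && count > UINT32_MAX / elem_size)
        return 0;                      /* would wrap around */
    if (out_bytes)
        *out_bytes = count * elem_size;
    return 1;
}

/* Overflow-checked array allocation (assumed name): refuses the request
 * instead of handing back a wrapped-around, far-too-small buffer that the
 * caller would then overrun while copying count entries into it. */
void *checked_alloc_array(uint32_t count, uint32_t elem_size)
{
    uint32_t bytes;
    if (!alloc_size_fits(count, elem_size, &bytes))
        return NULL;
    return calloc(1, bytes);
}

/* What the unchecked multiplication produces: the product truncated to
 * 32 bits (unsigned wraparound is well defined in C). */
uint32_t wrapped_product(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;
}

/* The simple cap from the quoted mail, for comparison with the check above:
 * it stops this one multiplication from wrapping, but it is specific to the
 * 112-byte entry size and to this one call site. */
uint32_t cap_num_aces(uint32_t num_aces)
{
    return num_aces > NUM_ACES_CAP ? NUM_ACES_CAP : num_aces;
}

int main(void)
{
    uint32_t bytes = 0;
    const uint32_t ace_size = (uint32_t)sizeof(sec_ace_t);   /* 112 */

    /* Largest count that still fits: 38347922 * 112 = 4294967264. */
    printf("%u entries fit: %d (bytes=%u)\n", NUM_ACES_CAP,
           alloc_size_fits(NUM_ACES_CAP, ace_size, &bytes), bytes);

    /* One more entry wraps: 38347923 * 112 = 4294967376, truncated to 80. */
    printf("%u entries fit: %d, unchecked product would be %u\n",
           NUM_ACES_CAP + 1, alloc_size_fits(NUM_ACES_CAP + 1, ace_size, NULL),
           wrapped_product(NUM_ACES_CAP + 1, ace_size));

    printf("checked_alloc_array(%u) -> %s\n", NUM_ACES_CAP + 1,
           checked_alloc_array(NUM_ACES_CAP + 1, ace_size) ? "buffer" : "NULL");
    return 0;
}
```

The check `count > UINT32_MAX / elem_size` is the general form of the cap in the mail: for a 112-byte entry it yields exactly 38347922, but it also holds for every other element size and call site, which is the point Andrew makes about there being "so many places this can happen".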
Message-Id: <email address hidden>
Date: Mon, 27 Dec 2004 23:16:13 +1100
From: Andrew Bartlett <email address hidden>
To: Moritz Muehlenhoff <email address hidden>, <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#286023: CAN-2004-1154 proposed fix for woody