git.samba.org - obnox/samba-ctdb.git/commit

author	Jeremy Allison <jra@samba.org>
	Thu, 9 Sep 2010 13:48:23 +0000 (15:48 +0200)
committer	Michael Adam <obnox@samba.org>
	Wed, 15 Sep 2010 20:47:24 +0000 (22:47 +0200)
commit	946de2d0a6a1107bd80758f78b7cc68fd8d20134
tree	4a5533ac0201465c2c4cd741ad2e0a71321be74a	tree
parent	24f67cd3bde4e6e6bff4f503366abb17d3b389da	commit \| diff

Fix bug #7669.

Fix bug #7669 (buffer overflow in sid_parse() in Samba3 and dom_sid_parse in
Samba4).

CVE-2010-3069:

===========
Description
===========

All current released versions of Samba are vulnerable to
a buffer overrun vulnerability. The sid_parse() function
(and related dom_sid_parse() function in the source4 code)
do not correctly check their input lengths when reading a
binary representation of a Windows SID (Security ID). This
allows a malicious client to send a sid that can overflow
the stack variable that is being used to store the SID in the
Samba smbd server.

A connection to a file share is needed to exploit this
vulnerability, either authenticated or unauthenticated
(guest connection).
(cherry picked from commit df20a300758bc12286820e31fcf573bdfc2147bc)

libcli/security/dom_sid.c		diff \| blob \| history
libcli/security/dom_sid.h		diff \| blob \| history
source3/lib/util_sid.c		diff \| blob \| history
source3/libads/ldap.c		diff \| blob \| history
source3/libsmb/cliquota.c		diff \| blob \| history
source3/smbd/nttrans.c		diff \| blob \| history