samba: fix CVE-2017-7494

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
(cherry picked from commit 3f0d3d12da)
Stijn Tintel 2017-05-24 14:44:03 +02:00
parent 1165c0ae0d
commit 51db1f5a9a
2 changed files with 33 additions and 4 deletions


@ -0,0 +1,29 @@
From d2bc9f3afe23ee04d237ae9f4511fbe59a27ff54 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl@samba.org>
Date: Mon, 8 May 2017 21:40:40 +0200
Subject: [PATCH] CVE-2017-7494: rpc_server3: Refuse to open pipe names with /
inside
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12780
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
---
source3/rpc_server/srv_pipe.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -473,6 +473,11 @@ bool is_known_pipename(const char *cli_f
pipename += 1;
}
+ if (strchr(pipename, '/')) {
+ DEBUG(1, ("Refusing open on pipe %s\n", pipename));
+ return false;
+ }
+
if (lp_disable_spoolss() && strequal(pipename, "spoolss")) {
DEBUG(10, ("refusing spoolss access\n"));
return false;
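Review bot: The added `strchr(pipename, '/')` guard in is_known_pipename has no comment saying why a slash is fatal, so a later refactor could move or drop it without noticing that it is the CVE-2017-7494 fix. I would put `/* CVE-2017-7494: a client-supplied name containing '/' must never reach the lookup below, where it could be treated as a filesystem path */` above the `if`. The lookup itself is outside this hunk, so that wording should be confirmed against the rest of the function, whose body starts and ends outside the visible lines. The level-1 `DEBUG` prints the client-controlled name with `%s`; a "Refusing open on pipe" line is a useful detection signal for probing, but the logged bytes are untrusted and log consumers should treat them that way.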


@ -303,7 +303,7 @@
--- a/source3/rpc_server/srv_pipe.c --- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c +++ b/source3/rpc_server/srv_pipe.c
@@ -991,7 +991,6 @@ static bool api_pipe_bind_req(struct pip @@ -996,7 +996,6 @@ static bool api_pipe_bind_req(struct pip
if (!NT_STATUS_IS_OK(status)) { if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("api_pipe_bind_req: invalid pdu: %s\n", DEBUG(1, ("api_pipe_bind_req: invalid pdu: %s\n",
nt_errstr(status))); nt_errstr(status)));
@ -311,7 +311,7 @@
goto err_exit; goto err_exit;
} }
@@ -1325,7 +1324,6 @@ bool api_pipe_bind_auth3(struct pipes_st @@ -1330,7 +1329,6 @@ bool api_pipe_bind_auth3(struct pipes_st
if (!NT_STATUS_IS_OK(status)) { if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("api_pipe_bind_auth3: invalid pdu: %s\n", DEBUG(1, ("api_pipe_bind_auth3: invalid pdu: %s\n",
nt_errstr(status))); nt_errstr(status)));
@ -319,7 +319,7 @@
goto err; goto err;
} }
@@ -1483,7 +1481,6 @@ static bool api_pipe_alter_context(struc @@ -1488,7 +1486,6 @@ static bool api_pipe_alter_context(struc
if (!NT_STATUS_IS_OK(status)) { if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("api_pipe_alter_context: invalid pdu: %s\n", DEBUG(1, ("api_pipe_alter_context: invalid pdu: %s\n",
nt_errstr(status))); nt_errstr(status)));
@ -327,7 +327,7 @@
goto err_exit; goto err_exit;
} }
@@ -2057,7 +2054,6 @@ static bool process_request_pdu(struct p @@ -2062,7 +2059,6 @@ static bool process_request_pdu(struct p
if (!NT_STATUS_IS_OK(status)) { if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("process_request_pdu: invalid pdu: %s\n", DEBUG(1, ("process_request_pdu: invalid pdu: %s\n",
nt_errstr(status))); nt_errstr(status)));