[samba4/f16] Fixes CVE-2012-1182.

asn asn at fedoraproject.org
Thu Apr 19 10:13:57 UTC 2012


commit e5de034763a5b49e3c6fa2ddc02883c817e735b4
Author: Andreas Schneider <asn at cryptomilk.org>
Date:   Fri Apr 13 11:03:23 2012 +0200

    Fixes CVE-2012-1182.

 samba4-4.0.0-alpha19-CVE-2012-1182.patch |  281 ++++++++++++++++++++++++++++++
 samba4.spec                              |    7 +-
 2 files changed, 287 insertions(+), 1 deletions(-)
---
diff --git a/samba4-4.0.0-alpha19-CVE-2012-1182.patch b/samba4-4.0.0-alpha19-CVE-2012-1182.patch
new file mode 100644
index 0000000..a3242a1
--- /dev/null
+++ b/samba4-4.0.0-alpha19-CVE-2012-1182.patch
@@ -0,0 +1,281 @@
+From 44bd0709f01861080496832590c395d688e28209 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze at samba.org>
+Date: Thu, 15 Mar 2012 13:09:51 +0100
+Subject: [PATCH 1/8] pidl/NDR/Parser: declare all union helper variables in ParseUnionPull()
+
+metze
+---
+ pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm |    4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+Index: samba-4.0.0alpha16/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm
+===================================================================
+--- samba-4.0.0alpha16.orig/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm
++++ samba-4.0.0alpha16/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm
+@@ -315,39 +315,99 @@ sub check_null_pointer($$$$)
+ 	}
+ }
+ 
+-#####################################################################
+-# parse an array - pull side
+-sub ParseArrayPullHeader($$$$$$)
++sub ParseArrayPullGetSize($$$$$$)
+ {
+ 	my ($self,$e,$l,$ndr,$var_name,$env) = @_;
+ 
+-	my $length;
+ 	my $size;
+ 
+ 	if ($l->{IS_CONFORMANT}) {
+-		$length = $size = "ndr_get_array_size($ndr, " . get_pointer_to($var_name) . ")";
++		$size = "ndr_get_array_size($ndr, " . get_pointer_to($var_name) . ")";
+ 	} elsif ($l->{IS_ZERO_TERMINATED} and $l->{SIZE_IS} == 0 and $l->{LENGTH_IS} == 0) { # Noheader arrays
+-		$length = $size = "ndr_get_string_size($ndr, sizeof(*$var_name))";
++		$size = "ndr_get_string_size($ndr, sizeof(*$var_name))";
+ 	} else {
+-		$length = $size = ParseExprExt($l->{SIZE_IS}, $env, $e->{ORIGINAL},
++		$size = ParseExprExt($l->{SIZE_IS}, $env, $e->{ORIGINAL},
+ 			check_null_pointer($e, $env, sub { $self->pidl(shift); },
+ 					   "return ndr_pull_error($ndr, NDR_ERR_INVALID_POINTER, \"NULL Pointer for size_is()\");"),
+ 			check_fully_dereferenced($e, $env));
+ 	}
+ 
++	$self->pidl("size_$e->{NAME}_$l->{LEVEL_INDEX} = $size;");
++	my $array_size = "size_$e->{NAME}_$l->{LEVEL_INDEX}";
++
++	if (my $range = has_property($e, "range")) {
++		my ($low, $high) = split(/,/, $range, 2);
++		if ($low < 0) {
++			warning(0, "$low is invalid for the range of an array size");
++		}
++		if ($low == 0) {
++			$self->pidl("if ($array_size > $high) {");
++		} else {
++			$self->pidl("if ($array_size < $low || $array_size > $high) {");
++		}
++		$self->pidl("\treturn ndr_pull_error($ndr, NDR_ERR_RANGE, \"value out of range\");");
++		$self->pidl("}");
++	}
++
++	return $array_size;
++}
++
++#####################################################################
++# parse an array - pull side
++sub ParseArrayPullGetLength($$$$$$;$)
++{
++	my ($self,$e,$l,$ndr,$var_name,$env,$array_size) = @_;
++
++	if (not defined($array_size)) {
++		$array_size = $self->ParseArrayPullGetSize($e, $l, $ndr, $var_name, $env);
++	}
++
++	if (not $l->{IS_VARYING}) {
++		return $array_size;
++	}
++
++	my $length = "ndr_get_array_length($ndr, " . get_pointer_to($var_name) .")";
++	$self->pidl("length_$e->{NAME}_$l->{LEVEL_INDEX} = $length;");
++	my $array_length = "length_$e->{NAME}_$l->{LEVEL_INDEX}";
++
++	if (my $range = has_property($e, "range")) {
++		my ($low, $high) = split(/,/, $range, 2);
++		if ($low < 0) {
++			warning(0, "$low is invalid for the range of an array size");
++		}
++		if ($low == 0) {
++			$self->pidl("if ($array_length > $high) {");
++		} else {
++			$self->pidl("if ($array_length < $low || $array_length > $high) {");
++		}
++		$self->pidl("\treturn ndr_pull_error($ndr, NDR_ERR_RANGE, \"value out of range\");");
++		$self->pidl("}");
++	}
++
++	return $array_length;
++}
++
++#####################################################################
++# parse an array - pull side
++sub ParseArrayPullHeader($$$$$$)
++{
++	my ($self,$e,$l,$ndr,$var_name,$env) = @_;
++
+ 	if ((!$l->{IS_SURROUNDING}) and $l->{IS_CONFORMANT}) {
+ 		$self->pidl("NDR_CHECK(ndr_pull_array_size($ndr, " . get_pointer_to($var_name) . "));");
+ 	}
+ 
+ 	if ($l->{IS_VARYING}) {
+ 		$self->pidl("NDR_CHECK(ndr_pull_array_length($ndr, " . get_pointer_to($var_name) . "));");
+-		$length = "ndr_get_array_length($ndr, " . get_pointer_to($var_name) .")";
+ 	}
+ 
+-	if ($length ne $size) {
+-		$self->pidl("if ($length > $size) {");
++	my $array_size = $self->ParseArrayPullGetSize($e, $l, $ndr, $var_name, $env);
++	my $array_length = $self->ParseArrayPullGetLength($e, $l, $ndr, $var_name, $env, $array_size);
++
++	if ($array_length ne $array_size) {
++		$self->pidl("if ($array_length > $array_size) {");
+ 		$self->indent;
+-		$self->pidl("return ndr_pull_error($ndr, NDR_ERR_ARRAY_SIZE, \"Bad array size %u should exceed array length %u\", $size, $length);");
++		$self->pidl("return ndr_pull_error($ndr, NDR_ERR_ARRAY_SIZE, \"Bad array size %u should exceed array length %u\", $array_size, $array_length);");
+ 		$self->deindent;
+ 		$self->pidl("}");
+ 	}
+@@ -377,10 +437,10 @@ sub ParseArrayPullHeader($$$$$$)
+ 	}
+ 
+ 	if (ArrayDynamicallyAllocated($e,$l) and not is_charset_array($e,$l)) {
+-		$self->AllocateArrayLevel($e,$l,$ndr,$var_name,$size);
++		$self->AllocateArrayLevel($e,$l,$ndr,$var_name,$array_size);
+ 	}
+ 
+-	return $length;
++	return $array_length;
+ }
+ 
+ sub compression_alg($$)
+@@ -1002,6 +1062,7 @@ sub ParseElementPullLevel
+ 	my($self,$e,$l,$ndr,$var_name,$env,$primitives,$deferred) = @_;
+ 
+ 	my $ndr_flags = CalcNdrFlags($l, $primitives, $deferred);
++	my $array_length = undef;
+ 
+ 	if ($l->{TYPE} eq "ARRAY" and ($l->{IS_VARYING} or $l->{IS_CONFORMANT})) {
+ 		$var_name = get_pointer_to($var_name);
+@@ -1015,20 +1076,7 @@ sub ParseElementPullLevel
+ 			$self->ParseSubcontextPullEnd($e, $l, $ndr, $env);
+ 		} elsif ($l->{TYPE} eq "ARRAY") {
+ 			my $length = $self->ParseArrayPullHeader($e, $l, $ndr, $var_name, $env);
+-
+-			if (my $range = has_property($e, "range")) {
+-				my ($low, $high) = split(/,/, $range, 2);
+-				if ($low < 0) {
+-					warning(0, "$low is invalid for the range of an array size");
+-				}
+-				if ($low == 0) {
+-					$self->pidl("if ($length > $high) {");
+-				} else {
+-					$self->pidl("if ($length < $low || $length > $high) {");
+-				}
+-				$self->pidl("\treturn ndr_pull_error($ndr, NDR_ERR_RANGE, \"value out of range\");");
+-				$self->pidl("}");
+-			}
++			$array_length = $length;
+ 
+ 			my $nl = GetNextLevel($e, $l);
+ 
+@@ -1090,26 +1138,12 @@ sub ParseElementPullLevel
+ 		}
+ 	} elsif ($l->{TYPE} eq "ARRAY" and 
+ 			not has_fast_array($e,$l) and not is_charset_array($e, $l)) {
+-		my $length = ParseExpr($l->{LENGTH_IS}, $env, $e->{ORIGINAL});
++		my $length = $array_length;
+ 		my $counter = "cntr_$e->{NAME}_$l->{LEVEL_INDEX}";
+ 		my $array_name = $var_name;
+ 
+-		if ($l->{IS_VARYING}) {
+-			$length = "ndr_get_array_length($ndr, " . get_pointer_to($var_name) .")";
+-		}
+-
+-		if (my $range = has_property($e, "range")) {
+-			my ($low, $high) = split(/,/, $range, 2);
+-			if ($low < 0) {
+-				warning(0, "$low is invalid for the range of an array size");
+-			}
+-			if ($low == 0) {
+-				$self->pidl("if ($length > $high) {");
+-			} else {
+-				$self->pidl("if ($length < $low || $length > $high) {");
+-			}
+-			$self->pidl("\treturn ndr_pull_error($ndr, NDR_ERR_RANGE, \"value out of range\");");
+-			$self->pidl("}");
++		if (not defined($length)) {
++			$length = $self->ParseArrayPullGetLength($e, $l, $ndr, $var_name, $env);
+ 		}
+ 
+ 		$var_name = get_array_element($var_name, $counter);
+@@ -1536,16 +1570,21 @@ sub DeclarePtrVariables($$)
+ 	}
+ }
+ 
+-sub DeclareArrayVariables($$)
++sub DeclareArrayVariables($$;$)
+ {
+-	my ($self,$e) = @_;
++	my ($self,$e,$pull) = @_;
+ 
+ 	foreach my $l (@{$e->{LEVELS}}) {
++		next if ($l->{TYPE} ne "ARRAY");
++		if (defined($pull)) {
++			$self->pidl("uint32_t size_$e->{NAME}_$l->{LEVEL_INDEX} = 0;");
++			if ($l->{IS_VARYING}) {
++				$self->pidl("uint32_t length_$e->{NAME}_$l->{LEVEL_INDEX} = 0;");
++			}
++		}
+ 		next if has_fast_array($e,$l);
+ 		next if is_charset_array($e,$l);
+-		if ($l->{TYPE} eq "ARRAY") {
+-			$self->pidl("uint32_t cntr_$e->{NAME}_$l->{LEVEL_INDEX};");
+-		}
++		$self->pidl("uint32_t cntr_$e->{NAME}_$l->{LEVEL_INDEX};");
+ 	}
+ }
+ 
+@@ -1554,15 +1593,14 @@ sub DeclareArrayVariablesNoZero($$$)
+ 	my ($self,$e,$env) = @_;
+ 
+ 	foreach my $l (@{$e->{LEVELS}}) {
++		next if ($l->{TYPE} ne "ARRAY");
+ 		next if has_fast_array($e,$l);
+ 		next if is_charset_array($e,$l);
+-		if ($l->{TYPE} eq "ARRAY") {
+-		    my $length = ParseExpr($l->{LENGTH_IS}, $env, $e->{ORIGINAL});
+-		    if ($length eq "0") {
++		my $length = ParseExpr($l->{LENGTH_IS}, $env, $e->{ORIGINAL});
++		if ($length eq "0") {
+ 			warning($e->{ORIGINAL}, "pointless array cntr: 'cntr_$e->{NAME}_$l->{LEVEL_INDEX}': length=$length");
+-		    } else {
++		} else {
+ 			$self->pidl("uint32_t cntr_$e->{NAME}_$l->{LEVEL_INDEX};");
+-		    }
+ 		}
+ 	}
+ }
+@@ -1628,7 +1666,7 @@ sub ParseStructPull($$$$)
+ 	# declare any internal pointers we need
+ 	foreach my $e (@{$struct->{ELEMENTS}}) {
+ 		$self->DeclarePtrVariables($e);
+-		$self->DeclareArrayVariables($e);
++		$self->DeclareArrayVariables($e, "pull");
+ 		$self->DeclareMemCtxVariables($e);
+ 	}
+ 
+@@ -1891,8 +1929,6 @@ sub ParseUnionPullPrimitives($$$$$)
+ 
+ 		if ($el->{TYPE} ne "EMPTY") {
+ 			$self->indent;
+-			$self->DeclarePtrVariables($el);
+-			$self->DeclareArrayVariables($el);
+ 			if (defined($e->{PROPERTIES}{relative_base})) {
+ 				$self->pidl("NDR_CHECK(ndr_pull_align($ndr, $el->{ALIGN}));");
+ 				# set the current offset as base for relative pointers
+@@ -1969,6 +2005,8 @@ sub ParseUnionPull($$$$)
+ 		next if ($el->{TYPE} eq "EMPTY");
+ 		next if ($double_cases{"$el->{NAME}"});
+ 		$self->DeclareMemCtxVariables($el);
++		$self->DeclarePtrVariables($el);
++		$self->DeclareArrayVariables($el, "pull");
+ 		$double_cases{"$el->{NAME}"} = 1;
+ 	}
+ 
+@@ -2334,7 +2372,7 @@ sub ParseFunctionPull($$)
+ 	# declare any internal pointers we need
+ 	foreach my $e (@{$fn->{ELEMENTS}}) { 
+ 		$self->DeclarePtrVariables($e);
+-		$self->DeclareArrayVariables($e);
++		$self->DeclareArrayVariables($e, "pull");
+ 	}
+ 
+ 	my %double_cases = ();
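Review bot: The embedded patch header in the new file is stale and misdescribes what the package applies: its Subject reads `[PATCH 1/8] pidl/NDR/Parser: declare all union helper variables in ParseUnionPull()` and its diffstat `1 files changed, 2 insertions(+), 2 deletions(-)`, yet the body below adds two new subs (ParseArrayPullGetSize, ParseArrayPullGetLength), reworks DeclareArrayVariables and touches seven hunks of Parser.pm, including the `size_`/`length_` range checks and the `if ($array_length > $array_size)` guard that are the substance of the fix. Anyone auditing which upstream CVE-2012-1182 commits this package carries will be misled, so the header should be replaced with a regenerated diffstat and a short backport note along the lines of `Backport of the upstream CVE-2012-1182 pidl series (array size/length range checks) rebased onto samba-4.0.0alpha16`. The file name says alpha19 while the `Index:`/`---`/`+++` lines target samba-4.0.0alpha16 and the changelog release is 4.0.0-38.alpha16; naming the file after the tree it applies to (and updating the `Patch02:` and `%patch02` lines in samba4.spec to match) avoids the same confusion. The mix of a git-format header with quilt-style `Index:`/`====` lines suggests the body was regenerated without the header being refreshed, which is consistent with the mismatch but is an inference.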
diff --git a/samba4.spec b/samba4.spec
index 1f07196..e35685e 100644
--- a/samba4.spec
+++ b/samba4.spec
@@ -1,4 +1,4 @@
-%define main_release 37
+%define main_release 38
 %define samba4_version 4.0.0
 
 %define talloc_version 2.0.5
@@ -45,6 +45,7 @@ Source5: %{name}.init
 %endif
 
 Patch01: samba-4.0.0alpha16.buildfix.patch
+Patch02: samba4-4.0.0-alpha19-CVE-2012-1182.patch
 
 Requires(pre): /usr/sbin/groupadd
 
@@ -174,6 +175,7 @@ domains and to use Windows user and group accounts on Linux.
 
 # copy Red Hat specific scripts
 %patch01 -p1 -b .buildfix
+%patch02 -p1 -b .CVE-2012-1182
 
 %build
 %configure \
@@ -841,6 +843,9 @@ exit 0
 %endif
 
 %changelog
+* Fri Apr 13 2012 Andreas Schneider <asn at redhat.com> - 4.0.0-38.alpha16
+- Fixes CVE-2012-1182.
+
 * Thu Aug 29 2011 Milan Crha <mcrha at redhat.com> - 4.0.0-37.alpha16
 - Make 4.0.0-37.alpha16 release
 

