Samba problems

From: Drago (bugtraqat_private)
Date: Sun May 10 1998 - 09:43:32 PDT


    Hello,
    
    While browsing the samba sources a while ago I noticed problems in a few
    areas of the reply handling to file requests.  I just took a look at the
    latest source code (samba-1.9.18p5) and found the same problems that I
    saw in the previous release.  A possible buffer overflow exists in many
    areas of the code.
    
    smb.h:typedef char pstring[1024];
    
    reply.c - reply_mv(char *inbuf,char *outbuf,int dum_size, int dum_buffsize):3066
            ...
            3200: pstring fname;
            ...
    *       3206: sprintf(fname,"%s/%s",directory,dname);
            ..
    
    I have seen a lot of issues about strcpy() and how strncpy() should be used
    instead.  Very few times have I seen anything about sprintf()/snprintf(),
    which also has the same issues that people have with strcpy() as far as
    buffer overflows go.  An easy fix for this is to simply change line 3206
    to use snprintf().  In many other areas of reply.c are the same problems
    that are in reply_mv (reply_unlink(), and a few others).
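    As an added example, not code from the post or from the Samba sources: the
    quoted sprintf(fname,"%s/%s",directory,dname) pattern rewritten with
    snprintf() plus a truncation check, assuming the 1024-byte pstring from smb.h.

```c
/* Added example, not Samba's code: bounded replacement for the
   sprintf(fname,"%s/%s",directory,dname) pattern quoted above.
   Assumes the pstring typedef from smb.h (char[1024]). */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

typedef char pstring[1024];

/* Join directory and dname into out with a bounds check.
   Returns true on success, false if the result would not fit, which is
   exactly the case where the unbounded sprintf() writes past the buffer.
   snprintf() returns the length it *wanted* to write, so n >= bufsize
   means truncation occurred. */
bool build_fname(pstring out, const char *directory, const char *dname)
{
    int n = snprintf(out, sizeof(pstring), "%s/%s", directory, dname);
    if (n < 0 || (size_t)n >= sizeof(pstring)) {
        out[0] = '\0';   /* refuse rather than use a partial path */
        return false;
    }
    return true;
}

/* Bytes the unbounded sprintf() would have written (incl. '/' and NUL),
   for comparison against sizeof(pstring). */
size_t unbounded_len(const char *directory, const char *dname)
{
    return strlen(directory) + 1 + strlen(dname) + 1;
}

int main(void)
{
    pstring fname;
    char longname[2048];                          /* constructed over-long name */
    memset(longname, 'F', sizeof(longname) - 1);
    longname[sizeof(longname) - 1] = '\0';

    printf("short: %s\n",
           build_fname(fname, "share", "a.txt") ? fname : "(rejected)");
    printf("long: %s (sprintf would write %zu bytes into %zu)\n",
           build_fname(fname, "share", longname) ? "ok" : "(rejected)",
           unbounded_len("share", longname), sizeof(pstring));
    return 0;
}
```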
    
    I would recommend that you kill samba until a patch is released or patch
    it yourself if you know how to rewrite it correctly.
    
    Someone feel free to try this against a windows machine, I haven't had a
    chance to try it.  The program I included can be used to test a mounted
    samba fs.
    
    Later.
    
    Dragoat_private
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:52:53 PDT