Critical Vulnerabilities in Samba
Posted May 25, 2007 18:06 UTC (Fri) by firstname.lastname@example.org
Parent article: Critical Vulnerabilities in Samba
Detailed explanation of the issues.
Actually we never forgot to check for NULL being returned from a *alloc (we pass Coverity testing, remember). The problem was in the hand-marshalling RPC code. The bug was that an array size is passed in two places in DCE/RPC. We allocated using one size, then enumerated over the data with the second, *without checking that the sizes match*! A second issue was an integer wrap where a size requested had one added to it without checking for wrap, which allowed it to be sent as 0xFFFFFFFF and become 0. malloc(0) in glibc returns a valid heap address pointing to no addressable data. Thus an attacker could overwrite the heap.
The generic fix was to fix all of Samba to check for a zero-length alloc request and check this *before* the allocation routine was called.
The second problem was missing calling our sanitization function for incoming user-data. I fixed this by adding a generic shell-calling sanitization function that all shell requests are passed through.
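The two marshalling defects described in the comment (the array size carried in two places, and the `count + 1` wrap that reaches `malloc(0)`) and the generic fix (refuse zero-length requests before the allocator is called) are easier to see on a small hardened unmarshaller. The code below is an added example, not Samba's code; the wire format (two little-endian u32 counts followed by u32 elements), the `+ 1` sentinel slot, the status codes and the `check_case` helper are all constructed for this illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Wire format (constructed for this example, little-endian):
 *   max_count (u32), actual_count (u32), then actual_count u32 elements.
 * The "size in two places" shape mirrors the DCE/RPC arrays described above. */

enum parse_status {
    PARSE_OK = 0,
    PARSE_SHORT,          /* message ends before the declared data */
    PARSE_COUNT_MISMATCH, /* the two array sizes disagree */
    PARSE_SIZE_WRAP,      /* count + 1 or the byte size would wrap */
    PARSE_NOMEM           /* allocator refused, zero-length included */
};

/* Generic guard from the fix described above: reject a zero-length request
 * before the real allocator sees it, since glibc's malloc(0) returns a
 * non-NULL pointer with no usable storage. */
static void *checked_malloc(size_t n)
{
    return n == 0 ? NULL : malloc(n);
}

static int read_u32_le(const uint8_t *buf, size_t len, size_t *off, uint32_t *out)
{
    if (len - *off < 4)
        return 0;
    *out = (uint32_t)buf[*off] | ((uint32_t)buf[*off + 1] << 8) |
           ((uint32_t)buf[*off + 2] << 16) | ((uint32_t)buf[*off + 3] << 24);
    *off += 4;
    return 1;
}

/* (count + 1) * elem_size with each step checked for wrap. The "+ 1" models
 * the "size requested had one added to it" case (room for a zero sentinel). */
static int array_alloc_size(uint32_t count, size_t elem_size, size_t *bytes)
{
    if (count == UINT32_MAX)            /* count + 1 wraps to 0 */
        return 0;
    uint32_t n = count + 1;
    if (n > SIZE_MAX / elem_size)       /* n * elem_size wraps */
        return 0;
    *bytes = (size_t)n * elem_size;
    return 1;
}

/* On PARSE_OK, *out holds *out_count elements plus a zero sentinel and the
 * caller frees it; every other status allocates nothing. */
int unmarshal_array(const uint8_t *buf, size_t len, uint32_t **out, uint32_t *out_count)
{
    size_t off = 0, bytes;
    uint32_t max_count, actual_count;

    if (!read_u32_le(buf, len, &off, &max_count) ||
        !read_u32_le(buf, len, &off, &actual_count))
        return PARSE_SHORT;
    /* The original bug: allocate with one count, enumerate with the other.
     * Insist that they agree before either is used for anything. */
    if (actual_count != max_count)
        return PARSE_COUNT_MISMATCH;
    if (!array_alloc_size(actual_count, sizeof(uint32_t), &bytes))
        return PARSE_SIZE_WRAP;
    /* A count that promises more data than the message holds is rejected
     * before allocation, so the copy loop below cannot read past len. */
    if ((len - off) / sizeof(uint32_t) < actual_count)
        return PARSE_SHORT;

    uint32_t *arr = checked_malloc(bytes);
    if (arr == NULL)
        return PARSE_NOMEM;
    for (uint32_t i = 0; i < actual_count; i++)
        read_u32_le(buf, len, &off, &arr[i]);
    arr[actual_count] = 0;
    *out = arr;
    *out_count = actual_count;
    return PARSE_OK;
}

/* Builds a constructed message with n_elems elements valued 10, 20, ... and
 * returns the parser's status, freeing any array it produced. */
int check_case(uint32_t max_count, uint32_t actual_count, size_t n_elems)
{
    uint8_t msg[8 + 4 * 8];
    size_t off = 0;
    uint32_t hdr[2] = { max_count, actual_count }, *arr = NULL, n = 0;
    if (n_elems > 8)
        return -1;
    for (int h = 0; h < 2; h++)
        for (int b = 0; b < 4; b++)
            msg[off++] = (uint8_t)(hdr[h] >> (8 * b));
    for (size_t i = 0; i < n_elems; i++)
        for (int b = 0; b < 4; b++)
            msg[off++] = (uint8_t)((uint32_t)(10 * (i + 1)) >> (8 * b));
    int st = unmarshal_array(msg, off, &arr, &n);
    free(arr);
    return st;
}

int main(void)
{
    printf("well-formed: %d\n", check_case(3, 3, 3));                   /* PARSE_OK */
    printf("mismatch:    %d\n", check_case(2, 3, 3));                   /* PARSE_COUNT_MISMATCH */
    printf("wrap:        %d\n", check_case(UINT32_MAX, UINT32_MAX, 0)); /* PARSE_SIZE_WRAP */
    printf("short:       %d\n", check_case(5, 5, 3));                   /* PARSE_SHORT */
    return 0;
}
```

The order of the checks is the point: the count comparison and the wrap check both run before any allocation, and the remaining-length check runs before the copy loop, so no branch reaches the allocator with a size derived from unvalidated input.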
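The second fix mentioned in the comment, a single sanitization function that every shell-bound request passes through, can be modelled as a fail-closed allowlist check. This is an added example and not Samba's function; the allowed character set, the length cap and the rejection of a leading `-` are assumptions chosen for the illustration.

```c
#include <stdbool.h>
#include <string.h>

/* Allowlist check for a value that will end up on a shell command line.
 * Instead of trying to escape every shell metacharacter, accept only
 * characters the shell cannot interpret and fail closed on anything else. */
bool shell_arg_is_safe(const char *s, size_t max_len)
{
    static const char allowed[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-@/";
    if (s == NULL || s[0] == '\0')
        return false;            /* empty values are never meaningful here */
    if (s[0] == '-')
        return false;            /* would be parsed as an option by the program run */
    size_t i;
    for (i = 0; s[i] != '\0'; i++) {
        if (i >= max_len)
            return false;        /* over the length cap, assumed policy */
        if (strchr(allowed, s[i]) == NULL)
            return false;        /* space, quotes, ';', '|', '`', '$' etc. */
    }
    return true;
}
```

A single choke point like this is what makes the fix auditable: every call site that builds a shell command can be checked for one function call rather than for a correct escaping routine of its own.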