Critical Vulnerabilities in Samba

Critical Vulnerabilities in Samba

Detailed explaination of the issues.

Actually we never forgot to check for NULL being returned from a *alloc (we pass Coverity testing remember). The problem was in the hand-marshalling RPC code. The bug was that an array size is passed in two places in DCE/RPC. We allocated using one size, then enumerated over the data with the second, *without checking that the sizes match* ! A second issue was an integer wrap where a size requested had one added to it without checkign for wrap, which allowed it to be sent as 0xFFFFFFFF and become 0. malloc(0) in glibc returns a valid heap address pointing to no addressable data. Thus an attacker could overwrite the heap.

The generic fix was to fix all of Samba to check for a zero-length alloc request and check this *before* the allocation routine was called.

The second problem was missing calling our sanitization function for incoming user-data. I fixed this be adding a generic shell-calling sanitization function that all shell requests are passed though.

Jeremy Allison,
Samba Team.