From 5c91fa5e79fa71889cfeb5fec17774fd0512ce39 Mon Sep 17 00:00:00 2001
From: Alex Oprea <alex.oprea@inteno.se>
Date: Wed, 31 May 2017 16:50:03 +0200
Subject: [PATCH] samba3: security patches for CVE-2010-2063 CVE-2010-3069
 CVE-2012-1182

---
 samba3/Makefile                               |  2 +-
 .../010-samba-3.0.37-CVE-2010-2063.patch      | 38 +++++++++
 .../020-samba-3.0.37-CVE-2010-3069.patch      | 82 +++++++++++++++++++
 .../030-samba-3.0.37-CVE-2012-1182.patch      | 59 +++++++++++++
 4 files changed, 180 insertions(+), 1 deletion(-)
 create mode 100644 samba3/patches/010-samba-3.0.37-CVE-2010-2063.patch
 create mode 100644 samba3/patches/020-samba-3.0.37-CVE-2010-3069.patch
 create mode 100644 samba3/patches/030-samba-3.0.37-CVE-2012-1182.patch

diff --git a/samba3/Makefile b/samba3/Makefile
index b2e0a254d..fb0697f69 100644
--- a/samba3/Makefile
+++ b/samba3/Makefile
@@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=samba3
 PKG_VERSION:=3.0.37
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_MD5SUM:=11ed2bfef4090bd5736b194b43f67289
 
diff --git a/samba3/patches/010-samba-3.0.37-CVE-2010-2063.patch b/samba3/patches/010-samba-3.0.37-CVE-2010-2063.patch
new file mode 100644
index 000000000..b4657de2c
--- /dev/null
+++ b/samba3/patches/010-samba-3.0.37-CVE-2010-2063.patch
@@ -0,0 +1,38 @@
+diff --git a/source/smbd/process.c b/source/smbd/process.c
+index e861e16..6499bc7 100644
+--- a/source/smbd/process.c
++++ b/source/smbd/process.c
+@@ -1159,6 +1159,7 @@ int chain_reply(char *inbuf,char *outbuf,int size,int bufsize)
+ {
+ 	static char *orig_inbuf;
+ 	static char *orig_outbuf;
++	static int orig_size;
+ 	int smb_com1, smb_com2 = CVAL(inbuf,smb_vwv0);
+ 	unsigned smb_off2 = SVAL(inbuf,smb_vwv1);
+ 	char *inbuf2, *outbuf2;
+@@ -1178,6 +1179,13 @@ int chain_reply(char *inbuf,char *outbuf,int size,int bufsize)
+ 		/* this is the first part of the chain */
+ 		orig_inbuf = inbuf;
+ 		orig_outbuf = outbuf;
++		orig_size = size;
++	}
++
++	/* Validate smb_off2 */
++	if ((smb_off2 < smb_wct - 4) || orig_size < (smb_off2 + 4 - smb_wct)) {
++		exit_server_cleanly("Bad chained packet");
++		return -1;
+ 	}
+ 
+ 	/*
+@@ -1192,6 +1200,11 @@ int chain_reply(char *inbuf,char *outbuf,int size,int bufsize)
+ 	SSVAL(outbuf,smb_vwv1,smb_offset(outbuf+outsize,outbuf));
+ 	SCVAL(outbuf,smb_vwv0,smb_com2);
+ 
++	if (outsize <= smb_wct) {
++		exit_server_cleanly("Bad chained packet");
++		return -1;
++	}
++
+ 	/* remember how much the caller added to the chain, only counting stuff
+ 		after the parameter words */
+ 	chain_size += outsize - smb_wct;
diff --git a/samba3/patches/020-samba-3.0.37-CVE-2010-3069.patch b/samba3/patches/020-samba-3.0.37-CVE-2010-3069.patch
new file mode 100644
index 000000000..e4545d081
--- /dev/null
+++ b/samba3/patches/020-samba-3.0.37-CVE-2010-3069.patch
@@ -0,0 +1,82 @@
+diff --git a/source/lib/util_sid.c b/source/lib/util_sid.c
+index 032be9a..2c5a0c7 100644
+--- a/source/lib/util_sid.c
++++ b/source/lib/util_sid.c
+@@ -403,6 +403,9 @@ BOOL sid_parse(const char *inbuf, size_t len, DOM_SID *sid)
+ 
+ 	sid->sid_rev_num = CVAL(inbuf, 0);
+ 	sid->num_auths = CVAL(inbuf, 1);
++	if (sid->num_auths > MAXSUBAUTHS) {
++		return false;
++	}
+ 	memcpy(sid->id_auth, inbuf+2, 6);
+ 	if (len < 8 + sid->num_auths*4)
+ 		return False;
+diff --git a/source/libads/ldap.c b/source/libads/ldap.c
+index 7479894..eebc0fd 100644
+--- a/source/libads/ldap.c
++++ b/source/libads/ldap.c
+@@ -1771,7 +1771,9 @@ static void dump_sid(const char *field, struct berval **values)
+ 	int i;
+ 	for (i=0; values[i]; i++) {
+ 		DOM_SID sid;
+-		sid_parse(values[i]->bv_val, values[i]->bv_len, &sid);
++		if (!sid_parse(values[i]->bv_val, values[i]->bv_len, &sid)) {
++			return;
++		}
+ 		printf("%s: %s\n", field, sid_string_static(&sid));
+ 	}
+ }
+diff --git a/source/libsmb/cliquota.c b/source/libsmb/cliquota.c
+index 2a47ae2..5721b67 100644
+--- a/source/libsmb/cliquota.c
++++ b/source/libsmb/cliquota.c
+@@ -117,7 +117,9 @@ static BOOL parse_user_quota_record(const char *rdata, unsigned int rdata_count,
+ 	}
+ #endif /* LARGE_SMB_OFF_T */
+ 	
+-	sid_parse(rdata+40,sid_len,&qt.sid);
++	if (!sid_parse(rdata+40,sid_len,&qt.sid)) {
++		return False;
++	}
+ 
+ 	qt.qtype = SMB_USER_QUOTA_TYPE;
+ 
+diff --git a/source/smbd/nttrans.c b/source/smbd/nttrans.c
+index 2b9d5da..60bab7e 100644
+--- a/source/smbd/nttrans.c
++++ b/source/smbd/nttrans.c
+@@ -2424,7 +2424,10 @@ static int call_nt_transact_ioctl(connection_struct *conn, char *inbuf, char *ou
+ 		/* unknown 4 bytes: this is not the length of the sid :-(  */
+ 		/*unknown = IVAL(pdata,0);*/
+ 		
+-		sid_parse(pdata+4,sid_len,&sid);
++		if (!sid_parse(pdata+4,sid_len,&sid)) {
++			return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
++		}
++
+ 		DEBUGADD(10,("for SID: %s\n",sid_string_static(&sid)));
+ 
+ 		if (!sid_to_uid(&sid, &uid)) {
+@@ -2662,7 +2665,9 @@ static int call_nt_transact_get_user_quota(connection_struct *conn, char *inbuf,
+ 				break;
+ 			}
+ 
+-			sid_parse(pdata+8,sid_len,&sid);
++			if (!sid_parse(pdata+8,sid_len,&sid)) {
++				return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
++			}
+ 		
+ 			if (vfs_get_ntquota(fsp, SMB_USER_QUOTA_TYPE, &sid, &qt)!=0) {
+ 				ZERO_STRUCT(qt);
+@@ -2828,7 +2833,9 @@ static int call_nt_transact_set_user_quota(connection_struct *conn, char *inbuf,
+ 	}
+ #endif /* LARGE_SMB_OFF_T */
+ 	
+-	sid_parse(pdata+40,sid_len,&sid);
++	if (!sid_parse(pdata+40,sid_len,&sid)) {
++		return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
++	}
+ 	DEBUGADD(8,("SID: %s\n",sid_string_static(&sid)));
+ 
+ 	/* 44 unknown bytes left... */
diff --git a/samba3/patches/030-samba-3.0.37-CVE-2012-1182.patch b/samba3/patches/030-samba-3.0.37-CVE-2012-1182.patch
new file mode 100644
index 000000000..b1ee66d4e
--- /dev/null
+++ b/samba3/patches/030-samba-3.0.37-CVE-2012-1182.patch
@@ -0,0 +1,59 @@
+From e11637c2c89c2d38963311416c34a4767b19e175 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Sat, 17 Mar 2012 01:22:27 +0100
+Subject: [PATCH] s3:librpc/gen_ndr: fix array checks (bug #8815 / CVE-2012-1182)
+
+An Anonymous researcher working with HP's Zero Day Initiative program
+has found this and notified us.
+
+metze
+---
+ source/librpc/gen_ndr/ndr_wkssvc.c |   12 ++++++------
+ 1 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/source/librpc/gen_ndr/ndr_wkssvc.c b/source/librpc/gen_ndr/ndr_wkssvc.c
+index 2af3587..07cf1a1 100644
+--- a/source/librpc/gen_ndr/ndr_wkssvc.c
++++ b/source/librpc/gen_ndr/ndr_wkssvc.c
+@@ -1385,10 +1385,10 @@ NTSTATUS ndr_pull_USER_INFO_0_CONTAINER(struct ndr_pull *ndr, int ndr_flags, str
+ 			NDR_PULL_ALLOC_N(ndr, r->user0, ndr_get_array_size(ndr, &r->user0));
+ 			_mem_save_user0_1 = NDR_PULL_GET_MEM_CTX(ndr);
+ 			NDR_PULL_SET_MEM_CTX(ndr, r->user0, 0);
+-			for (cntr_user0_1 = 0; cntr_user0_1 < r->entries_read; cntr_user0_1++) {
++			for (cntr_user0_1 = 0; cntr_user0_1 < ndr_get_array_size(ndr, &r->user0); cntr_user0_1++) {
+ 				NDR_CHECK(ndr_pull_USER_INFO_0(ndr, NDR_SCALARS, &r->user0[cntr_user0_1]));
+ 			}
+-			for (cntr_user0_1 = 0; cntr_user0_1 < r->entries_read; cntr_user0_1++) {
++			for (cntr_user0_1 = 0; cntr_user0_1 < ndr_get_array_size(ndr, &r->user0); cntr_user0_1++) {
+ 				NDR_CHECK(ndr_pull_USER_INFO_0(ndr, NDR_BUFFERS, &r->user0[cntr_user0_1]));
+ 			}
+ 			NDR_PULL_SET_MEM_CTX(ndr, _mem_save_user0_1, 0);
+@@ -1631,10 +1631,10 @@ NTSTATUS ndr_pull_USER_INFO_1_CONTAINER(struct ndr_pull *ndr, int ndr_flags, str
+ 			NDR_PULL_ALLOC_N(ndr, r->user1, ndr_get_array_size(ndr, &r->user1));
+ 			_mem_save_user1_1 = NDR_PULL_GET_MEM_CTX(ndr);
+ 			NDR_PULL_SET_MEM_CTX(ndr, r->user1, 0);
+-			for (cntr_user1_1 = 0; cntr_user1_1 < r->entries_read; cntr_user1_1++) {
++			for (cntr_user1_1 = 0; cntr_user1_1 < ndr_get_array_size(ndr, &r->user1); cntr_user1_1++) {
+ 				NDR_CHECK(ndr_pull_USER_INFO_1(ndr, NDR_SCALARS, &r->user1[cntr_user1_1]));
+ 			}
+-			for (cntr_user1_1 = 0; cntr_user1_1 < r->entries_read; cntr_user1_1++) {
++			for (cntr_user1_1 = 0; cntr_user1_1 < ndr_get_array_size(ndr, &r->user1); cntr_user1_1++) {
+ 				NDR_CHECK(ndr_pull_USER_INFO_1(ndr, NDR_BUFFERS, &r->user1[cntr_user1_1]));
+ 			}
+ 			NDR_PULL_SET_MEM_CTX(ndr, _mem_save_user1_1, 0);
+@@ -1953,10 +1953,10 @@ NTSTATUS ndr_pull_wkssvc_NetWkstaTransportCtr0(struct ndr_pull *ndr, int ndr_fla
+ 			NDR_PULL_ALLOC_N(ndr, r->array, ndr_get_array_size(ndr, &r->array));
+ 			_mem_save_array_1 = NDR_PULL_GET_MEM_CTX(ndr);
+ 			NDR_PULL_SET_MEM_CTX(ndr, r->array, 0);
+-			for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) {
++			for (cntr_array_1 = 0; cntr_array_1 < ndr_get_array_size(ndr, &r->array); cntr_array_1++) {
+ 				NDR_CHECK(ndr_pull_wkssvc_NetWkstaTransportInfo0(ndr, NDR_SCALARS, &r->array[cntr_array_1]));
+ 			}
+-			for (cntr_array_1 = 0; cntr_array_1 < r->count; cntr_array_1++) {
++			for (cntr_array_1 = 0; cntr_array_1 < ndr_get_array_size(ndr, &r->array); cntr_array_1++) {
+ 				NDR_CHECK(ndr_pull_wkssvc_NetWkstaTransportInfo0(ndr, NDR_BUFFERS, &r->array[cntr_array_1]));
+ 			}
+ 			NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_1, 0);
+-- 
+1.7.4.1
+