Brad Bishop | 1a4b7ee | 2018-12-16 17:11:34 -0800 | 1 | From a6b1e0fd14311587186e40d09bff5c8c3aada2e4 Mon Sep 17 00:00:00 2001 |
| 2 | From: Amos Jeffries <squid3@treenet.co.nz> |
| 3 | Date: Sat, 25 Jul 2015 05:53:16 -0700 |
| 4 | Subject: [PATCH] smblib: fix buffer over-read |
| 5 | |
| 6 | When parsing SMB LanManager packets with invalid protocol ID and the |
| 7 | default set of Squid supported protocols, it may access memory outside |
| 8 | the buffer storing protocol names. |
| 9 | |
| 10 | smblib is only used by already deprecated helpers which are deprecated |
| 11 | due to far more significant NTLM protocol issues. It will also only |
| 12 | result in packets being rejected later with invalid protocol names. So |
| 13 | this is a minor bug rather than a vulnerability. |
| 14 | |
| 15 | Detected by Coverity Scan. Issue 1256165 |
| 16 | --- |
| 17 | Signed-off-by: Khem Raj <raj.khem@gmail.com> |
| 18 | Upstream-Status: Backport |
| 19 | |
| 20 | lib/smblib/smblib-util.c | 6 +++++- |
| 21 | 1 file changed, 5 insertions(+), 1 deletion(-) |
| 22 | |
| 23 | diff --git a/lib/smblib/smblib-util.c b/lib/smblib/smblib-util.c |
| 24 | index 6139ae2..e722cbb 100644 |
| 25 | --- a/lib/smblib/smblib-util.c |
| 26 | +++ b/lib/smblib/smblib-util.c |
| 27 | @@ -204,7 +204,11 @@ int SMB_Figure_Protocol(const char *dialects[], int prot_index) |
| 28 | { |
| 29 | int i; |
| 30 | |
| 31 | - if (dialects == SMB_Prots) { /* The jobs is easy, just index into table */ |
| 32 | + // prot_index may be a value outside the table SMB_Types[] |
| 33 | + // which holds data at offsets 0 to 11 |
| 34 | + int ourType = (prot_index < 0 || prot_index > 11); |
| 35 | + |
| 36 | + if (ourType && dialects == SMB_Prots) { /* The jobs is easy, just index into table */ |
| 37 | |
| 38 | return(SMB_Types[prot_index]); |
| 39 | } else { /* Search through SMB_Prots looking for a match */ |
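Review bot: the range test on the added line `int ourType = (prot_index < 0 || prot_index > 11);` is inverted. It evaluates to true when prot_index is outside 0 to 11, so `if (ourType && dialects == SMB_Prots)` reaches `return(SMB_Types[prot_index]);` only for the out-of-range values the added comment says must be excluded, while valid indexes now skip the direct lookup and fall through to the else branch. As written the over-read described in the commit message is still reachable. Suggest `int ourType = (prot_index >= 0 && prot_index <= 11);` and keeping the `if` as it is. Two smaller points: the literal 11 duplicates the size of SMB_Types[], so if that table is an array in scope here, deriving the bound from its element count would keep the check in step with the table; and the two added comments use `//` where the surrounding lines use `/* */`.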