CVE-2017-12163: s3:smbd: Prevent client short SMB1 write from writing…

… server memory to file.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13020

Signed-off-by: Jeremy Allison <[email protected]>
Signed-off-by: Stefan Metzmacher <[email protected]>

source3/smbd/reply.c

@@ -4489,6 +4489,9 @@ void reply_writebraw(struct smb_request *req)
 	}
 
 	/* Ensure we don't write bytes past the end of this packet. */
+	/*
+	 * This already protects us against CVE-2017-12163.
+	 */
 	if (data + numtowrite > smb_base(req->inbuf) + smb_len(req->inbuf)) {
 		reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
 		error_to_writebrawerr(req);
@@ -4589,6 +4592,11 @@ void reply_writebraw(struct smb_request *req)
 			exit_server_cleanly("secondary writebraw failed");
 		}
 
+		/*
+		 * We are not vulnerable to CVE-2017-12163
+		 * here as we are guarenteed to have numtowrite
+		 * bytes available - we just read from the client.
+		 */
 		nwritten = write_file(req,fsp,buf+4,startpos+nwritten,numtowrite);
 		if (nwritten == -1) {
 			TALLOC_FREE(buf);
@@ -4670,6 +4678,7 @@ void reply_writeunlock(struct smb_request *req)
 	connection_struct *conn = req->conn;
 	ssize_t nwritten = -1;
 	size_t numtowrite;
+	size_t remaining;
 	off_t startpos;
 	const char *data;
 	NTSTATUS status = NT_STATUS_OK;
@@ -4702,6 +4711,17 @@ void reply_writeunlock(struct smb_request *req)
 	startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0);
 	data = (const char *)req->buf + 3;
 
+	/*
+	 * Ensure client isn't asking us to write more than
+	 * they sent. CVE-2017-12163.
+	 */
+	remaining = smbreq_bufrem(req, data);
+	if (numtowrite > remaining) {
+		reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+		END_PROFILE(SMBwriteunlock);
+		return;
+	}
+
 	if (!fsp->print_file && numtowrite > 0) {
 		init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
 		    (uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
@@ -4783,6 +4803,7 @@ void reply_write(struct smb_request *req)
 {
 	connection_struct *conn = req->conn;
 	size_t numtowrite;
+	size_t remaining;
 	ssize_t nwritten = -1;
 	off_t startpos;
 	const char *data;
@@ -4823,6 +4844,17 @@ void reply_write(struct smb_request *req)
 	startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0);
 	data = (const char *)req->buf + 3;
 
+	/*
+	 * Ensure client isn't asking us to write more than
+	 * they sent. CVE-2017-12163.
+	 */
+	remaining = smbreq_bufrem(req, data);
+	if (numtowrite > remaining) {
+		reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+		END_PROFILE(SMBwrite);
+		return;
+	}
+
 	if (!fsp->print_file) {
 		init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
 			(uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
@@ -5049,6 +5081,9 @@ void reply_write_and_X(struct smb_request *req)
 			goto out;
 		}
 	} else {
+		/*
+		 * This already protects us against CVE-2017-12163.
+		 */
 		if (smb_doff > smblen || smb_doff + numtowrite < numtowrite ||
 				smb_doff + numtowrite > smblen) {
 			reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
@@ -5477,6 +5512,7 @@ void reply_writeclose(struct smb_request *req)
 {
 	connection_struct *conn = req->conn;
 	size_t numtowrite;
+	size_t remaining;
 	ssize_t nwritten = -1;
 	NTSTATUS close_status = NT_STATUS_OK;
 	off_t startpos;
@@ -5510,6 +5546,17 @@ void reply_writeclose(struct smb_request *req)
 	mtime = convert_time_t_to_timespec(srv_make_unix_date3(req->vwv+4));
 	data = (const char *)req->buf + 1;
 
+	/*
+	 * Ensure client isn't asking us to write more than
+	 * they sent. CVE-2017-12163.
+	 */
+	remaining = smbreq_bufrem(req, data);
+	if (numtowrite > remaining) {
+		reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+		END_PROFILE(SMBwriteclose);
+		return;
+	}
+
 	if (fsp->print_file == NULL) {
 		init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
 		    (uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
@@ -6105,6 +6152,9 @@ void reply_printwrite(struct smb_request *req)
 
 	numtowrite = SVAL(req->buf, 1);
 
+	/*
+	 * This already protects us against CVE-2017-12163.
+	 */
 	if (req->buflen < numtowrite + 3) {
 		reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
 		END_PROFILE(SMBsplwr);