SAMBA:CVE-2008-4314
Samba Security (www.samba.org), Nov 27, 2008

Potential leak of arbitrary memory contents

CVSS2: 8.5 High (AV:N/AC:L/Au:N/C:C/I:N/A:P)
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: COMPLETE
  Integrity Impact: NONE
  Availability Impact: PARTIAL

EPSS: 0.048 Low (percentile 92.7%)

Description

Samba 3.0.29 and later contain a change made to cope with gcc 4
optimizations. Part of that change modified the range checking of
client-supplied offsets in secondary trans, trans2 and nttrans requests. These
requests transfer arbitrary amounts of data between client and server in small
SMB fragments, and each secondary request carries two offsets: one (A) pointing
into the PDU the client sent, locating the fragment's bytes, and one (B) giving
the displacement at which those bytes are placed in the buffer being
reassembled on the server side. The range check on offset (B) is correct, but a
cut-and-paste error leaves offset (A) entirely unchecked, so it can point
beyond the end of the received PDU.

The reassembled buffers passed into trans, trans2 and nttrans then undergo
higher-level processing, such as handling of DCE/RPC requests or directory
listing. Because of the missing bounds check, a malicious client can make the
server perform this higher-level processing on arbitrary memory contents of the
smbd process handling the request. Whether this can be abused to pass arbitrary
memory contents back to the client is unknown, but an important barrier is
missing from the affected Samba versions.
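The two-offset reassembly step described above, with the defective check beside the corrected one, as an added example. This is illustrative code written for this page, not Samba's source: the structure layouts, the names trans_ctx, trans_secondary, fragment_in_bounds_vulnerable, fragment_in_bounds_fixed and copy_fragment, and the 64-byte sample PDU are all assumptions. The defective variant validates only offset (B); the fixed variant applies the same bound test to offset (A), written as a subtraction so that offset plus count cannot wrap.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of secondary trans/trans2/nttrans reassembly.
 * Names and layouts are assumptions for illustration, not Samba's code. */

typedef struct {
    const uint8_t *pdu;    /* the SMB PDU as received from the client */
    size_t pdu_len;        /* number of bytes actually received */
    uint8_t *target;       /* server-side buffer being rebuilt from fragments */
    size_t target_len;     /* total size announced in the primary request */
} trans_ctx;

typedef struct {
    uint32_t count;        /* bytes carried by this fragment */
    uint32_t offset_a;     /* (A): where the fragment's bytes sit in the PDU */
    uint32_t offset_b;     /* (B): where they go in the server-side buffer */
} trans_secondary;

/* Check on offset (B), shared by both variants: the fragment must fit inside
 * the server-side buffer. The bound test comes first so the subtraction
 * cannot underflow and offset_b + count is never computed. */
static bool target_range_ok(const trans_ctx *ctx, const trans_secondary *s)
{
    return s->offset_b <= ctx->target_len &&
           s->count <= ctx->target_len - s->offset_b;
}

/* Defective variant: only offset (B) is validated. Offset (A) is taken on
 * trust, so ctx->pdu + offset_a may point anywhere in the process. */
static bool fragment_in_bounds_vulnerable(const trans_ctx *ctx,
                                          const trans_secondary *s)
{
    return target_range_ok(ctx, s);
}

/* Fixed variant: offset (A) gets the same treatment as offset (B). */
static bool fragment_in_bounds_fixed(const trans_ctx *ctx,
                                     const trans_secondary *s)
{
    if (!target_range_ok(ctx, s))
        return false;
    return s->offset_a <= ctx->pdu_len &&
           s->count <= ctx->pdu_len - s->offset_a;
}

/* Copies one fragment into the server-side buffer through the fixed check. */
static bool copy_fragment(trans_ctx *ctx, const trans_secondary *s)
{
    if (!fragment_in_bounds_fixed(ctx, s))
        return false;
    memcpy(ctx->target + s->offset_b, ctx->pdu + s->offset_a, s->count);
    return true;
}

/* Constructed sample data: a 64-byte "PDU" holding a byte ramp 0..63 and a
 * 256-byte server-side buffer, standing in for real SMB traffic. */
static uint8_t g_pdu[64];
static uint8_t g_target[256];

static trans_ctx sample_ctx(void)
{
    for (size_t i = 0; i < sizeof g_pdu; i++)
        g_pdu[i] = (uint8_t)i;
    memset(g_target, 0, sizeof g_target);
    trans_ctx ctx = { g_pdu, sizeof g_pdu, g_target, sizeof g_target };
    return ctx;
}

/* Reports whether a fragment (count, A, B) passes the chosen variant. */
static bool check_case(uint32_t count, uint32_t a, uint32_t b, bool use_fixed)
{
    trans_ctx ctx = sample_ctx();
    trans_secondary s = { count, a, b };
    return use_fixed ? fragment_in_bounds_fixed(&ctx, &s)
                     : fragment_in_bounds_vulnerable(&ctx, &s);
}

/* Copies a fragment through the fixed path and returns the byte that landed
 * at server-side offset b, or -1 if the fragment was rejected. */
static int copy_case(uint32_t count, uint32_t a, uint32_t b)
{
    trans_ctx ctx = sample_ctx();
    trans_secondary s = { count, a, b };
    if (!copy_fragment(&ctx, &s))
        return -1;
    return ctx.target[b];
}

int main(void)
{
    /* Legitimate: 16 bytes at PDU offset 8, placed at buffer offset 32.
     * Hostile: offset (A) points about 4 GiB past the PDU; (B) is fine. */
    printf("good: vulnerable=%d fixed=%d\n",
           check_case(16, 8, 32, false), check_case(16, 8, 32, true));
    printf("evil: vulnerable=%d fixed=%d\n",
           check_case(16, 0xFFFFFFF0u, 32, false),
           check_case(16, 0xFFFFFFF0u, 32, true));
    return copy_case(16, 8, 32) == 8 ? 0 : 1;
}
```

The hostile fragment is exactly the shape the advisory describes: offset (B) is in range, so the defective check accepts it, and the copy would then read from whatever sits at pdu + offset_a in the smbd process before the higher-level handlers run over the result. A second case worth keeping in a test is a fragment whose (A) is inside the PDU but whose count runs off its end; the subtraction form rejects it without any risk of the sum wrapping.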

Patch Availability

A patch addressing this defect has been posted to

http://www.samba.org/samba/security/

Additionally, Samba 3.2.5 and 3.0.33 have been issued as security
releases to correct the defect. Samba administrators are
advised to upgrade to 3.2.5 (or 3.0.33) or apply the patch as soon
as possible.

Workaround

None.

Credits

This flaw was found during a code review internal to the Samba Team.

== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
