SAMBA:CVE-2012-0817 (Samba Security)
Jan 29, 2012 - 12:00 a.m.

Memory leak/Denial of service.

2012-01-29 00:00:00
Samba Security
www.samba.org

CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS: 0.034 Low
Percentile: 91.3%

Description

Samba versions 3.6.0 to 3.6.2 inclusive are vulnerable to a memory
leak that can cause a server denial of service.

The Samba smbd daemon that listens for incoming connections leaks
a small amount of memory on every connection attempt. Although this
is a small leak, it happens on every connection even without successful
authentication. Thus an attacker can simply loop making connection
requests and cause the listening daemon to ever increase in size.

Eventually the server process will grow enough to either cause memory
allocations in other processes to fail, or be killed by the system
as part of its out of memory protection. Either way, denial of service
would be achieved.

The symptom that caused this issue to be discovered was extreme CPU use
on an affected system. This was caused by the child processes that were
forked from the parent attempting to free the leaked memory.

Workaround

None.

Patch Availability

A patch addressing this defect has been posted to

http://www.samba.org/samba/security/

Additionally, Samba 3.6.3 has been issued as a security release to correct the
defect. Samba administrators running affected versions are advised to upgrade
to 3.6.3 or apply the patch as soon as possible.
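
The following triage helpers are an added example, not part of the Samba advisory. They check a version string (as printed by `smbd -V`) against the affected range stated above, and check whether sampled resident-set sizes of the listening smbd only ever grow. The function names and sample values are constructed for illustration, and the version test looks only at the upstream version string, so it cannot tell whether a vendor package carries the patch under an unchanged version number.

```shell
#!/bin/sh
# Added example (not from the Samba advisory): triage helpers.

# samba_is_affected VERSION_STRING
# Returns 0 if the version is within 3.6.0 to 3.6.2 inclusive, 1 if not,
# 2 if no x.y.z version can be parsed. Accepts `smbd -V` style input
# such as "Version 3.6.1" or a suffixed string such as "3.6.2-Debian".
samba_is_affected() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    [ -n "$ver" ] || return 2
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    [ "$major" -eq 3 ] && [ "$minor" -eq 6 ] && [ "$patch" -le 2 ]
}

# rss_growth_kb SAMPLE...
# Takes resident-set sizes (kB) of the listening smbd, sampled over time.
# Prints last-minus-first when no sample is smaller than the one before it
# (the steady growth the advisory describes); prints 0 otherwise or when
# fewer than two samples are given.
rss_growth_kb() {
    [ "$#" -ge 2 ] || { echo 0; return 0; }
    first=$1; prev=$1
    for s in "$@"; do
        if [ "$s" -lt "$prev" ]; then echo 0; return 0; fi
        prev=$s
    done
    echo $((prev - first))
}

# Constructed sample inputs (not taken from a real host).
for v in "Version 3.5.12" "Version 3.6.0" "3.6.2-Debian" "Version 3.6.3"; do
    if samba_is_affected "$v"; then
        echo "$v: in affected range"
    else
        echo "$v: not in affected range"
    fi
done
echo "listener growth: $(rss_growth_kb 8120 8244 8391 8530) kB"
```

On a live host the version string can be passed as `samba_is_affected "$(smbd -V)"`.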

Credits

The vulnerability was discovered and reported to the Samba Team by Youzhong
Yang and Ira Cooper of MathWorks. Patches were written and tested by Ira
Cooper of MathWorks and Jeremy Allison of the Samba Team.
