Samba 3.0.29 and beyond contain a change to deal with gcc 4
optimizations. Part of the change modified range checking for
client-generated offsets of secondary trans, trans2 and nttrans
requests. These requests are used to transfer arbitrary amounts
of memory from clients to servers and back using small SMB
requests and contain two offsets: One offset (A) pointing into
the PDU sent by the client and one (B) to direct the transferred
contents into the buffer built on the server side. While the range
checking for offset (B) is correct, a cut and paste error lets offset
(A) pass completely unchecked against overflow.
The buffers passed into trans, trans2 and nttrans undergo higher-level
processing like DCE/RPC requests or listing directories. The missing
bounds check means that a malicious client can make the server do this
higher-level processing on arbitrary memory contents of the smbd process
handling the request. It is unknown if that can be abused to pass arbitrary
memory contents back to the client, but an important barrier is missing from
the affected Samba versions.