authorJeremy Allison <jra@samba.org>2007-12-13 16:44:24 -0800
committerJeremy Allison <jra@samba.org>2007-12-13 16:44:24 -0800
commit9e733924d9119a3a7a8b755557ffe458dda96d63 (patch)
tree08bd0cf07dbffb2e4982a0c7638c9e19adf1d856
parent733425f312729bf4c26bfcea866f310bc9b6b5be (diff)
Arg. The fix for CVE-2007-6015 hadn't been merged into 3.2.
Do so now.... Jeremy. (This used to be commit 6b1246c29a0241c8e4bb98d659d847d010826b36)
-rw-r--r--source3/libsmb/clidgram.c6
-rw-r--r--source3/nmbd/nmbd_packets.c6
2 files changed, 12 insertions, 0 deletions
diff --git a/source3/libsmb/clidgram.c b/source3/libsmb/clidgram.c
index 82f874f383..76630bd504 100644
--- a/source3/libsmb/clidgram.c
+++ b/source3/libsmb/clidgram.c
@@ -75,6 +75,12 @@ bool cli_send_mailslot(struct messaging_context *msg_ctx,
/* Setup the smb part. */
ptr -= 4; /* XXX Ugliness because of handling of tcp SMB length. */
memcpy(tmp,ptr,4);
+
+ if (smb_size + 17*2 + strlen(mailslot) + 1 + len > MAX_DGRAM_SIZE) {
+ DEBUG(0, ("cli_send_mailslot: Cannot write beyond end of packet\n"));
+ return False;
+ }
+
set_message(ptr,17,strlen(mailslot) + 1 + len,True);
memcpy(ptr,tmp,4);
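Review bot: The added guard `if (smb_size + 17*2 + strlen(mailslot) + 1 + len > MAX_DGRAM_SIZE)` sums the lengths before comparing, so a sufficiently large `len` could wrap the unsigned sum and slip under the limit; the identical guard in the send_mailslot hunk of nmbd_packets.c, where the signature shows `size_t len`, has the same shape. Checking by subtraction cannot wrap: `size_t fixed = smb_size + 17*2 + strlen(mailslot) + 1;` followed by `if (fixed > MAX_DGRAM_SIZE || len > MAX_DGRAM_SIZE - fixed) {`. The type of `len` here and whether any caller can pass such a value are not visible in this hunk, so treat this as hardening rather than a confirmed hole. cli_send_mailslot starts and ends outside the hunk.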
diff --git a/source3/nmbd/nmbd_packets.c b/source3/nmbd/nmbd_packets.c
index b78ab5ba7e..349d36ce70 100644
--- a/source3/nmbd/nmbd_packets.c
+++ b/source3/nmbd/nmbd_packets.c
@@ -1918,6 +1918,12 @@ bool send_mailslot(bool unique, const char *mailslot,char *buf, size_t len,
/* Setup the smb part. */
ptr -= 4; /* XXX Ugliness because of handling of tcp SMB length. */
memcpy(tmp,ptr,4);
+
+ if (smb_size + 17*2 + strlen(mailslot) + 1 + len > MAX_DGRAM_SIZE) {
+ DEBUG(0, ("send_mailslot: Cannot write beyond end of packet\n"));
+ return false;
+ }
+
set_message(ptr,17,strlen(mailslot) + 1 + len,True);
memcpy(ptr,tmp,4);
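Review bot: The message at `DEBUG(0, ("send_mailslot: Cannot write beyond end of packet\n"));` records nothing about the rejected request, which makes it hard to tell a misbehaving caller from an attempt to trigger the overflow this check guards against. Including the sizes would help triage, for example `DEBUG(0, ("send_mailslot: mailslot name %u + data %u bytes exceed MAX_DGRAM_SIZE\n", (unsigned int)strlen(mailslot), (unsigned int)len));`. If the oversized length can be driven by remote datagrams, presumably the case given the CVE reference in the commit message, also consider whether an always-on level 0 message per packet is acceptable for log volume. The same applies to the cli_send_mailslot message in clidgram.c; send_mailslot's body continues outside the hunk.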