diff options
author | Jeremy Allison <jra@samba.org> | 2007-12-13 16:44:24 -0800 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2007-12-13 16:44:24 -0800 |
commit | 9e733924d9119a3a7a8b755557ffe458dda96d63 (patch) | |
tree | 08bd0cf07dbffb2e4982a0c7638c9e19adf1d856 | |
parent | 733425f312729bf4c26bfcea866f310bc9b6b5be (diff) | |
download | samba-9e733924d9119a3a7a8b755557ffe458dda96d63.tar.gz samba-9e733924d9119a3a7a8b755557ffe458dda96d63.tar.bz2 samba-9e733924d9119a3a7a8b755557ffe458dda96d63.zip |
Arg. The fix for CVE-2007-6015 hadn't been merged into 3.2.
Do so now....
Jeremy.
(This used to be commit 6b1246c29a0241c8e4bb98d659d847d010826b36)
-rw-r--r-- | source3/libsmb/clidgram.c | 6 | ||||
-rw-r--r-- | source3/nmbd/nmbd_packets.c | 6 |
2 files changed, 12 insertions, 0 deletions
diff --git a/source3/libsmb/clidgram.c b/source3/libsmb/clidgram.c index 82f874f383..76630bd504 100644 --- a/source3/libsmb/clidgram.c +++ b/source3/libsmb/clidgram.c @@ -75,6 +75,12 @@ bool cli_send_mailslot(struct messaging_context *msg_ctx, /* Setup the smb part. */ ptr -= 4; /* XXX Ugliness because of handling of tcp SMB length. */ memcpy(tmp,ptr,4); + + if (smb_size + 17*2 + strlen(mailslot) + 1 + len > MAX_DGRAM_SIZE) { + DEBUG(0, ("cli_send_mailslot: Cannot write beyond end of packet\n")); + return False; + } + set_message(ptr,17,strlen(mailslot) + 1 + len,True); memcpy(ptr,tmp,4); diff --git a/source3/nmbd/nmbd_packets.c b/source3/nmbd/nmbd_packets.c index b78ab5ba7e..349d36ce70 100644 --- a/source3/nmbd/nmbd_packets.c +++ b/source3/nmbd/nmbd_packets.c @@ -1918,6 +1918,12 @@ bool send_mailslot(bool unique, const char *mailslot,char *buf, size_t len, /* Setup the smb part. */ ptr -= 4; /* XXX Ugliness because of handling of tcp SMB length. */ memcpy(tmp,ptr,4); + + if (smb_size + 17*2 + strlen(mailslot) + 1 + len > MAX_DGRAM_SIZE) { + DEBUG(0, ("send_mailslot: Cannot write beyond end of packet\n")); + return false; + } + set_message(ptr,17,strlen(mailslot) + 1 + len,True); memcpy(ptr,tmp,4); |