summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGerald (Jerry) Carter <jerry@samba.org>2007-11-14 20:51:14 -0600
committerGerald (Jerry) Carter <jerry@samba.org>2007-11-15 10:57:31 -0600
commitd41713b10770765cd0b30f8b5c8d6bddad4de2d6 (patch)
treec48464c4104ff626aef126982d50f43f281d36d6
parentc45970529c2dde29db94214bc4af1e4bbc050d40 (diff)
downloadsamba-d41713b10770765cd0b30f8b5c8d6bddad4de2d6.tar.gz
samba-d41713b10770765cd0b30f8b5c8d6bddad4de2d6.tar.bz2
samba-d41713b10770765cd0b30f8b5c8d6bddad4de2d6.zip
Fix for CVE-2007-5398.
== Subject: Remote code execution in Samba's WINS == server daemon (nmbd) when processing name == registration followed name query requests. == == CVE ID#: CVE-2007-5398 == == Versions: Samba 3.0.0 - 3.0.26a (inclusive) ... Secunia Research reported a vulnerability that allows for the execution of arbitrary code in nmbd. This defect may only be exploited when the "wins support" parameter has been enabled in smb.conf. (This used to be commit e40c372e0ddf631dd9162c1fdfaaa49c29915f23)
-rw-r--r--source3/nmbd/nmbd_packets.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/source3/nmbd/nmbd_packets.c b/source3/nmbd/nmbd_packets.c
index d49c8bab79..b78ab5ba7e 100644
--- a/source3/nmbd/nmbd_packets.c
+++ b/source3/nmbd/nmbd_packets.c
@@ -970,6 +970,12 @@ for id %hu\n", packet_type, nmb_namestr(&orig_nmb->question.question_name),
nmb->answers->ttl = ttl;
if (data && len) {
+ if (len < 0 || len > sizeof(nmb->answers->rdata)) {
+ DEBUG(5,("reply_netbios_packet: "
+ "invalid packet len (%d)\n",
+ len ));
+ return;
+ }
nmb->answers->rdlength = len;
memcpy(nmb->answers->rdata, data, len);
}