Arg. The fix for CVE-2007-6015 hadn't been merged into 3.2.

Do so now.... Jeremy. (This used to be commit 6b1246c29a0241c8e4bb98d659d847d010826b36)
author: Jeremy Allison <jra@samba.org> 2007-12-13 16:44:24 -0800
committer: Jeremy Allison <jra@samba.org> 2007-12-13 16:44:24 -0800
commit: 9e733924d9119a3a7a8b755557ffe458dda96d63 (patch)
tree: 08bd0cf07dbffb2e4982a0c7638c9e19adf1d856 /source3/nmbd/nmbd_packets.c
parent: 733425f312729bf4c26bfcea866f310bc9b6b5be (diff)
download: samba-9e733924d9119a3a7a8b755557ffe458dda96d63.tar.gz
samba-9e733924d9119a3a7a8b755557ffe458dda96d63.tar.bz2
samba-9e733924d9119a3a7a8b755557ffe458dda96d63.zip
1 files changed, 6 insertions, 0 deletions
diff --git a/source3/nmbd/nmbd_packets.c b/source3/nmbd/nmbd_packets.c
index b78ab5ba7e..349d36ce70 100644
--- a/source3/nmbd/nmbd_packets.c
+++ b/source3/nmbd/nmbd_packets.c
@@ -1918,6 +1918,12 @@ bool send_mailslot(bool unique, const char *mailslot,char *buf, size_t len,
 	/* Setup the smb part. */
 	ptr -= 4; /* XXX Ugliness because of handling of tcp SMB length. */
 	memcpy(tmp,ptr,4);
+
+	if (smb_size + 17*2 + strlen(mailslot) + 1 + len > MAX_DGRAM_SIZE) {
+		DEBUG(0, ("send_mailslot: Cannot write beyond end of packet\n"));
+		return false;
+	}
+
 	set_message(ptr,17,strlen(mailslot) + 1 + len,True);
 	memcpy(ptr,tmp,4);
author	Jeremy Allison <jra@samba.org>	2007-12-13 16:44:24 -0800
committer	Jeremy Allison <jra@samba.org>	2007-12-13 16:44:24 -0800
commit	9e733924d9119a3a7a8b755557ffe458dda96d63 (patch)
tree	08bd0cf07dbffb2e4982a0c7638c9e19adf1d856 /source3/nmbd/nmbd_packets.c
parent	733425f312729bf4c26bfcea866f310bc9b6b5be (diff)
download	samba-9e733924d9119a3a7a8b755557ffe458dda96d63.tar.gz samba-9e733924d9119a3a7a8b755557ffe458dda96d63.tar.bz2 samba-9e733924d9119a3a7a8b755557ffe458dda96d63.zip