r22852: merge fixes for CVE-2007-2446 and CVE-2007-2447 to all branches

(This used to be commit f65214be68c1a59d9598bfb9f3b19e71cc3fa07b)
author: Gerald Carter <jerry@samba.org> 2007-05-14 14:23:51 +0000
committer: Gerald (Jerry) Carter <jerry@samba.org> 2007-10-10 12:22:02 -0500
commit: d34f6bb969092166c961e328229b1b05a30f6930 (patch)
tree: 5cad4256a4dab7d6a7545188f877b7c78cf7c8f0 /source3/rpc_parse/parse_spoolss.c
parent: 00790cb8afaf768ba650ee40796ccdafc535ae8d (diff)
download: samba-d34f6bb969092166c961e328229b1b05a30f6930.tar.gz
samba-d34f6bb969092166c961e328229b1b05a30f6930.tar.bz2
samba-d34f6bb969092166c961e328229b1b05a30f6930.zip
1 files changed, 4 insertions, 0 deletions
diff --git a/source3/rpc_parse/parse_spoolss.c b/source3/rpc_parse/parse_spoolss.c
index 98280ee844..936587fdf5 100644
--- a/source3/rpc_parse/parse_spoolss.c
+++ b/source3/rpc_parse/parse_spoolss.c
@@ -230,6 +230,10 @@ static BOOL smb_io_notify_option_type_data(const char *desc, SPOOL_NOTIFY_OPTION
 	if (type->count2 != type->count)
 		DEBUG(4,("What a mess, count was %x now is %x !\n", type->count, type->count2));
 
+	if (type->count2 > MAX_NOTIFY_TYPE_FOR_NOW) {
+		return False;
+	}
+
 	/* parse the option type data */
 	for(i=0;i<type->count2;i++)
 		if(!prs_uint16("fields",ps,depth,&type->fields[i]))
author	Gerald Carter <jerry@samba.org>	2007-05-14 14:23:51 +0000
committer	Gerald (Jerry) Carter <jerry@samba.org>	2007-10-10 12:22:02 -0500
commit	d34f6bb969092166c961e328229b1b05a30f6930 (patch)
tree	5cad4256a4dab7d6a7545188f877b7c78cf7c8f0 /source3/rpc_parse/parse_spoolss.c
parent	00790cb8afaf768ba650ee40796ccdafc535ae8d (diff)
download	samba-d34f6bb969092166c961e328229b1b05a30f6930.tar.gz samba-d34f6bb969092166c961e328229b1b05a30f6930.tar.bz2 samba-d34f6bb969092166c961e328229b1b05a30f6930.zip