From 9e733924d9119a3a7a8b755557ffe458dda96d63 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Thu, 13 Dec 2007 16:44:24 -0800
Subject: Arg. The fix for CVE-2007-6015 hadn't been merged into 3.2. Do so now.... Jeremy. (This used to be commit 6b1246c29a0241c8e4bb98d659d847d010826b36)
---
source3/libsmb/clidgram.c | 6 ++++++
source3/nmbd/nmbd_packets.c | 6 ++++++
2 files changed, 12 insertions(+)
(limited to 'source3')
diff --git a/source3/libsmb/clidgram.c b/source3/libsmb/clidgram.c
index 82f874f383..76630bd504 100644
--- a/source3/libsmb/clidgram.c
+++ b/source3/libsmb/clidgram.c
@@ -75,6 +75,12 @@ bool cli_send_mailslot(struct messaging_context *msg_ctx, /* Setup the smb part. */ ptr -= 4; /* XXX Ugliness because of handling of tcp SMB length. */ memcpy(tmp,ptr,4); + + if (smb_size + 17*2 + strlen(mailslot) + 1 + len > MAX_DGRAM_SIZE) { + DEBUG(0, ("cli_send_mailslot: Cannot write beyond end of packet\n")); + return False; + } + + set_message(ptr,17,strlen(mailslot) + 1 + len,True); memcpy(ptr,tmp,4);
diff --git a/source3/nmbd/nmbd_packets.c b/source3/nmbd/nmbd_packets.c
index b78ab5ba7e..349d36ce70 100644
--- a/source3/nmbd/nmbd_packets.c
+++ b/source3/nmbd/nmbd_packets.c
@@ -1918,6 +1918,12 @@ bool send_mailslot(bool unique, const char *mailslot,char *buf, size_t len, /* Setup the smb part. */ ptr -= 4; /* XXX Ugliness because of handling of tcp SMB length. */ memcpy(tmp,ptr,4); + + if (smb_size + 17*2 + strlen(mailslot) + 1 + len > MAX_DGRAM_SIZE) { + DEBUG(0, ("send_mailslot: Cannot write beyond end of packet\n")); + return false; + } + + set_message(ptr,17,strlen(mailslot) + 1 + len,True); memcpy(ptr,tmp,4);
-- cgit
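Review bot: The new bound in cli_send_mailslot adds `len` into the sum before comparing it with MAX_DGRAM_SIZE, so an extremely large `len` could wrap the unsigned arithmetic and pass the check. The same expression appears in send_mailslot in nmbd_packets.c, where the hunk header shows `len` is a `size_t`; the type of `len` in cli_send_mailslot is not visible here. Comparing against the remaining space avoids the wrap: `if (len > MAX_DGRAM_SIZE || smb_size + 17*2 + strlen(mailslot) + 1 > MAX_DGRAM_SIZE - len) {`. Whether any caller can actually pass such a length is not visible in the hunk, and both function bodies start and end outside it. The `17*2` word-count term and the `strlen(mailslot) + 1 + len` byte count are repeated in the set_message call on the next line, so a short comment such as `/* 17 parameter words + mailslot name incl. NUL + payload */` would help keep the two in step.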
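Review bot: The rejection path in send_mailslot logs a fixed string and leaves out the sizes that caused the refusal, which makes an oversized-datagram event hard to triage from the nmbd log alone. Something like `DEBUG(0, ("send_mailslot: %u byte payload for mailslot %s exceeds MAX_DGRAM_SIZE\n", (unsigned int)len, mailslot));` would record what was rejected. If this path can be reached from network input, which the hunk does not show, a level-0 message per packet can also fill the log, so a higher debug level or rate limiting may be worth considering. The function body continues outside the hunk.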