Fix for CVE-2007-5398.
authorGerald (Jerry) Carter <jerry@samba.org>
Thu, 15 Nov 2007 02:51:14 +0000 (20:51 -0600)
committerGerald (Jerry) Carter <jerry@samba.org>
Thu, 15 Nov 2007 16:57:31 +0000 (10:57 -0600)
== Subject:     Remote code execution in Samba's WINS
==              server daemon (nmbd) when processing name
==              registration followed by name query requests.
==
== CVE ID#:     CVE-2007-5398
==
== Versions:    Samba 3.0.0 - 3.0.26a (inclusive)
...
Secunia Research reported a vulnerability that allows for
the execution of arbitrary code in nmbd.  This defect may
only be exploited when the "wins support" parameter has
been enabled in smb.conf.
(This used to be commit e40c372e0ddf631dd9162c1fdfaaa49c29915f23)

source3/nmbd/nmbd_packets.c

index d49c8bab799318ed28f316a19ada9ae111ccdb9e..b78ab5ba7eb710f734c57d04253dc088a24c400e 100644 (file)
@@ -970,6 +970,12 @@ for id %hu\n", packet_type, nmb_namestr(&orig_nmb->question.question_name),
        nmb->answers->ttl      = ttl;
 
        if (data && len) {
+               if (len < 0 || len > sizeof(nmb->answers->rdata)) {
+                       DEBUG(5,("reply_netbios_packet: "
+                               "invalid packet len (%d)\n",
+                               len ));
+                       return;
+               }
                nmb->answers->rdlength = len;
                memcpy(nmb->answers->rdata, data, len);
        }
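Review bot: The rejection of an out-of-range `len` is logged only at debug level 5, so at a default log level a reply dropped by this check leaves no trace for whoever operates the WINS server. Since this is the condition the CVE-2007-5398 fix guards, consider a more visible level, e.g. `DEBUG(1,("reply_netbios_packet: invalid packet len (%d)\n", len ));`, and including the question name, which the hunk header suggests is already formatted with `nmb_namestr(&orig_nmb->question.question_name)` in an earlier debug message. The `len > sizeof(nmb->answers->rdata)` comparison converts `len` to an unsigned type and is safe only because `len < 0` is tested first; a comment such as `/* len < 0 must be tested first: the sizeof comparison is unsigned */` would keep a later edit from reordering it. reply_netbios_packet starts and ends outside the hunk, so whether the early `return` skips any cleanup, or whether callers can tell that the reply was dropped, cannot be judged from here.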