Fix for CVE-2007-5398.
[tprouty/samba.git] / source / nmbd / nmbd_packets.c
index 89362392fe7f7e92d17aad597f81e6eb77d8408e..bbcc1ecb02a53ccab4f56ca197a801468cfed6be 100644 (file)
@@ -963,6 +963,12 @@ for id %hu\n", packet_type, nmb_namestr(&orig_nmb->question.question_name),
        nmb->answers->ttl      = ttl;
   
        if (data && len) {
+               if (len < 0 || len > sizeof(nmb->answers->rdata)) {
+                       DEBUG(5,("reply_netbios_packet: "
+                               "invalid packet len (%d)\n",
+                               len ));
+                       return;
+               }
                nmb->answers->rdlength = len;
                memcpy(nmb->answers->rdata, data, len);
        }
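Review bot: The new guard on the `len` comparison mixes a signed `int` (it is printed with `%d`) with the `size_t` result of `sizeof`; it is correct only because the `len < 0` test short-circuits first, and `-Wsign-compare` will still warn on it. Making the intent explicit costs one line: `if (len < 0 || (size_t)len > sizeof(nmb->answers->rdata)) {`. A short comment above the check would also help the next reader, e.g. `/* rdata is a fixed-size array; reject before memcpy so an oversized answer cannot overrun it */`. The enclosing reply_netbios_packet body starts and ends outside this hunk, so whether `len` has already been range-checked by the caller is not visible here.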
@@ -1153,10 +1159,10 @@ mismatch with our scope (%s).\n", inet_ntoa(p->ip), scope, global_scope()));
        switch (command) {
                case ANN_HostAnnouncement:
                        debug_browse_data(buf, len);
-                       process_lm_host_announce(subrec, p, buf+1);
+                       process_lm_host_announce(subrec, p, buf+1, len > 1 ? len-1 : 0);
                        break;
                case ANN_AnnouncementRequest:
-                       process_lm_announce_request(subrec, p, buf+1);
+                       process_lm_announce_request(subrec, p, buf+1, len > 1 ? len-1 : 0);
                        break;
                default:
                        DEBUG(0,("process_lanman_packet: On subnet %s ignoring browse packet \
@@ -1899,7 +1905,7 @@ BOOL send_mailslot(BOOL unique, const char *mailslot,char *buf, size_t len,
        SSVAL(ptr,smb_vwv16,2);
        p2 = smb_buf(ptr);
        safe_strcpy_base(p2, mailslot, dgram->data, sizeof(dgram->data));
-       p2 = skip_string(p2,1);
+       p2 = skip_string(ptr,MAX_DGRAM_SIZE,p2);
   
        if (((p2+len) > dgram->data+sizeof(dgram->data)) || ((p2+len) < p2)) {
                DEBUG(0, ("send_mailslot: Cannot write beyond end of packet\n"));