Fix for CVE-2007-5398.
authorGerald (Jerry) Carter <jerry@samba.org>
Thu, 15 Nov 2007 02:51:14 +0000 (20:51 -0600)
committerGerald (Jerry) Carter <jerry@samba.org>
Thu, 15 Nov 2007 16:47:22 +0000 (10:47 -0600)
== Subject:     Remote code execution in Samba's WINS
==              server daemon (nmbd) when processing name
==              registration followed by name query requests.
==
== CVE ID#:     CVE-2007-5398
==
== Versions:    Samba 3.0.0 - 3.0.26a (inclusive)
...
Secunia Research reported a vulnerability that allows for
the execution of arbitrary code in nmbd.  This defect may
only be exploited when the "wins support" parameter has
been enabled in smb.conf.

source/nmbd/nmbd_packets.c

index 87a38b9d2a161eca7003aaf4e619d4ce70f4f600..bbcc1ecb02a53ccab4f56ca197a801468cfed6be 100644 (file)
@@ -963,6 +963,12 @@ for id %hu\n", packet_type, nmb_namestr(&orig_nmb->question.question_name),
        nmb->answers->ttl      = ttl;
   
        if (data && len) {
+               if (len < 0 || len > sizeof(nmb->answers->rdata)) {
+                       DEBUG(5,("reply_netbios_packet: "
+                               "invalid packet len (%d)\n",
+                               len ));
+                       return;
+               }
                nmb->answers->rdlength = len;
                memcpy(nmb->answers->rdata, data, len);
        }
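Review bot: The new length check logs the rejected packet at `DEBUG(5, ...)`, so at commonly used log levels an out-of-range `len` leaves no trace, even though this is the condition the fix exists to catch. I would log it at a level operators actually run with, e.g. `DEBUG(1,("reply_netbios_packet: invalid packet len (%d)\n", len));`. The added `return` also exits before whatever follows the `memcpy`, and the enclosing function (reply_netbios_packet, going by the log message) starts and ends outside this hunk. If `nmb->answers` is heap-allocated earlier in that function, each rejected packet would leak it, so it should be freed before returning; this needs confirming against the full function. A one-line comment above the check, such as `/* rdata is a fixed-size buffer: reject any len that does not fit before copying */`, would record why the guard must stay.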