(parent: 6a9610b)
Fix from Jeremy for CVE-2007-6015 (send_mailslot() buffer overrun).
author Gerald (Jerry) Carter <jerry@samba.org> Thu, 6 Dec 2007 20:46:06 +0000 (14:46 -0600)
committer Gerald (Jerry) Carter <jerry@samba.org> Thu, 6 Dec 2007 20:46:06 +0000 (14:46 -0600)
This one fixes cli_send_mailslot() which could be called from the
nmbd server code.
source/libsmb/clidgram.c
diff --git
a/source/libsmb/clidgram.c
b/source/libsmb/clidgram.c
index 83ea81ddf1e86748037f4d700844dd6715a39a6e..548ace6d9e5f08e1387e99ea83700ea25bc4df80 100644
(file)
--- a/
source/libsmb/clidgram.c
+++ b/
source/libsmb/clidgram.c
@@
-72,6
+72,12
@@
BOOL cli_send_mailslot(BOOL unique, const char *mailslot,
/* Setup the smb part. */
ptr -= 4; /* XXX Ugliness because of handling of tcp SMB length. */
memcpy(tmp,ptr,4);
+
+ if (smb_size + 17*2 + strlen(mailslot) + 1 + len > MAX_DGRAM_SIZE) {
+ DEBUG(0, ("cli_send_mailslot: Cannot write beyond end of packet\n"));
+ return False;
+ }
+
set_message(ptr,17,strlen(mailslot) + 1 + len,True);
memcpy(ptr,tmp,4);
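Review bot: the new bounds check and the set_message() call right after it each spell out the same size independently (the word count 17 as a bare literal, and strlen(mailslot) + 1 + len as the byte count), so a later edit to one can leave the other stale and reopen the overrun. Compute the byte count once into a local before the check, give the word count a named constant, and use both in the `if` and in `set_message(ptr,17,...)` so the guard and the write cannot drift apart. The sum also mixes strlen(), which is a size_t, with len, whose declaration is outside this hunk; it is worth confirming that a negative or very large len cannot make the expression wrap to a value below MAX_DGRAM_SIZE. Finally, the DEBUG(0) message reports the failure without the values that caused it; logging the mailslot name length and len would make a rejected datagram diagnosable from the nmbd log.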