Fix from Jeremy for CVE-2007-6015 (send_mailslot() buffer overrun).

author Gerald (Jerry) Carter <jerry@samba.org>

Thu, 6 Dec 2007 20:46:06 +0000 (14:46 -0600)

committer Gerald (Jerry) Carter <jerry@samba.org>

Thu, 6 Dec 2007 20:46:06 +0000 (14:46 -0600)
author Gerald (Jerry) Carter <jerry@samba.org>
Thu, 6 Dec 2007 20:46:06 +0000 (14:46 -0600)
committer Gerald (Jerry) Carter <jerry@samba.org>
Thu, 6 Dec 2007 20:46:06 +0000 (14:46 -0600)
diff --git a/source/libsmb/clidgram.c b/source/libsmb/clidgram.c

index 83ea81ddf1e86748037f4d700844dd6715a39a6e..548ace6d9e5f08e1387e99ea83700ea25bc4df80 100644 (file)
--- a/source/libsmb/clidgram.c
+++ b/source/libsmb/clidgram.c
@@ -72,6 +72,12 @@ BOOL cli_send_mailslot(BOOL unique, const char *mailslot,
         /* Setup the smb part. */
         ptr -= 4; /* XXX Ugliness because of handling of tcp SMB length. */
         memcpy(tmp,ptr,4);
+
+       if (smb_size + 17*2 + strlen(mailslot) + 1 + len > MAX_DGRAM_SIZE) {
+               DEBUG(0, ("cli_send_mailslot: Cannot write beyond end of packet\n"));
+               return False;
+       }
+
         set_message(ptr,17,strlen(mailslot) + 1 + len,True);
         memcpy(ptr,tmp,4);
author	Gerald (Jerry) Carter <jerry@samba.org>
	Thu, 6 Dec 2007 20:46:06 +0000 (14:46 -0600)
committer	Gerald (Jerry) Carter <jerry@samba.org>
	Thu, 6 Dec 2007 20:46:06 +0000 (14:46 -0600)