CVE-2007-6015-nmbd-send-send-mailslot-vulnerability [plain text]
Index: samba/source/nmbd/nmbd_packets.c
===================================================================
--- samba/source/nmbd/nmbd_packets.c.orig
+++ samba/source/nmbd/nmbd_packets.c
@@ -1892,6 +1892,12 @@ BOOL send_mailslot(BOOL unique, const ch
/* Setup the smb part. */
ptr -= 4; /* XXX Ugliness because of handling of tcp SMB length. */
memcpy(tmp,ptr,4);
+
+ if (smb_size + 17*2 + strlen(mailslot) + 1 + len > MAX_DGRAM_SIZE) {
+ DEBUG(0, ("send_mailslot: Cannot write beyond end of packet\n"));
+ return False;
+ }
+
set_message(ptr,17,strlen(mailslot) + 1 + len,True);
memcpy(ptr,tmp,4);
Index: samba/source/libsmb/clidgram.c
===================================================================
--- samba/source/libsmb/clidgram.c.orig
+++ samba/source/libsmb/clidgram.c
@@ -72,6 +72,12 @@ BOOL cli_send_mailslot(BOOL unique, cons
/* Setup the smb part. */
ptr -= 4; /* XXX Ugliness because of handling of tcp SMB length. */
memcpy(tmp,ptr,4);
+
+ if (smb_size + 17*2 + strlen(mailslot) + 1 + len > MAX_DGRAM_SIZE) {
+ DEBUG(0, ("cli_send_mailslot: Cannot write beyond end of packet\n"));
+ return False;
+ }
+
set_message(ptr,17,strlen(mailslot) + 1 + len,True);
memcpy(ptr,tmp,4);