CVE-2007-6015-nmbd-send-send-mailslot-vulnerability   [plain text]


Index: samba/source/nmbd/nmbd_packets.c
===================================================================
--- samba/source/nmbd/nmbd_packets.c.orig
+++ samba/source/nmbd/nmbd_packets.c
@@ -1892,6 +1892,12 @@ BOOL send_mailslot(BOOL unique, const ch
 	/* Setup the smb part. */
 	ptr -= 4; /* XXX Ugliness because of handling of tcp SMB length. */
 	memcpy(tmp,ptr,4);
+
+	if (smb_size + 17*2 + strlen(mailslot) + 1 + len > MAX_DGRAM_SIZE) {
+		DEBUG(0, ("send_mailslot: Cannot write beyond end of packet\n"));
+		return False;
+	}
+
 	set_message(ptr,17,strlen(mailslot) + 1 + len,True);
 	memcpy(ptr,tmp,4);
 
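Review bot: The added guard sums `strlen(mailslot)` and `len` before comparing, so the expression is evaluated in `size_t` and could wrap past `MAX_DGRAM_SIZE` and pass for a very large `len` (or a negative one, if `len` is signed); the parameter's type and its callers are outside this hunk, so this needs confirming against the full function. Comparing by subtraction avoids the wrap: `size_t fixed = smb_size + 17*2 + strlen(mailslot) + 1;` followed by `if (fixed > MAX_DGRAM_SIZE || len > MAX_DGRAM_SIZE - fixed) {`. The literal `17` and the `strlen(mailslot) + 1 + len` expression are repeated in the `set_message()` call just below, so a shared local would keep the guard and the write it protects from drifting apart. The identical guard is added to `cli_send_mailslot()` in samba/source/libsmb/clidgram.c, and the same comment applies there. The buffer writes this check is meant to bound happen later in `send_mailslot()`, beyond the end of the hunk.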
Index: samba/source/libsmb/clidgram.c
===================================================================
--- samba/source/libsmb/clidgram.c.orig
+++ samba/source/libsmb/clidgram.c
@@ -72,6 +72,12 @@ BOOL cli_send_mailslot(BOOL unique, cons
 	/* Setup the smb part. */
 	ptr -= 4; /* XXX Ugliness because of handling of tcp SMB length. */
 	memcpy(tmp,ptr,4);
+
+	if (smb_size + 17*2 + strlen(mailslot) + 1 + len > MAX_DGRAM_SIZE) {
+	    DEBUG(0, ("cli_send_mailslot: Cannot write beyond end of packet\n"));
+	    return False;
+	}
+
 	set_message(ptr,17,strlen(mailslot) + 1 + len,True);
 	memcpy(ptr,tmp,4);