author | Gerald (Jerry) Carter <jerry@samba.org> | 2007-11-14 20:51:14 -0600 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-11-14 20:51:14 -0600 |
commit | 089a51061b1be809f278ab4e9a741d0a44e52750 (patch) | |
tree | f2188f660a1c3ef2600a2ca4591947b3886cce56 | |
parent | 0d6560c568027ffd9899bc2dcada3ae69ec7d1a2 (diff) | |
Fix for CVE-2007-5398.
== Subject: Remote code execution in Samba's WINS
== server daemon (nmbd) when processing name
== registration followed by name query requests.
==
== CVE ID#: CVE-2007-5398
==
== Versions: Samba 3.0.0 - 3.0.26a (inclusive)
...
Secunia Research reported a vulnerability that allows for
the execution of arbitrary code in nmbd. This defect may
only be exploited when the "wins support" parameter has
been enabled in smb.conf.
-rw-r--r-- | source/nmbd/nmbd_packets.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/source/nmbd/nmbd_packets.c b/source/nmbd/nmbd_packets.c
index 87a38b9d2a1..bbcc1ecb02a 100644
--- a/source/nmbd/nmbd_packets.c
+++ b/source/nmbd/nmbd_packets.c
@@ -963,6 +963,12 @@ for id %hu\n", packet_type, nmb_namestr(&orig_nmb->question.question_name),
 nmb->answers->ttl = ttl;
 if (data && len) {
+ if (len < 0 || len > sizeof(nmb->answers->rdata)) {
+ DEBUG(5,("reply_netbios_packet: "
+ "invalid packet len (%d)\n",
+ len ));
+ return;
+ }
 nmb->answers->rdlength = len;
 memcpy(nmb->answers->rdata, data, len);
 }
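Review bot: The rejection branch of the added length check logs only at debug level 5 and records nothing but the length, so a server running at a low log level drops an oversized reply with no trace. That is the condition this CVE fix guards against, so it is worth surfacing for detection and triage. Consider a lower level and naming the queried name, e.g. `DEBUG(1,("reply_netbios_packet: invalid packet len (%d) for name %s\n", len, nmb_namestr(&orig_nmb->question.question_name)));`. The comparison `len > sizeof(nmb->answers->rdata)` is correct only because `len < 0` is tested first; writing `(size_t)len > sizeof(...)` would make that dependency explicit. reply_netbios_packet starts and ends outside this hunk, so it cannot be confirmed here whether the bare `return;` leaves the caller unaware that no reply was sent, or whether the callers that assemble `data` still build the oversized buffer.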