authorGerald (Jerry) Carter <jerry@samba.org>2007-11-14 20:51:14 -0600
committerGerald (Jerry) Carter <jerry@samba.org>2007-11-14 20:51:14 -0600
commit089a51061b1be809f278ab4e9a741d0a44e52750 (patch)
treef2188f660a1c3ef2600a2ca4591947b3886cce56
parent0d6560c568027ffd9899bc2dcada3ae69ec7d1a2 (diff)
Fix for CVE-2007-5398.
== Subject: Remote code execution in Samba's WINS == server daemon (nmbd) when processing name == registration followed name query requests. == == CVE ID#: CVE-2007-5398 == == Versions: Samba 3.0.0 - 3.0.26a (inclusive) ... Secunia Research reported a vulnerability that allows for the execution of arbitrary code in nmbd. This defect may only be exploited when the "wins support" parameter has been enabled in smb.conf.
-rw-r--r--source/nmbd/nmbd_packets.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/source/nmbd/nmbd_packets.c b/source/nmbd/nmbd_packets.c
index 87a38b9d2a1..bbcc1ecb02a 100644
--- a/source/nmbd/nmbd_packets.c
+++ b/source/nmbd/nmbd_packets.c
@@ -963,6 +963,12 @@ for id %hu\n", packet_type, nmb_namestr(&orig_nmb->question.question_name),
nmb->answers->ttl = ttl;
if (data && len) {
+ if (len < 0 || len > sizeof(nmb->answers->rdata)) {
+ DEBUG(5,("reply_netbios_packet: "
+ "invalid packet len (%d)\n",
+ len ));
+ return;
+ }
nmb->answers->rdlength = len;
memcpy(nmb->answers->rdata, data, len);
}
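Review bot: The added bounds check compares `len`, apparently a signed int (it is printed with `%d`), against `sizeof(nmb->answers->rdata)`, a `size_t`, so the comparison is only correct because `len < 0` is tested first. An explicit cast, `if (len < 0 || (size_t)len > sizeof(nmb->answers->rdata)) {`, keeps it correct if the conditions are ever reordered and avoids sign-compare warnings. The rejection is logged at `DEBUG(5, ...)`, so at a typical log level the oversized reply behind CVE-2007-5398 is dropped without trace; a lower level such as `DEBUG(1, ...)` would make it visible to operators. The check guards only this `memcpy`; the callers that build `data`/`len` are outside the hunk and presumably still produce the oversized buffer, so confirm whether they should bound the data rather than have the reply silently discarded. reply_netbios_packet's body starts and ends outside the hunk.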