author Andrew Tridgell <tridge@samba.org> 1998-08-28 14:35:24 +0000
committer Andrew Tridgell <tridge@samba.org> 1998-08-28 14:35:24 +0000
commit 7db45f169c33e0f3a67ba2260049226992de8bdf
tree 5fa2168d7cf87e4891d3aa4816091114d54e3c6a
parent d6a9087e7e626e6e07503dba38854b136fe70c23
nmbd would core dump if a large number of netbios aliases is set. The
problem was a buffer overflow in process_node_status_request(). This really points out a general problem is allocating MAX_DGRAM_SIZE packets on the stack in nmbd. There must be a better way.
-rw-r--r-- source/nmbd/nmbd_incomingrequests.c 5
1 files changed, 3 insertions, 2 deletions
diff --git a/source/nmbd/nmbd_incomingrequests.c b/source/nmbd/nmbd_incomingrequests.c
index 3c9438ace35..a3afbe827a2 100644
--- a/source/nmbd/nmbd_incomingrequests.c
+++ b/source/nmbd/nmbd_incomingrequests.c
@@ -341,8 +341,9 @@ subnet %s - name not found.\n", namestr(&nmb->question.question_name),
return;
}
- /* XXXX hack, we should calculate exactly how many will fit. */
- bufend = &rdata[MAX_DGRAM_SIZE] - 18;
+ /* this is not an exact calculation. the 46 is for the stats buffer
+ and the 60 is to leave room for the header etc */
+ bufend = &rdata[MAX_DGRAM_SIZE] - (18 + 46 + 60);
countptr = buf = rdata;
buf += 1;
buf0 = buf;
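Review bot: The reserve in `bufend = &rdata[MAX_DGRAM_SIZE] - (18 + 46 + 60);` is still a guessed margin, as the new comment itself says ("this is not an exact calculation"), so the overflow is pushed further away rather than ruled out. If the header or the stats buffer ever needs more than the 60 or 46 bytes assumed here, the write past the end of `rdata` can come back. I would replace the three literals with named constants or `sizeof` expressions tied to what they stand for, and say in the comment what the 18 covers, since only the 46 and the 60 are explained. It would also be safer for the code that advances `buf` to compare the space left against the size of the next entry before each write, instead of depending on one precomputed end pointer. The concern in the commit message about MAX_DGRAM_SIZE buffers on the stack is not touched by this hunk and should get its own follow-up.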