The branch, v3-2-test has been updated via e40c372e0ddf631dd9162c1fdfaaa49c29915f23 (commit) from 242fc0099cc81877d8e9630b46dfb8d4a3265d94 (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-2-test - Log ----------------------------------------------------------------- commit e40c372e0ddf631dd9162c1fdfaaa49c29915f23 Author: Gerald (Jerry) Carter <[EMAIL PROTECTED]> Date: Wed Nov 14 20:51:14 2007 -0600 Fix for CVE-2007-5398. == Subject: Remote code execution in Samba's WINS == server daemon (nmbd) when processing name == registration followed name query requests. == == CVE ID#: CVE-2007-5398 == == Versions: Samba 3.0.0 - 3.0.26a (inclusive) ... Secunia Research reported a vulnerability that allows for the execution of arbitrary code in nmbd. This defect may only be exploited when the "wins support" parameter has been enabled in smb.conf. ----------------------------------------------------------------------- Summary of changes: source/nmbd/nmbd_packets.c | 6 ++++++ 1 files changed, 6 insertions(+), 0 deletions(-) Changeset truncated at 500 lines: diff --git a/source/nmbd/nmbd_packets.c b/source/nmbd/nmbd_packets.c index d49c8ba..b78ab5b 100644 --- a/source/nmbd/nmbd_packets.c +++ b/source/nmbd/nmbd_packets.c @@ -970,6 +970,12 @@ for id %hu\n", packet_type, nmb_namestr(&orig_nmb->question.question_name), nmb->answers->ttl = ttl; if (data && len) { + if (len < 0 || len > sizeof(nmb->answers->rdata)) { + DEBUG(5,("reply_netbios_packet: " + "invalid packet len (%d)\n", + len )); + return; + } nmb->answers->rdlength = len; memcpy(nmb->answers->rdata, data, len); } -- Samba Shared Repository
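Review bot: The new bounds check inside `if (data && len)` reports the rejection only at DEBUG level 5, so an out-of-range `len` reaching reply_netbios_packet, which is the condition this fix exists for, leaves no trace at Samba's default log level. Consider logging it at level 0 or 1 so that operators running with "wins support" enabled can see it. The comparison `len > sizeof(nmb->answers->rdata)` mixes `len` (treated as signed here, given the `len < 0` test and the %d format) with a size_t. The preceding `len < 0` test keeps it correct, but an explicit `(size_t)len` cast would make the intent clear and avoid sign-compare warnings. The bare `return;` is taken after `nmb->answers->ttl = ttl;` has already run, so it is worth confirming that nothing set up earlier in the function needs to be released on this path, and a short comment noting that no reply is sent in this case would help.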