commit 089a51061b1be809f278ab4e9a741d0a44e52750
Author: Gerald (Jerry) Carter <jerry@samba.org>
Date:   Wed Nov 14 20:51:14 2007 -0600

    Fix for CVE-2007-5398.
    
    == Subject:     Remote code execution in Samba's WINS
    ==              server daemon (nmbd) when processing name
    ==              registration followed by name query requests.
    ==
    == CVE ID#:     CVE-2007-5398
    ==
    == Versions:    Samba 3.0.0 - 3.0.26a (inclusive)
    ...
    Secunia Research reported a vulnerability that allows for
    the execution of arbitrary code in nmbd.  This defect may
    only be exploited when the "wins support" parameter has
    been enabled in smb.conf.

diff --git a/source/nmbd/nmbd_packets.c b/source/nmbd/nmbd_packets.c
index 87a38b9..bbcc1ec 100644
--- a/source/nmbd/nmbd_packets.c
+++ b/source/nmbd/nmbd_packets.c
@@ -963,6 +963,12 @@ for id %hu\n", packet_type, nmb_namestr(&orig_nmb->question.question_name),
 	nmb->answers->ttl      = ttl;
   
 	if (data && len) {
+		if (len < 0 || len > sizeof(nmb->answers->rdata)) {
+			DEBUG(5,("reply_netbios_packet: "
+				"invalid packet len (%d)\n",
+				len ));
+			return;
+		}
 		nmb->answers->rdlength = len;
 		memcpy(nmb->answers->rdata, data, len);
 	}
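Review bot: The early `return` in the new length check leaves the function after `nmb->answers` is already in use (`nmb->answers->ttl = ttl;` just above). If that record is heap-allocated earlier in reply_netbios_packet, which cannot be confirmed from this hunk, the rejected path skips any later cleanup and leaks it each time; releasing it first, e.g. `SAFE_FREE(nmb->answers);` before `return;`, or jumping to the function's existing cleanup would avoid that. Separately, the rejection is logged at `DEBUG(5,...)`, which typical production log levels will not show. Because an out-of-range length is the condition this CVE fix guards against, a level such as `DEBUG(0,("reply_netbios_packet: invalid packet len (%d)\n", len));` would make it visible to operators. The function body starts and ends outside the hunk.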