Gentoo's Bugzilla – Attachment 137917 Details for Bug 200773: net-fs/samba < 3.0.28 send_mailslot() "SAMLOGON" Buffer overflow (CVE-2007-6015)
CVE-2007-0615.patch (text/plain), 1.70 KB, created by Robert Buchholz (RETIRED) on 2007-12-06 23:40:55 UTC
>commit b14aa30006033d9dbaa8120bc419406535d620b8 >Author: Gerald (Jerry) Carter <jerry@samba.org> >Date: Thu Dec 6 14:46:06 2007 -0600 > > Fix from Jeremy for CVE-2007-6015 (send_mailslot() buffer overrun). > > This one fixes cli_send_mailslot() which could be called from the > nmbd server code. > >diff --git a/source/libsmb/clidgram.c b/source/libsmb/clidgram.c >index 83ea81d..548ace6 100644 >--- a/source/libsmb/clidgram.c >+++ b/source/libsmb/clidgram.c >@@ -72,6 +72,12 @@ BOOL cli_send_mailslot(BOOL unique, const char *mailslot, > /* Setup the smb part. */ > ptr -= 4; /* XXX Ugliness because of handling of tcp SMB length. */ > memcpy(tmp,ptr,4); >+ >+ if (smb_size + 17*2 + strlen(mailslot) + 1 + len > MAX_DGRAM_SIZE) { >+ DEBUG(0, ("cli_send_mailslot: Cannot write beyond end of packet\n")); >+ return False; >+ } >+ > set_message(ptr,17,strlen(mailslot) + 1 + len,True); > memcpy(ptr,tmp,4); > >commit 6a9610ba27f802136f1ca8a94816d552df17a166 >Author: Gerald (Jerry) Carter <jerry@samba.org> >Date: Thu Dec 6 14:45:13 2007 -0600 > > Fix from Volker for CVE-2007-6015 (send_mailslot() buffer overrun). > >diff --git a/source/nmbd/nmbd_packets.c b/source/nmbd/nmbd_packets.c >index bbcc1ec..1460f7d 100644 >--- a/source/nmbd/nmbd_packets.c >+++ b/source/nmbd/nmbd_packets.c >@@ -1892,6 +1892,12 @@ BOOL send_mailslot(BOOL unique, const char *mailslot,char *buf, size_t len, > /* Setup the smb part. */ > ptr -= 4; /* XXX Ugliness because of handling of tcp SMB length. */ > memcpy(tmp,ptr,4); >+ >+ if (smb_size + 17*2 + strlen(mailslot) + 1 + len > MAX_DGRAM_SIZE) { >+ DEBUG(0, ("send_mailslot: Cannot write beyond end of packet\n")); >+ return False; >+ } >+ > set_message(ptr,17,strlen(mailslot) + 1 + len,True); > memcpy(ptr,tmp,4); >
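Review bot: in the source/libsmb/clidgram.c hunk, the new check compares the message size against MAX_DGRAM_SIZE as if ptr were at the start of the datagram buffer, but the context shows only `ptr -= 4` and not how far ptr already sits into that buffer. If anything has been written ahead of this point, the space left is smaller than MAX_DGRAM_SIZE and the test still admits a write past the end. Compute the limit from the space remaining after ptr (end of buffer minus ptr) rather than from the full buffer size, or add a comment stating why the full size is the right bound here.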
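Review bot: in the source/nmbd/nmbd_packets.c hunk, the sum `smb_size + 17*2 + strlen(mailslot) + 1 + len` is evaluated in size_t arithmetic (the signature declares `size_t len`), so a very large len can wrap the sum to a small value and pass the `> MAX_DGRAM_SIZE` test. Compare by subtraction instead: reject first when the fixed part plus strlen(mailslot) + 1 exceeds MAX_DGRAM_SIZE, then reject when len exceeds what remains. The expression `strlen(mailslot) + 1 + len` is also repeated in the set_message() call directly below and the whole check is duplicated in cli_send_mailslot(); a local variable for the data length, or a shared helper, would keep the check and the write from drifting apart.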