
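--- a/source/libsmb/clidgram.c
+++ b/source/libsmb/clidgram.c
@@ -72,6 +72,12 @@ BOOL cli_send_mailslot(BOOL unique, const char *mailslot,
 	/* Setup the smb part. */
 	ptr -= 4; /* XXX Ugliness because of handling of tcp SMB length. */
 	memcpy(tmp,ptr,4);
+
+	if (smb_size + 17*2 + strlen(mailslot) + 1 + len > MAX_DGRAM_SIZE) {
+		DEBUG(0, ("cli_send_mailslot: Cannot write beyond end of packet\n"));
+		return False;
+	}
+
 	set_message(ptr,17,strlen(mailslot) + 1 + len,True);
 	memcpy(ptr,tmp,4);
 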
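Review bot: The new guard adds `smb_size + 17*2 + strlen(mailslot) + 1 + len` before comparing with `MAX_DGRAM_SIZE`, and because `strlen()` returns `size_t` the sum is unsigned and can wrap for a very large `len`, which would let an oversized request pass the check. The `send_mailslot` signature in the nmbd_packets.c hunk shows `len` as `size_t`; its type in `cli_send_mailslot` is not visible here. Comparing against the remaining space avoids the wrap, e.g. `size_t hdr = smb_size + 17*2 + strlen(mailslot) + 1;` then `if (hdr > MAX_DGRAM_SIZE || len > MAX_DGRAM_SIZE - hdr) {`. Whether any caller can actually supply such a length cannot be told from these hunks, so treat this as hardening. The same expression is used in the nmbd_packets.c hunk, and both function bodies continue outside the hunks.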
78
   Fix from Volker for CVE-2007-6015 (send_mailslot() buffer overrun).
84
   Fix from Volker for CVE-2007-6015 (send_mailslot() buffer overrun).
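--- a/source/nmbd/nmbd_packets.c
+++ b/source/nmbd/nmbd_packets.c
@@ -1892,6 +1892,12 @@ BOOL send_mailslot(BOOL unique, const char *mailslot,char *buf, size_t len,
 	/* Setup the smb part. */
 	ptr -= 4; /* XXX Ugliness because of handling of tcp SMB length. */
 	memcpy(tmp,ptr,4);
+
+	if (smb_size + 17*2 + strlen(mailslot) + 1 + len > MAX_DGRAM_SIZE) {
+		DEBUG(0, ("send_mailslot: Cannot write beyond end of packet\n"));
+		return False;
+	}
+
 	set_message(ptr,17,strlen(mailslot) + 1 + len,True);
 	memcpy(ptr,tmp,4);
 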
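Review bot: The rejection path logs only the fixed string `send_mailslot: Cannot write beyond end of packet`, so an operator who sees this level-0 message cannot tell how large the rejected request was. The patch description ties this guard to CVE-2007-6015, so a hit is worth investigating, and logging the sizes would help, e.g. `DEBUG(0, ("send_mailslot: Cannot write beyond end of packet (mailslot len %u, data len %u)\n", (unsigned int)strlen(mailslot), (unsigned int)len));`. A short comment noting that `17*2` corresponds to the 17 words passed to `set_message` would also make the bound easier to audit. The function body continues outside the hunk.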
