Bumped to live-2010.04.09, attempting to follow changes for the corresponding bump in portage. Need for bump reported by geos_one.
(Portage version: 2.2_rc67-r8/hg/Linux x86_64)
(Signed Manifest commit)
(Portage version: 2.2_rc67-r8/hg/Linux x86_64)
(Signed Manifest commit)
5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 5a1af5749a73 | Index: lib/util.c
===================================================================
RCS file: /work/cvs/tng/source/lib/util.c,v
retrieving revision 1.66
diff -u -p -r1.66 util.c
--- lib/util.c 3 Sep 2007 20:52:56 -0000 1.66
+++ lib/util.c 12 Dec 2007 23:02:28 -0000
@@ -364,10 +364,12 @@ void smb_setlen(char *buf, int len)
SCVAL(buf,7,'B');
}
-/*******************************************************************
- setup the word count and byte count for a smb message
-********************************************************************/
-int set_message(char *buf, int num_words, int num_bytes, BOOL zero)
+/**
+ * setup the word count and byte count for a smb message
+ *
+ * Returns: size of packet excluding size part itself
+ */
+size_t set_message(char *buf, unsigned char num_words, size_t num_bytes, BOOL zero)
{
if (zero)
memset(buf + smb_size, '\0', num_words * 2 + num_bytes);
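Review bot: The new header comment above `size_t set_message(char *buf, unsigned char num_words, size_t num_bytes, BOOL zero)` documents the return value but not that the function does no bounds checking of its own: with `zero` true, `memset(buf + smb_size, '\0', num_words * 2 + num_bytes)` writes the full word/byte area into `buf` before any caller-side check can run. Suggest adding to the comment ` * buf is not bounds-checked here: the caller must compare the returned size against its own buffer, and with zero == True the whole word/byte area is written unconditionally.` Because the prototype changes from `int` to `size_t` (and `num_words` to `unsigned char`), the matching declaration in the project's prototype header has to change as well; it is not part of this page, so it may simply live elsewhere in the series. The body of set_message continues past the hunk.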
Index: libsmb/namequery.c
===================================================================
RCS file: /work/cvs/tng/source/libsmb/namequery.c,v
retrieving revision 1.19
diff -u -p -r1.19 namequery.c
--- libsmb/namequery.c 17 Jul 2006 20:24:01 -0000 1.19
+++ libsmb/namequery.c 12 Dec 2007 23:02:28 -0000
@@ -871,6 +871,7 @@ BOOL lookup_pdc_name(const char *srcname
char *ptr,*p2;
char tmp[4];
int len;
+ size_t full_len;
struct sockaddr_in sock_name;
socklen_t sock_len = sizeof(sock_name);
const char *mailslot = NET_LOGON_MAILSLOT;
@@ -933,9 +934,15 @@ BOOL lookup_pdc_name(const char *srcname
/* Setup the smb part. */
ptr -= 4; /* XXX Ugliness because of handling of tcp SMB length. */
memcpy(tmp,ptr,4);
- set_message(ptr,17,17 + len,True);
+ full_len = set_message(ptr, 17, strlen(mailslot) + 1 + len, False);
memcpy(ptr,tmp,4);
+ if (full_len > MAX_DGRAM_SIZE)
+ {
+ DEBUG(0, ("%s: Possible bufferoverflow, erroring out\n", __func__));
+ return False;
+ }
+
CVAL(ptr,smb_com) = SMBtrans;
SSVAL(ptr,smb_vwv1,len);
SSVAL(ptr,smb_vwv11,len);
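Review bot: Switching the last argument from True to False in `full_len = set_message(ptr, 17, strlen(mailslot) + 1 + len, False);` drops the zeroing of the 17-word vwv area and the data area that the old call provided; the visible lines assign only smb_vwv1 and smb_vwv11, so unless `p` is cleared earlier in the function (outside the hunk) or every remaining word is set below it, the datagram can carry stale stack bytes onto the network. The identical change is made in `send_mailslot` in nmbd/nmbd_packets.c and the same remark applies there. A fix that keeps this patch's check-after-call ordering is to zero once the bound has been verified, e.g. `memset(ptr + smb_size, '\0', 17 * 2 + strlen(mailslot) + 1 + len);` right after the `if (full_len > MAX_DGRAM_SIZE)` block, or alternatively to do the size check before calling set_message so that `True` can stay. The check being replaced counted from `dgram->data` via PTR_DIFF, whereas the new one compares the SMB length alone against MAX_DGRAM_SIZE, which is only equivalent if `ptr + 4` is the start of `dgram->data`; that assignment precedes the hunk and cannot be confirmed here. `lookup_pdc_name` begins and ends outside the hunk.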
Index: nmbd/nmbd_packets.c
===================================================================
RCS file: /work/cvs/tng/source/nmbd/nmbd_packets.c,v
retrieving revision 1.18
diff -u -p -r1.18 nmbd_packets.c
--- nmbd/nmbd_packets.c 4 Dec 2007 12:57:32 -0000 1.18
+++ nmbd/nmbd_packets.c 12 Dec 2007 23:02:28 -0000
@@ -1926,6 +1926,7 @@ BOOL send_mailslot(BOOL unique, const ch
BOOL loopback_this_packet = False;
struct packet_struct p;
struct dgram_packet *dgram = &p.packet.dgram;
+ size_t full_len;
char *ptr,*p2;
char tmp[4];
@@ -1955,9 +1956,15 @@ BOOL send_mailslot(BOOL unique, const ch
/* Setup the smb part. */
ptr -= 4; /* XXX Ugliness because of handling of tcp SMB length. */
memcpy(tmp,ptr,4);
- set_message(ptr,17,17 + len,True);
+ full_len = set_message(ptr, 17, strlen(mailslot) + 1 + len, False);
memcpy(ptr,tmp,4);
+ if (full_len > MAX_DGRAM_SIZE)
+ {
+ DEBUG(0, ("%s: Possible bufferoverflow, erroring out\n", __func__));
+ return False;
+ }
+
SCVAL(ptr,smb_com,SMBtrans);
SSVAL(ptr,smb_vwv1,len);
SSVAL(ptr,smb_vwv11,len);
@@ -1969,12 +1976,6 @@ BOOL send_mailslot(BOOL unique, const ch
p2 = smb_buf(ptr);
pstrcpy(p2,mailslot);
p2 = skip_string(p2,1);
-
- if (len > (MAX_DGRAM_SIZE - PTR_DIFF(p2, dgram->data)))
- {
- DEBUG(0, ("%s: Possible bufferoverflow, erroring out\n", __func__));
- return False;
- }
memcpy(p2, buf, len);
p2 += len;