Location: ohnobinki_overlay/net-fs/samba-tng/files/0.4.99/06_all_CVE-2007-4572.diff - annotation
www-apps/flyspray: Added missing closing parantheses
Index: nmbd/nmbd_packets.c
===================================================================
RCS file: /work/cvs/tng/source/nmbd/nmbd_packets.c,v
retrieving revision 1.17
diff -u -p -r1.17 nmbd_packets.c
--- nmbd/nmbd_packets.c 24 Nov 2007 20:45:55 -0000 1.17
+++ nmbd/nmbd_packets.c 2 Dec 2007 22:13:49 -0000
@@ -1916,7 +1916,8 @@ BOOL listen_for_packets(BOOL run_electio
/****************************************************************************
Construct and send a netbios DGRAM.
**************************************************************************/
-BOOL send_mailslot(BOOL unique, char *mailslot,char *buf,int len,
+BOOL send_mailslot(BOOL unique, const char *mailslot,
+ const char *buf, size_t len,
char *srcname, int src_type,
char *dstname, int dest_type,
struct in_addr dest_ip,struct in_addr src_ip,
@@ -1969,7 +1970,12 @@ BOOL send_mailslot(BOOL unique, char *ma
pstrcpy(p2,mailslot);
p2 = skip_string(p2,1);
- memcpy(p2,buf,len);
+ if (len > (MAX_DGRAM_SIZE - PTR_DIFF(p2, dgram->data)))
+ {
+ DEBUG(0, ("%s: Possible bufferoverflow, erroring out\n", __func__));
+ return False;
+ }
+ memcpy(p2, buf, len);
p2 += len;
dgram->datasize = PTR_DIFF(p2,ptr+4); /* +4 for tcp length. */
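Review bot: The new guard before `memcpy(p2, buf, len)` compares a `size_t` against what looks like a signed difference, so it can fail open. If `PTR_DIFF(p2, dgram->data)` ever exceeds `MAX_DGRAM_SIZE` (the `pstrcpy(p2,mailslot)` just above is not bounded by the datagram size in the visible lines), the subtraction goes negative, converts to a very large unsigned value, and the `len >` test does not fire. The definitions of `PTR_DIFF` and `MAX_DGRAM_SIZE` are not visible here, so this is inferred from how they are used. Validating the offset first closes the gap: `size_t used = PTR_DIFF(p2, dgram->data);` followed by `if (used > MAX_DGRAM_SIZE || len > MAX_DGRAM_SIZE - used)`. The body of send_mailslot starts and ends outside the hunk.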
Index: nmbd/nmbd_processlogon.c
===================================================================
RCS file: /work/cvs/tng/source/nmbd/nmbd_processlogon.c,v
retrieving revision 1.12
diff -u -p -r1.12 nmbd_processlogon.c
--- nmbd/nmbd_processlogon.c 8 Feb 2005 10:52:37 -0000 1.12
+++ nmbd/nmbd_processlogon.c 2 Dec 2007 22:18:05 -0000
@@ -28,9 +28,15 @@
#include "includes.h"
#include "libsamba.h"
#include "byteorder.h"
+#include "tng_misc.h"
#include "nmbd.h"
+#define SIZE_NOSPACELEFT(buffer, buffersize, pointer, needed) \
+ (((const char *) (pointer)) \
+ >= (((const char *) (buffer)) + buffersize - needed))
+
+
/****************************************************************************
Send a message to smbd to do a sam delta sync
**************************************************************************/
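Review bot: `SIZE_NOSPACELEFT` expands `buffersize` and `needed` without parentheses, so an argument such as `a - b` would be evaluated with the wrong precedence; write `+ (buffersize) - (needed)`. The `>=` also reports "no space" when exactly `needed` bytes remain, which is safe but stricter than necessary. The macro gives a meaningful answer only while `pointer` still lies inside `buffer`. A short comment above it would record both points, for example `/* true when at most 'needed' bytes remain after pointer; pointer must be within buffer */`.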
@@ -46,8 +52,8 @@ static void send_repl_message(uint32 low
Process a domain logon packet
**************************************************************************/
-void process_logon_packet(struct packet_struct *p,char *buf,int len,
- char *mailslot)
+void process_logon_packet(struct packet_struct *p, char *buf, size_t len,
+ const char *mailslot)
{
struct dgram_packet *dgram = &p->packet.dgram;
pstring my_name;
@@ -94,8 +100,6 @@ logons are not enabled.\n", inet_ntoa(p-
q = skip_string(getdc,1);
token = SVAL(q,3);
- fstrcpy(reply_name,my_name);
-
DEBUG(3,("process_logon_packet: Domain login request from %s at IP %s user=%s token=%x\n",
machine,inet_ntoa(p->ip),user,token));
@@ -105,7 +109,8 @@ logons are not enabled.\n", inet_ntoa(p-
fstrcpy(reply_name, "\\\\");
fstrcat(reply_name, my_name);
- fstrcpy(q, reply_name); q = skip_string(q, 1); /* PDC name */
+ q += safe_strcpy(q, reply_name, sizeof(outbuf) - 2 - PTR_DIFF(q, outbuf))
+ + 1;
SSVAL(q, 0, token);
q += 2;
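Review bot: The advance in `q += safe_strcpy(q, reply_name, ...) + 1;` trusts the return value as the number of bytes written, but the hunk does not show what `safe_strcpy` returns when it truncates or fails. If it reports the source length or an error value in that case, `q` moves past the region the size argument was protecting and the following `SSVAL(q, 0, token)` writes outside `outbuf`. The size expression `sizeof(outbuf) - 2 - PTR_DIFF(q, outbuf)` also wraps to a huge value if `q` is already within two bytes of the end. Computing the room first, `size_t room = sizeof(outbuf) - PTR_DIFF(q, outbuf);` then `if (room < 3) return;`, and checking the copy result before adding it to `q` would make the bound explicit. The same pattern appears at the second PDC-name copy in the `-172,17 +177,21` hunk.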
@@ -154,7 +159,7 @@ logons are not enabled.\n", inet_ntoa(p-
get additional data - a length specificed string
containing the domain name, then 16 bytes of
data (no idea what it is) */
- int dom_len = CVAL(q, 0);
+ int dom_len = CVALCONST(q, 0);
q++;
if (dom_len != 0) {
q += dom_len + 1;
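Review bot: `dom_len` is read from the request and added to `q` after only a `dom_len != 0` test; nothing visible in this hunk compares it with the bytes remaining in `buf`, whereas the parallel block in the `-236,11 +245,11` hunk does compare against `len`. Swapping `CVAL` for `CVALCONST` leaves that gap as it was. A bound of the form `if (dom_len != 0 && (size_t)dom_len + 1 <= len - PTR_DIFF(q, buf))` before `q += dom_len + 1;` would keep later reads inside the packet, provided `q` is known to be within `buf` at that point. The enclosing block continues outside the hunk, so a check may exist further down that is not shown here.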
@@ -172,17 +177,21 @@ logons are not enabled.\n", inet_ntoa(p-
q += 2;
fstrcpy(reply_name,my_name);
- fstrcpy(q, reply_name);
- q = skip_string(q, 1); /* PDC name */
+ q += safe_strcpy(q, reply_name, sizeof(outbuf) - 2 - PTR_DIFF(q, outbuf))
+ + 1;
/* PDC and domain name */
if (!short_request) /* Make a full reply */
{
q = ALIGN2(q, outbuf);
- q += dos_PutUniCode(q, my_name, sizeof(pstring), True); /* PDC name */
- q += dos_PutUniCode(q, global_myworkgroup,sizeof(pstring), True); /* Domain name*/
+ q += dos_PutUniCode(q, my_name,
+ sizeof(outbuf) - PTR_DIFF(q, outbuf), True); /* PDC name */
+ q += dos_PutUniCode(q, global_myworkgroup,
+ sizeof(outbuf) - PTR_DIFF(q, outbuf), True); /* Domain name*/
+ if (SIZE_NOSPACELEFT(outbuf, sizeof(outbuf), q, 8))
+ return;
SIVAL(q, 0, 1); /* our nt version */
SSVAL(q, 4, 0xffff); /* our lmnttoken */
SSVAL(q, 6, 0xffff); /* our lm20token */
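Review bot: The `return;` after `SIZE_NOSPACELEFT(outbuf, sizeof(outbuf), q, 8)` drops the reply without leaving any trace, while the equivalent failure in send_mailslot is logged through `DEBUG(0, ...)`. A reply that no longer fits points to either a misconfigured name or a hostile request, and an operator would want to see either in the log. Add a line such as `DEBUG(0, ("process_logon_packet: reply does not fit in outbuf, dropping\n"));` before the return. The identical check in the `-278,10 +287,15` hunk needs the same line. The function continues outside the hunk, so whether anything must be released before returning cannot be judged from here.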
@@ -236,11 +245,11 @@ reporting %s domain %s 0x%x ntversion=%x
get additional data - a length specificed string
containing the domain name, then 16 bytes of
data (no idea what it is) */
- int dom_len = CVAL(q, 0);
+ int dom_len = CVALCONST(q, 0);
q++;
- if (dom_len < (len - PTR_DIFF(q, buf)) && (dom_len != 0)) {
+ if (dom_len < (len - PTR_DIFF(q, buf))
+ && (dom_len != 0))
q += dom_len + 1;
- }
q += 16;
}
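Review bot: With `len` now a `size_t`, `len - PTR_DIFF(q, buf)` is evaluated as unsigned (assuming `PTR_DIFF` yields a signed difference, which is not visible here). If `q` has already moved past `buf + len`, the result wraps to a huge value and the `dom_len <` test passes. The unconditional `q += 16;` that follows is not bounded at all. Establishing the offset first, with `size_t off = PTR_DIFF(q, buf);` and `if (off > len || len - off < 16) return;` ahead of the `dom_len` test, would cover both. Keeping the braces around `q += dom_len + 1;` would also make it obvious that `q += 16;` is outside the condition.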
@@ -278,10 +287,15 @@ reporting %s domain %s 0x%x ntversion=%x
}
q += 2;
- q += dos_PutUniCode(q, reply_name,sizeof(pstring), True);
- q += dos_PutUniCode(q, ascuser, sizeof(pstring), True);
- q += dos_PutUniCode(q, global_myworkgroup,sizeof(pstring), True);
+ q += dos_PutUniCode(q, reply_name,
+ sizeof(outbuf) - PTR_DIFF(q, outbuf), True);
+ q += dos_PutUniCode(q, ascuser,
+ sizeof(outbuf) - PTR_DIFF(q, outbuf), True);
+ q += dos_PutUniCode(q, global_myworkgroup,
+ sizeof(outbuf) - PTR_DIFF(q, outbuf), True);
+ if (SIZE_NOSPACELEFT(outbuf, sizeof(outbuf), q, 8))
+ return;
/* tell the client what version we are */
SIVAL(q, 0, 1); /* our ntversion */
SSVAL(q, 4, 0xffff); /* our lmnttoken */
@@ -302,8 +316,9 @@ reporting %s domain %s 0x%x ntversion=%x
/* Announce change to UAS or SAM. Send by the domain controller when a
replication event is required. */
- case SAM_UAS_CHANGE: {
- char *q = buf + 2;
+ case SAM_UAS_CHANGE:
+ {
+ const char *q = buf + 2;
uint32 low_serial;
/* Header */