
Location: ohnobinki_overlay/net-fs/samba-tng/files/0.4.99/07_all_CVE-2007-6015.diff

binki
Bumped to live-2010.04.09, attempting to follow changes for the corresponding bump in portage. Need for bump reported by geos_one.
(Portage version: 2.2_rc67-r8/hg/Linux x86_64)
(Signed Manifest commit)
Index: lib/util.c
===================================================================
RCS file: /work/cvs/tng/source/lib/util.c,v
retrieving revision 1.66
diff -u -p -r1.66 util.c
--- lib/util.c	3 Sep 2007 20:52:56 -0000	1.66
+++ lib/util.c	12 Dec 2007 23:02:28 -0000
@@ -364,10 +364,12 @@ void smb_setlen(char *buf, int len)
 	SCVAL(buf,7,'B');
 }
 
-/*******************************************************************
-  setup the word count and byte count for a smb message
-********************************************************************/
-int set_message(char *buf, int num_words, int num_bytes, BOOL zero)
+/**
+ * setup the word count and byte count for a smb message
+ *
+ * Returns: size of packet excluding size part itself
+ */
+size_t set_message(char *buf, unsigned char num_words, size_t num_bytes, BOOL zero)
 {
 	if (zero)
 		memset(buf + smb_size, '\0', num_words * 2 + num_bytes);
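Review bot: The memset on the last line of the hunk still writes `num_words * 2 + num_bytes` bytes starting at `buf + smb_size` without knowing the size of `buf`, so the new size_t return value only protects callers that pass `zero` as False and compare the result with their buffer afterwards, which is what the two callers changed in this patch do; any remaining caller that passes True with an unchecked `num_bytes` overflows before it can inspect the return. The new header comment should state that contract, e.g. `* Note: buf must hold smb_size + num_words * 2 + num_bytes bytes; with zero == True that region is written before the size is returned, so callers must bound num_bytes first.` set_message's body continues past the end of the hunk.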
Index: libsmb/namequery.c
===================================================================
RCS file: /work/cvs/tng/source/libsmb/namequery.c,v
retrieving revision 1.19
diff -u -p -r1.19 namequery.c
--- libsmb/namequery.c	17 Jul 2006 20:24:01 -0000	1.19
+++ libsmb/namequery.c	12 Dec 2007 23:02:28 -0000
@@ -871,6 +871,7 @@ BOOL lookup_pdc_name(const char *srcname
 	char *ptr,*p2;
 	char tmp[4];
 	int len;
+	size_t full_len;
 	struct sockaddr_in sock_name;
 	socklen_t sock_len = sizeof(sock_name);
 	const char *mailslot = NET_LOGON_MAILSLOT;
@@ -933,9 +934,15 @@ BOOL lookup_pdc_name(const char *srcname
 	/* Setup the smb part. */
 	ptr -= 4; /* XXX Ugliness because of handling of tcp SMB length. */
 	memcpy(tmp,ptr,4);
-	set_message(ptr,17,17 + len,True);
+	full_len = set_message(ptr, 17, strlen(mailslot) + 1 + len, False);
 	memcpy(ptr,tmp,4);
 
+	if (full_len > MAX_DGRAM_SIZE)
+	{
+		DEBUG(0, ("%s: Possible bufferoverflow, erroring out\n", __func__));
+		return False;
+	}
+
 	CVAL(ptr,smb_com) = SMBtrans;
 	SSVAL(ptr,smb_vwv1,len);
 	SSVAL(ptr,smb_vwv11,len);
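Review bot: The bound on the added line compares `full_len`, which set_message measures from `ptr`, against MAX_DGRAM_SIZE alone, whereas the check this patch deletes from send_mailslot in nmbd_packets.c subtracted `PTR_DIFF(p2, dgram->data)`; if `ptr` sits some bytes into the destination buffer (the SMB part is built after a mailslot/datagram prefix, which is not visible here), the new test admits that many bytes more than the buffer holds. Subtracting the offset of `ptr` within the buffer, as the old check did with `p2`, keeps the bound tight, e.g. `if (full_len > MAX_DGRAM_SIZE - PTR_DIFF(ptr, dgram->data))` in send_mailslot and the equivalent base pointer here. The same pattern is in the nmbd_packets.c hunk at `@@ -1955,9 +1956,15 @@`. lookup_pdc_name begins before this hunk and continues after it.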
Index: nmbd/nmbd_packets.c
===================================================================
RCS file: /work/cvs/tng/source/nmbd/nmbd_packets.c,v
retrieving revision 1.18
diff -u -p -r1.18 nmbd_packets.c
--- nmbd/nmbd_packets.c	4 Dec 2007 12:57:32 -0000	1.18
+++ nmbd/nmbd_packets.c	12 Dec 2007 23:02:28 -0000
@@ -1926,6 +1926,7 @@ BOOL send_mailslot(BOOL unique, const ch
   BOOL loopback_this_packet = False;
   struct packet_struct p;
   struct dgram_packet *dgram = &p.packet.dgram;
+  size_t full_len;
   char *ptr,*p2;
   char tmp[4];
 
@@ -1955,9 +1956,15 @@ BOOL send_mailslot(BOOL unique, const ch
   /* Setup the smb part. */
   ptr -= 4; /* XXX Ugliness because of handling of tcp SMB length. */
   memcpy(tmp,ptr,4);
-  set_message(ptr,17,17 + len,True);
+  full_len = set_message(ptr, 17, strlen(mailslot) + 1 + len, False);
   memcpy(ptr,tmp,4);
 
+  if (full_len > MAX_DGRAM_SIZE)
+  {
+    DEBUG(0, ("%s: Possible bufferoverflow, erroring out\n", __func__));
+    return False;
+  }
+
   SCVAL(ptr,smb_com,SMBtrans);
   SSVAL(ptr,smb_vwv1,len);
   SSVAL(ptr,smb_vwv11,len);
@@ -1969,12 +1976,6 @@ BOOL send_mailslot(BOOL unique, const ch
   p2 = smb_buf(ptr);
   pstrcpy(p2,mailslot);
   p2 = skip_string(p2,1);
-
-  if (len > (MAX_DGRAM_SIZE - PTR_DIFF(p2, dgram->data)))
-  {
-    DEBUG(0, ("%s: Possible bufferoverflow, erroring out\n", __func__));
-    return False;
-  }
   memcpy(p2, buf, len);
   p2 += len;