Files @ 8d5e21250f5e

Location: ohnobinki_overlay/net-fs/samba-tng/files/0.4.99/06_all_CVE-2007-4572.diff

binki
www-apps/flyspray: Added missing closing parantheses
Index: nmbd/nmbd_packets.c
===================================================================
RCS file: /work/cvs/tng/source/nmbd/nmbd_packets.c,v
retrieving revision 1.17
diff -u -p -r1.17 nmbd_packets.c
--- nmbd/nmbd_packets.c	24 Nov 2007 20:45:55 -0000	1.17
+++ nmbd/nmbd_packets.c	2 Dec 2007 22:13:49 -0000
@@ -1916,7 +1916,8 @@ BOOL listen_for_packets(BOOL run_electio
 /****************************************************************************
   Construct and send a netbios DGRAM.
 **************************************************************************/
-BOOL send_mailslot(BOOL unique, char *mailslot,char *buf,int len,
+BOOL send_mailslot(BOOL unique, const char *mailslot,
+                   const char *buf, size_t len,
                    char *srcname, int src_type,
                    char *dstname, int dest_type,
                    struct in_addr dest_ip,struct in_addr src_ip,
@@ -1969,7 +1970,12 @@ BOOL send_mailslot(BOOL unique, char *ma
   pstrcpy(p2,mailslot);
   p2 = skip_string(p2,1);
 
-  memcpy(p2,buf,len);
+  if (len > (MAX_DGRAM_SIZE - PTR_DIFF(p2, dgram->data)))
+  {
+    DEBUG(0, ("%s: Possible bufferoverflow, erroring out\n", __func__));
+    return False;
+  }
+  memcpy(p2, buf, len);
   p2 += len;
 
   dgram->datasize = PTR_DIFF(p2,ptr+4); /* +4 for tcp length. */
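Review bot: The new guard `if (len > (MAX_DGRAM_SIZE - PTR_DIFF(p2, dgram->data)))` assumes p2 is still inside the datagram buffer, but the context line `pstrcpy(p2,mailslot)` just above it copies the mailslot name with no visible comparison against the space left in dgram->data. If that copy has already carried p2 past MAX_DGRAM_SIZE, the subtraction goes negative and, compared with the now-unsigned `len`, is likely converted to a very large value, so the guard passes. I would check the offset on its own first, `size_t used = PTR_DIFF(p2, dgram->data);` followed by `if (used > MAX_DGRAM_SIZE || len > MAX_DGRAM_SIZE - used)`, and bound the mailslot copy by the same remaining space. The body of send_mailslot starts and ends outside this hunk, so an earlier check may exist that is not visible here.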
Index: nmbd/nmbd_processlogon.c
===================================================================
RCS file: /work/cvs/tng/source/nmbd/nmbd_processlogon.c,v
retrieving revision 1.12
diff -u -p -r1.12 nmbd_processlogon.c
--- nmbd/nmbd_processlogon.c	8 Feb 2005 10:52:37 -0000	1.12
+++ nmbd/nmbd_processlogon.c	2 Dec 2007 22:18:05 -0000
@@ -28,9 +28,15 @@
 #include "includes.h"
 #include "libsamba.h"
 #include "byteorder.h"
+#include "tng_misc.h"
 #include "nmbd.h"
 
 
+#define SIZE_NOSPACELEFT(buffer, buffersize, pointer, needed) \
+	(((const char *) (pointer)) \
+	>= (((const char *) (buffer)) + buffersize - needed))
+
+
 /****************************************************************************
 Send a message to smbd to do a sam delta sync
 **************************************************************************/
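Review bot: The `buffersize` and `needed` parameters of SIZE_NOSPACELEFT are used unparenthesized in `+ buffersize - needed`, so an argument that is itself an expression with lower-precedence operators would be mis-grouped. The `>=` also reports "no space" when exactly `needed` bytes remain, which is safe but deserves a comment so nobody later tightens it by accident. Suggested form: `>= (((const char *) (buffer)) + (buffersize) - (needed)))` preceded by `/* True when fewer than, or exactly, 'needed' bytes remain after 'pointer'; assumes needed <= buffersize. */`.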
@@ -46,8 +52,8 @@ static void send_repl_message(uint32 low
 Process a domain logon packet
 **************************************************************************/
 
-void process_logon_packet(struct packet_struct *p,char *buf,int len, 
-                          char *mailslot)
+void process_logon_packet(struct packet_struct *p, char *buf, size_t len,
+			  const char *mailslot)
 {
   struct dgram_packet *dgram = &p->packet.dgram;
   pstring my_name;
@@ -94,8 +100,6 @@ logons are not enabled.\n", inet_ntoa(p-
       q = skip_string(getdc,1);
       token = SVAL(q,3);
 
-      fstrcpy(reply_name,my_name); 
-
       DEBUG(3,("process_logon_packet: Domain login request from %s at IP %s user=%s token=%x\n",
              machine,inet_ntoa(p->ip),user,token));
 
@@ -105,7 +109,8 @@ logons are not enabled.\n", inet_ntoa(p-
 
       fstrcpy(reply_name, "\\\\");
       fstrcat(reply_name, my_name);
-      fstrcpy(q, reply_name); q = skip_string(q, 1); /* PDC name */
+      q += safe_strcpy(q, reply_name, sizeof(outbuf) - 2 - PTR_DIFF(q, outbuf))
+	     + 1;
 
       SSVAL(q, 0, token);
       q += 2;
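Review bot: `q += safe_strcpy(q, reply_name, sizeof(outbuf) - 2 - PTR_DIFF(q, outbuf)) + 1;` advances q by whatever safe_strcpy returns without inspecting it, and that function's contract is not shown on this page. If it can truncate or signal failure, q would no longer sit just past the terminator and the following `SSVAL(q, 0, token)` would be written at the wrong offset. It is also worth confirming whether the size argument counts the terminating NUL, because if it does not, the `- 2` reserve leaves one byte too few for the token. I would state the assumed contract in a comment, e.g. `/* safe_strcpy returns bytes copied excluding NUL; limit keeps 2 bytes for the token */`, and return early when reply_name did not fit. The same call is repeated in the hunk at -172,17.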
@@ -154,7 +159,7 @@ logons are not enabled.\n", inet_ntoa(p-
 					   get additional data - a length specificed string
 					   containing the domain name, then 16 bytes of
 					   data (no idea what it is) */
-					int dom_len = CVAL(q, 0);
+					int dom_len = CVALCONST(q, 0);
 					q++;
 					if (dom_len != 0) {
 						q += dom_len + 1;
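Review bot: `q += dom_len + 1;` is still taken for any non-zero `dom_len` read from the packet, with no comparison against `len`, whereas the parallel block in the hunk at -236,11 at least tests the remaining length. Since this commit already edits the line above, the bound belongs here too: `size_t off = PTR_DIFF(q, buf);` and `if (dom_len != 0 && off < len && (size_t)dom_len < len - off) {`. The enclosing block continues past the end of the hunk, so how q is used afterwards cannot be confirmed from here.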
@@ -172,17 +177,21 @@ logons are not enabled.\n", inet_ntoa(p-
       q += 2;
 
       fstrcpy(reply_name,my_name);
-      fstrcpy(q, reply_name);
-      q = skip_string(q, 1); /* PDC name */
+      q += safe_strcpy(q, reply_name, sizeof(outbuf) - 2 - PTR_DIFF(q, outbuf))
+	      + 1;
 
       /* PDC and domain name */
       if (!short_request)  /* Make a full reply */
       {
         q = ALIGN2(q, outbuf);
 
-        q += dos_PutUniCode(q, my_name, sizeof(pstring), True); /* PDC name */
-        q += dos_PutUniCode(q, global_myworkgroup,sizeof(pstring), True); /* Domain name*/
+        q += dos_PutUniCode(q, my_name,
+                            sizeof(outbuf) - PTR_DIFF(q, outbuf), True); /* PDC name */
+        q += dos_PutUniCode(q, global_myworkgroup,
+                            sizeof(outbuf) - PTR_DIFF(q, outbuf), True); /* Domain name*/
 
+        if (SIZE_NOSPACELEFT(outbuf, sizeof(outbuf), q, 8))
+		return;
         SIVAL(q, 0, 1); /* our nt version */
         SSVAL(q, 4, 0xffff); /* our lmnttoken */
         SSVAL(q, 6, 0xffff); /* our lm20token */
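Review bot: The new `if (SIZE_NOSPACELEFT(outbuf, sizeof(outbuf), q, 8)) return;` drops the reply without any log line, while the matching guard added to send_mailslot in nmbd_packets.c emits a level-0 DEBUG message. A name long enough to exhaust outbuf is exactly the condition an operator would want to see in the nmbd log, so I would log before returning, e.g. `DEBUG(0, ("process_logon_packet: reply does not fit in outbuf, dropping\n"));`. The identical guard in the hunk at -278,10 has the same gap. process_logon_packet starts and ends outside this hunk.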
@@ -236,11 +245,11 @@ reporting %s domain %s 0x%x ntversion=%x
 			   get additional data - a length specificed string
 			   containing the domain name, then 16 bytes of
 			   data (no idea what it is) */
-			int dom_len = CVAL(q, 0);
+			int dom_len = CVALCONST(q, 0);
 			q++;
-			if (dom_len < (len - PTR_DIFF(q, buf)) && (dom_len != 0)) {
+			if (dom_len < (len - PTR_DIFF(q, buf))
+			    && (dom_len != 0))
 				q += dom_len + 1;
-			}
 			q += 16;
 	      }
 
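Review bot: Because this commit changes `len` to `size_t`, the expression `len - PTR_DIFF(q, buf)` in `if (dom_len < (len - PTR_DIFF(q, buf))` is probably evaluated as unsigned, so once q is at or past `buf + len` it wraps to a very large value and the test passes; with the old `int len` the result would have been negative and the test would have failed. The unconditional `q += 16;` that follows is likewise not compared against `len`. I would compute the offset once and test it explicitly: `size_t off = PTR_DIFF(q, buf);` then `if (dom_len != 0 && off < len && (size_t)dom_len < len - off)`. The surrounding block begins and ends outside this hunk.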
@@ -278,10 +287,15 @@ reporting %s domain %s 0x%x ntversion=%x
       }
       q += 2;
 
-      q += dos_PutUniCode(q, reply_name,sizeof(pstring), True);
-      q += dos_PutUniCode(q, ascuser, sizeof(pstring), True);
-      q += dos_PutUniCode(q, global_myworkgroup,sizeof(pstring), True);
+      q += dos_PutUniCode(q, reply_name,
+			  sizeof(outbuf) - PTR_DIFF(q, outbuf), True);
+      q += dos_PutUniCode(q, ascuser,
+			  sizeof(outbuf) - PTR_DIFF(q, outbuf), True);
+      q += dos_PutUniCode(q, global_myworkgroup,
+			  sizeof(outbuf) - PTR_DIFF(q, outbuf), True);
 
+        if (SIZE_NOSPACELEFT(outbuf, sizeof(outbuf), q, 8))
+		return;
       /* tell the client what version we are */
       SIVAL(q, 0, 1); /* our ntversion */
       SSVAL(q, 4, 0xffff); /* our lmnttoken */ 
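Review bot: The remaining-space expression `sizeof(outbuf) - PTR_DIFF(q, outbuf)` is spelled out at each of the three dos_PutUniCode calls here (and twice more in the hunk at -172,17), and nothing confirms q is still inside outbuf before the subtraction, so a q that has run past the end would yield a huge unsigned limit. A single helper beside SIZE_NOSPACELEFT would remove the repetition and clamp that case, e.g. `#define OUTBUF_LEFT(q) (PTR_DIFF((q), outbuf) >= (ptrdiff_t)sizeof(outbuf) ? 0 : sizeof(outbuf) - PTR_DIFF((q), outbuf))`. This relies on dos_PutUniCode honouring its length argument and returning the bytes actually written, which is not visible on this page. The added guard lines are also indented deeper than the surrounding six-space statements.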
@@ -302,8 +316,9 @@ reporting %s domain %s 0x%x ntversion=%x
     /* Announce change to UAS or SAM.  Send by the domain controller when a
        replication event is required. */
 
-  case SAM_UAS_CHANGE: {
-          char *q = buf + 2;
+  case SAM_UAS_CHANGE:
+  {
+          const char *q = buf + 2;
           uint32 low_serial;
           
           /* Header */