[SCM] Samba Shared Repository - branch v3-2-test updated -
initial-v3-2-unstable-318-ge40c372
Gerald (Jerry) Carter
jerry at samba.org
Thu Nov 15 17:03:37 GMT 2007
The branch, v3-2-test has been updated
via e40c372e0ddf631dd9162c1fdfaaa49c29915f23 (commit)
from 242fc0099cc81877d8e9630b46dfb8d4a3265d94 (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-2-test
- Log -----------------------------------------------------------------
commit e40c372e0ddf631dd9162c1fdfaaa49c29915f23
Author: Gerald (Jerry) Carter <jerry at samba.org>
Date: Wed Nov 14 20:51:14 2007 -0600
Fix for CVE-2007-5398.
== Subject: Remote code execution in Samba's WINS
== server daemon (nmbd) when processing name
== registration followed name query requests.
==
== CVE ID#: CVE-2007-5398
==
== Versions: Samba 3.0.0 - 3.0.26a (inclusive)
...
Secunia Research reported a vulnerability that allows for
the execution of arbitrary code in nmbd. This defect may
only be exploited when the "wins support" parameter has
been enabled in smb.conf.
-----------------------------------------------------------------------
Summary of changes:
source/nmbd/nmbd_packets.c | 6 ++++++
1 files changed, 6 insertions(+), 0 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source/nmbd/nmbd_packets.c b/source/nmbd/nmbd_packets.c
index d49c8ba..b78ab5b 100644
--- a/source/nmbd/nmbd_packets.c
+++ b/source/nmbd/nmbd_packets.c
@@ -970,6 +970,12 @@ for id %hu\n", packet_type, nmb_namestr(&orig_nmb->question.question_name),
nmb->answers->ttl = ttl;
if (data && len) {
+ if (len < 0 || len > sizeof(nmb->answers->rdata)) {
+ DEBUG(5,("reply_netbios_packet: "
+ "invalid packet len (%d)\n",
+ len ));
+ return;
+ }
nmb->answers->rdlength = len;
memcpy(nmb->answers->rdata, data, len);
}
--
Samba Shared Repository
More information about the samba-cvs
mailing list