don't this cause Segmentation fault against DoS attack?

Kenichi Okuyama okuyama at
Fri Jun 30 07:40:54 GMT 2000

Dear all,

I want to know one thing.
In samba-2.0.7/source/process.c:

    InBuffer = (char *)malloc(BUFFER_SIZE + SAFETY_MARGIN);
    OutBuffer = (char *)malloc(BUFFER_SIZE + SAFETY_MARGIN);

is the way to allocate InBuffer. where

smb.h:27:#define BUFFER_SIZE (0xFFFF)
smb.h:28:#define SAFETY_MARGIN 1024

is being defined. But on the other hand,

smb.h:1384: #define smb_len(buf) (PVAL(buf,3)|(PVAL(buf,2)<<8)|((PVAL(buf,1)&1)<<16))

... Which means maximum smb_len() return value can be upto

Now, if, someone wish to attack smbd, and created software that will
create SMB with length over (0xffff+1024), won't this cause smbd to
stop due to SEGMENTATION FAULT? or stepping on to memory chunk cause
some bad cracking?

or am I misreading something, and there is no problem about the

Can anybody explain to me?
Kenichi Okuyama at Tokyo Research Lab. IBM Japan.Co.

More information about the samba-technical mailing list