diff options
author | Timur I. Bakeyev <timur@FreeBSD.org> | 2010-06-18 13:30:22 +0000 |
---|---|---|
committer | Timur I. Bakeyev <timur@FreeBSD.org> | 2010-06-18 13:30:22 +0000 |
commit | a0562925b70a13580cb009882f5761dabc60390e (patch) | |
tree | 95ae3596f86369e4d5ecefb614449ff47f5a2e7a /net/samba3/files | |
parent | fb01ad6be52efe4c8c1fb1cec84977646c0436af (diff) | |
download | ports-a0562925b70a13580cb009882f5761dabc60390e.tar.gz ports-a0562925b70a13580cb009882f5761dabc60390e.zip |
Notes
Diffstat (limited to 'net/samba3/files')
-rw-r--r-- | net/samba3/files/CVE-2010-2063_samba-3.0.patch | 38 |
1 files changed, 38 insertions, 0 deletions
diff --git a/net/samba3/files/CVE-2010-2063_samba-3.0.patch b/net/samba3/files/CVE-2010-2063_samba-3.0.patch new file mode 100644 index 000000000000..5a55a1416dad --- /dev/null +++ b/net/samba3/files/CVE-2010-2063_samba-3.0.patch @@ -0,0 +1,38 @@ +diff --git a/source/smbd/process.c b/source/smbd/process.c +index e861e16..6499bc7 100644 +--- smbd/process.c ++++ smbd/process.c +@@ -1159,6 +1159,7 @@ int chain_reply(char *inbuf,char *outbuf,int size,int bufsize) + { + static char *orig_inbuf; + static char *orig_outbuf; ++ static int orig_size; + int smb_com1, smb_com2 = CVAL(inbuf,smb_vwv0); + unsigned smb_off2 = SVAL(inbuf,smb_vwv1); + char *inbuf2, *outbuf2; +@@ -1178,6 +1179,13 @@ int chain_reply(char *inbuf,char *outbuf,int size,int bufsize) + /* this is the first part of the chain */ + orig_inbuf = inbuf; + orig_outbuf = outbuf; ++ orig_size = size; ++ } ++ ++ /* Validate smb_off2 */ ++ if ((smb_off2 < smb_wct - 4) || orig_size < (smb_off2 + 4 - smb_wct)) { ++ exit_server_cleanly("Bad chained packet"); ++ return -1; + } + + /* +@@ -1192,6 +1200,11 @@ int chain_reply(char *inbuf,char *outbuf,int size,int bufsize) + SSVAL(outbuf,smb_vwv1,smb_offset(outbuf+outsize,outbuf)); + SCVAL(outbuf,smb_vwv0,smb_com2); + ++ if (outsize <= smb_wct) { ++ exit_server_cleanly("Bad chained packet"); ++ return -1; ++ } ++ + /* remember how much the caller added to the chain, only counting stuff + after the parameter words */ + chain_size += outsize - smb_wct; |