summaryrefslogtreecommitdiff
path: root/net/samba30/patches/patch-ee
diff options
context:
space:
mode:
Diffstat (limited to 'net/samba30/patches/patch-ee')
-rw-r--r--net/samba30/patches/patch-ee40
1 files changed, 40 insertions, 0 deletions
diff --git a/net/samba30/patches/patch-ee b/net/samba30/patches/patch-ee
new file mode 100644
index 00000000000..f242b8d6f29
--- /dev/null
+++ b/net/samba30/patches/patch-ee
@@ -0,0 +1,40 @@
+$NetBSD: patch-ee,v 1.1.1.1 2011/12/15 22:23:24 asau Exp $
+
+Patch to fix CVE-2010-2063.
+
+--- smbd/process.c.orig 2009-09-30 12:21:56.000000000 +0000
++++ smbd/process.c
+@@ -1159,6 +1159,7 @@ int chain_reply(char *inbuf,char *outbuf
+ {
+ static char *orig_inbuf;
+ static char *orig_outbuf;
++ static int orig_size;
+ int smb_com1, smb_com2 = CVAL(inbuf,smb_vwv0);
+ unsigned smb_off2 = SVAL(inbuf,smb_vwv1);
+ char *inbuf2, *outbuf2;
+@@ -1178,6 +1179,13 @@ int chain_reply(char *inbuf,char *outbuf
+ /* this is the first part of the chain */
+ orig_inbuf = inbuf;
+ orig_outbuf = outbuf;
++ orig_size = size;
++ }
++
++ /* Validate smb_off2 */
++ if ((smb_off2 < smb_wct - 4) || orig_size < (smb_off2 + 4 - smb_wct)) {
++ exit_server_cleanly("Bad chained packet");
++ return -1;
+ }
+
+ /*
+@@ -1192,6 +1200,11 @@ int chain_reply(char *inbuf,char *outbuf
+ SSVAL(outbuf,smb_vwv1,smb_offset(outbuf+outsize,outbuf));
+ SCVAL(outbuf,smb_vwv0,smb_com2);
+
++ if (outsize <= smb_wct) {
++ exit_server_cleanly("Bad chained packet");
++ return -1;
++ }
++
+ /* remember how much the caller added to the chain, only counting stuff
+ after the parameter words */
+ chain_size += outsize - smb_wct;