diff options
Diffstat (limited to 'net/samba30/patches/patch-ee')
-rw-r--r-- | net/samba30/patches/patch-ee | 40 |
1 files changed, 40 insertions, 0 deletions
diff --git a/net/samba30/patches/patch-ee b/net/samba30/patches/patch-ee new file mode 100644 index 00000000000..f242b8d6f29 --- /dev/null +++ b/net/samba30/patches/patch-ee @@ -0,0 +1,40 @@ +$NetBSD: patch-ee,v 1.1.1.1 2011/12/15 22:23:24 asau Exp $ + +Patch to fix CVE-2010-2063. + +--- smbd/process.c.orig 2009-09-30 12:21:56.000000000 +0000 ++++ smbd/process.c +@@ -1159,6 +1159,7 @@ int chain_reply(char *inbuf,char *outbuf + { + static char *orig_inbuf; + static char *orig_outbuf; ++ static int orig_size; + int smb_com1, smb_com2 = CVAL(inbuf,smb_vwv0); + unsigned smb_off2 = SVAL(inbuf,smb_vwv1); + char *inbuf2, *outbuf2; +@@ -1178,6 +1179,13 @@ int chain_reply(char *inbuf,char *outbuf + /* this is the first part of the chain */ + orig_inbuf = inbuf; + orig_outbuf = outbuf; ++ orig_size = size; ++ } ++ ++ /* Validate smb_off2 */ ++ if ((smb_off2 < smb_wct - 4) || orig_size < (smb_off2 + 4 - smb_wct)) { ++ exit_server_cleanly("Bad chained packet"); ++ return -1; + } + + /* +@@ -1192,6 +1200,11 @@ int chain_reply(char *inbuf,char *outbuf + SSVAL(outbuf,smb_vwv1,smb_offset(outbuf+outsize,outbuf)); + SCVAL(outbuf,smb_vwv0,smb_com2); + ++ if (outsize <= smb_wct) { ++ exit_server_cleanly("Bad chained packet"); ++ return -1; ++ } ++ + /* remember how much the caller added to the chain, only counting stuff + after the parameter words */ + chain_size += outsize - smb_wct; |