From e40c372e0ddf631dd9162c1fdfaaa49c29915f23 Mon Sep 17 00:00:00 2001
From: "Gerald (Jerry) Carter"
Date: Wed, 14 Nov 2007 20:51:14 -0600
Subject: [PATCH] Fix for CVE-2007-5398.
== Subject: Remote code execution in Samba's WINS == server daemon (nmbd) when processing name == registration followed name query requests. == == CVE ID#: CVE-2007-5398 == == Versions: Samba 3.0.0 - 3.0.26a (inclusive) ... Secunia Research reported a vulnerability that allows for the execution of arbitrary code in nmbd. This defect may only be exploited when the "wins support" parameter has been enabled in smb.conf.
---
 source/nmbd/nmbd_packets.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/source/nmbd/nmbd_packets.c b/source/nmbd/nmbd_packets.c
index d49c8bab799..b78ab5ba7eb 100644
--- a/source/nmbd/nmbd_packets.c
+++ b/source/nmbd/nmbd_packets.c
@@ -970,6 +970,12 @@ for id %hu\n", packet_type, nmb_namestr(&orig_nmb->question.question_name),
 nmb->answers->ttl = ttl;
 if (data && len) {
+ if (len < 0 || len > sizeof(nmb->answers->rdata)) {
+ DEBUG(5,("reply_netbios_packet: "
+ "invalid packet len (%d)\n",
+ len ));
+ return;
+ }
 nmb->answers->rdlength = len;
 memcpy(nmb->answers->rdata, data, len);
 }
-- 2.11.4.GIT
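Review bot: The new length guard reports a rejected reply only at `DEBUG(5, ...)`, so at ordinary log levels an out-of-range `len` is dropped without a trace. This is the condition behind a remote code execution advisory, so a lower level such as `DEBUG(1,("reply_netbios_packet: invalid packet len (%d)\n", len));` would let operators see probing attempts; weigh that against log volume from a noisy peer. The guard also compares what appears to be a signed `len` with `sizeof`, which only works because `len < 0` is tested first; writing `(size_t)len > sizeof(nmb->answers->rdata)` would make that dependency explicit. A comment above the check, such as `/* data is caller-built; never trust len to fit rdata */`, would record that the over-long length originates in code outside this hunk. The function's start and end are outside the hunk, so whether callers are told about the early `return` cannot be confirmed from here.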