r2356: commit the changes from the 3.0.7 release that were held back until the securi...

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 73720d1f9c931d286037d19d56ac17692d0d15f8..5223fa2513b9f2e85c5cfd5296bcbfa4671d4687 100644 (file)
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -11,6 +11,8 @@ details on exact updates.
 
 Common bugs fixed in 3.0.7 include:
 
+  o Fixes for two Denial of Service vulnerabalities
+    (CVE ID# CAN-2004-0807 & CAN-2004-0808).
   o Winbind failure to return user entries under certain 
     conditions.
   o Syntax errors in the OpenLDAP schema file (samba.schema).
@@ -40,6 +42,10 @@ o   Jeremy Allison <jra@samba.org>
     * More paranoia checks in the hash2 mangling code.
     * Fix syntax error in configure.in.
     * Match Win2k3's behavior for pathname parsing error returns.
+    * Make nmbd more robust against bad netbios packets 
+      (CAN-2004-0808).
+    * Add more checks for invalid ASN.1 packets for SPNEGO packets
+      (CAN-2004-0807).
 
   
 o   Andrew Bartlett <abartlet@samba.org>  

diff --git a/source/libsmb/asn1.c b/source/libsmb/asn1.c
index ca14f3fbb7119f9877e6ced1fccd4933fb8322e6..2807b4e1d3e0e1d718be69456f46f7e9f25ba763 100644 (file)
--- a/source/libsmb/asn1.c
+++ b/source/libsmb/asn1.c
@@ -219,6 +219,9 @@ BOOL asn1_load(ASN1_DATA *data, DATA_BLOB blob)
 /* read from a ASN1 buffer, advancing the buffer pointer */
 BOOL asn1_read(ASN1_DATA *data, void *p, int len)
 {
+       if (data->has_error)
+               return False;
+
        if (len < 0 || data->ofs + len < data->ofs || data->ofs + len < len) {
                data->has_error = True;
                return False;
@@ -309,6 +312,9 @@ BOOL asn1_end_tag(ASN1_DATA *data)
 /* work out how many bytes are left in this nested tag */
 int asn1_tag_remaining(ASN1_DATA *data)
 {
+       if (data->has_error)
+               return 0;
+
        if (!data->nesting) {
                data->has_error = True;
                return -1;