commit b14aa30006033d9dbaa8120bc419406535d620b8
Author: Gerald (Jerry) Carter
Date: Thu Dec 6 14:46:06 2007 -0600

    Fix from Jeremy for CVE-2007-6015 (send_mailslot() buffer overrun). This one fixes cli_send_mailslot() which could be called from the nmbd server code.

diff --git a/source/libsmb/clidgram.c b/source/libsmb/clidgram.c
index 83ea81d..548ace6 100644
--- a/source/libsmb/clidgram.c
+++ b/source/libsmb/clidgram.c
@@ -72,6 +72,12 @@ BOOL cli_send_mailslot(BOOL unique, const char *mailslot,
 	/* Setup the smb part. */
 	ptr -= 4; /* XXX Ugliness because of handling of tcp SMB length. */
 	memcpy(tmp,ptr,4);
+
+	if (smb_size + 17*2 + strlen(mailslot) + 1 + len > MAX_DGRAM_SIZE) {
+		DEBUG(0, ("cli_send_mailslot: Cannot write beyond end of packet\n"));
+		return False;
+	}
+
 	set_message(ptr,17,strlen(mailslot) + 1 + len,True);
 	memcpy(ptr,tmp,4);

commit 6a9610ba27f802136f1ca8a94816d552df17a166
Author: Gerald (Jerry) Carter
Date: Thu Dec 6 14:45:13 2007 -0600

    Fix from Volker for CVE-2007-6015 (send_mailslot() buffer overrun).

diff --git a/source/nmbd/nmbd_packets.c b/source/nmbd/nmbd_packets.c
index bbcc1ec..1460f7d 100644
--- a/source/nmbd/nmbd_packets.c
+++ b/source/nmbd/nmbd_packets.c
@@ -1892,6 +1892,12 @@ BOOL send_mailslot(BOOL unique, const char *mailslot,char *buf, size_t len,
 	/* Setup the smb part. */
 	ptr -= 4; /* XXX Ugliness because of handling of tcp SMB length. */
 	memcpy(tmp,ptr,4);
+
+	if (smb_size + 17*2 + strlen(mailslot) + 1 + len > MAX_DGRAM_SIZE) {
+		DEBUG(0, ("send_mailslot: Cannot write beyond end of packet\n"));
+		return False;
+	}
+
 	set_message(ptr,17,strlen(mailslot) + 1 + len,True);
 	memcpy(ptr,tmp,4);
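Review bot: The bound in the added `if` hard-codes the word count as `17*2` and recomputes `strlen(mailslot) + 1 + len` independently of the `set_message(ptr,17,...)` call two lines below, so the guard and the header it protects can silently drift apart if either is edited later. I would compute both once before the check, `const size_t body_len = strlen(mailslot) + 1 + len;` with a named constant for the word count (`#define MAILSLOT_SMB_WCT 17` or a file-level enum), and use them in both the check and `set_message`. The comparison is also against `MAX_DGRAM_SIZE` rather than the size of the buffer `ptr` actually points into; if that buffer is declared as `data[MAX_DGRAM_SIZE]` elsewhere (not visible here) the check is correct and, I believe, conservative by the 4 bytes that `ptr -= 4` steps back, but a one-line comment stating that relationship would save the next reader from re-deriving it, e.g. `/* ptr sits 4 bytes before the data buffer; smb_size counts that prefix, so this bound is conservative. */`. cli_send_mailslot's body begins before this hunk and continues after it.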
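Review bot: The new rejection path logs only a fixed string at DEBUG level 0, yet an oversized mailslot reaching this point is now the observable signature of a CVE-2007-6015 attempt, so the message should carry enough to triage it: `DEBUG(0, ("send_mailslot: Cannot write beyond end of packet (mailslot %s, len %u)\n", mailslot, (unsigned int)len));`. This check is the same expression as the one added to cli_send_mailslot() in the sibling commit; a small shared helper in a common header would keep the two bounds from diverging, though that is a follow-up rather than a blocker. send_mailslot's body begins before this hunk and continues after it, and the write this guard protects (the copy of `buf` into the packet) is outside the visible lines, so I am inferring that `len` reaches it unchanged.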