authorSamba Release Account <samba-bugs@samba.org>2004-09-15 20:55:31 +0000
committerSamba Release Account <samba-bugs@samba.org>2004-09-15 20:55:31 +0000
commitf36cd948f0006d177ff67ab5bb2636d32493ce28 (patch)
tree694c2e10110f45bfb353e32503e996ada88cbfc2
parenta5e52679d86c42b308b58603517f7806494f4378 (diff)
r2356: commit the changes from the 3.0.7 release that were held back until the security announcement
-rw-r--r--WHATSNEW.txt6
-rw-r--r--source/libsmb/asn1.c6
2 files changed, 12 insertions, 0 deletions
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 73720d1f9c9..5223fa2513b 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -11,6 +11,8 @@ details on exact updates.
Common bugs fixed in 3.0.7 include:
+ o Fixes for two Denial of Service vulnerabalities
+ (CVE ID# CAN-2004-0807 & CAN-2004-0808).
o Winbind failure to return user entries under certain
conditions.
o Syntax errors in the OpenLDAP schema file (samba.schema).
@@ -40,6 +42,10 @@ o Jeremy Allison <jra@samba.org>
* More paranoia checks in the hash2 mangling code.
* Fix syntax error in configure.in.
* Match Win2k3's behavior for pathname parsing error returns.
+ * Make nmbd more robust against bad netbios packets
+ (CAN-2004-0808).
+ * Add more checks for invalid ASN.1 packets for SPNEGO packets
+ (CAN-2004-0807).
o Andrew Bartlett <abartlet@samba.org>
diff --git a/source/libsmb/asn1.c b/source/libsmb/asn1.c
index ca14f3fbb71..2807b4e1d3e 100644
--- a/source/libsmb/asn1.c
+++ b/source/libsmb/asn1.c
@@ -219,6 +219,9 @@ BOOL asn1_load(ASN1_DATA *data, DATA_BLOB blob)
/* read from a ASN1 buffer, advancing the buffer pointer */
BOOL asn1_read(ASN1_DATA *data, void *p, int len)
{
+ if (data->has_error)
+ return False;
+
if (len < 0 || data->ofs + len < data->ofs || data->ofs + len < len) {
data->has_error = True;
return False;
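Review bot: The bounds test directly below the new `has_error` guard in asn1_read, `data->ofs + len < data->ofs || data->ofs + len < len`, detects overflow only after computing the sum. If `ofs` is a signed type (its declaration is not visible in this hunk), that overflow is undefined behaviour and an optimising compiler may remove the test. Per the WHATSNEW entry this parser handles SPNEGO packets from the network, so a comparison that never forms the sum would be more robust, for example `if (len < 0 || len > data->length - data->ofs)`, assuming `length` is the buffer-size field and `ofs` never exceeds it. The function body continues past the end of the hunk, so a later length check may already cover part of this.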
@@ -309,6 +312,9 @@ BOOL asn1_end_tag(ASN1_DATA *data)
/* work out how many bytes are left in this nested tag */
int asn1_tag_remaining(ASN1_DATA *data)
{
+ if (data->has_error)
+ return 0;
+
if (!data->nesting) {
data->has_error = True;
return -1;
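Review bot: The new guard in asn1_tag_remaining returns 0 when `has_error` is already set, while the existing failure path just below it sets `has_error` and returns -1, so the function now signals an error state in two different ways. A caller that reads 0 as "tag fully consumed" cannot tell a clean end of tag from a parse that failed earlier unless it also checks `data->has_error`; the callers are not visible here, so this should be confirmed. Either make the guard consistent with `if (data->has_error) return -1;`, or keep 0 and document the choice with a comment such as `/* returns 0 after a prior error so read loops stop; callers must check has_error */`. The function body continues beyond the hunk.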