Samba 2.2.8 之前的版本在 trans2.c 的 call_trans2open() 中存在基于栈的缓冲区溢出漏洞:客户端可控的文件名被拷贝进固定大小(PSTRING_LEN = 1024 字节)的 pstring 局部缓冲区,而拷贝长度从未与缓冲区大小比较。具体如下:
smb.h
--------------------------------------------------------------------------------
/* Fixed-size string buffer type.  A pstring is a plain 1024-byte char
 * array; declared as a local (as fname is in call_trans2open below) it
 * lives on the stack, and nothing in the type itself bounds writes into
 * it -- callers must check lengths against PSTRING_LEN (or sizeof the
 * array) themselves. */
#define PSTRING_LEN 1024
typedef char pstring[PSTRING_LEN];
--------------------------------------------------------------------------------
trans2.c
--------------------------------------------------------------------------------
/*
 * Excerpt of the vulnerable TRANS2 open handler (Samba < 2.2.8).
 * "……" marks code elided by the write-up; only the lines relevant to
 * the overflow are shown.
 */
static int call_trans2open(connection_struct *conn, char *inbuf, char *outbuf,
int bufsize,
char **pparams, char **ppdata)
{
……
/* NOTE(review): "¶ms" is an HTML-entity mangling of "&params" ("&para" -> ¶);
 * read as: char *pname = &params[28];  -- a pointer into the client-supplied
 * request parameter block (presumably *pparams; its declaration is elided). */
char *pname = ¶ms[28];
/* Length comes straight from client data: strlen() scans the request
 * buffer until the first NUL with no upper bound, and the result is then
 * truncated to a 16-bit int16. */
int16 namelen = strlen(pname)+1;
/* Fixed 1024-byte (PSTRING_LEN) automatic buffer on the stack. */
pstring fname;
……
/* namelen is never compared against sizeof(fname).  StrnCpy copies up to
 * namelen bytes and then writes one more terminator, so a client-supplied
 * name of 1023 or more bytes already writes past the end of fname; a longer
 * name overwrites the stack beyond it (stack-based buffer overflow). */
StrnCpy(fname,pname,namelen);
……
}
--------------------------------------------------------------------------------
util_str.c
--------------------------------------------------------------------------------
/*
 * StrnCpy: bounded string copy that always NUL-terminates.
 *
 * Copies at most n bytes of src into dest, stopping after the first NUL
 * copied, then writes a terminating NUL at the position following the
 * last byte copied.  Note the contract this implies: when src is n bytes
 * or longer, dest[n] is written, so dest must have room for n + 1 bytes
 * (pass n as one less than the buffer size).  When src is shorter than
 * n, two NULs end up in dest (the copied one and the explicit one).
 * The function does not know the size of dest; bounding n is entirely
 * the caller's responsibility.
 *
 * dest: destination buffer with room for n + 1 bytes; NULL -> returns NULL.
 * src:  source string; NULL -> dest becomes the empty string.
 * n:    maximum number of bytes copied from src.
 * Returns dest (or NULL when dest is NULL).
 */
char *StrnCpy(char *dest,const char *src,size_t n)
{
	size_t i = 0;

	if (dest == NULL) {
		return NULL;
	}
	if (src == NULL) {
		dest[0] = '\0';
		return dest;
	}

	/* Copy up to n bytes; a copied NUL ends the copy early. */
	while (i < n) {
		char c = src[i];
		dest[i++] = c;
		if (c == '\0') {
			break;
		}
	}
	/* Unconditional terminator, one past the last byte copied. */
	dest[i] = '\0';
	return dest;
}
--------------------------------------------------------------------------------
trans2.c
--------------------------------------------------------------------------------
/*
 * Signature only -- the body is not shown in this write-up.  Apparently the
 * SMB TRANS2 request handler that dispatches to call_trans2open() above with
 * the client-supplied parameter block; verify against the full trans2.c.
 */
int reply_trans2(connection_struct *conn,
char *inbuf,char *outbuf,int length,int bufsize)
--------------------------------------------------------------------------------
pname 指向客户端发送的 trans2 open 请求参数区(params 偏移 28 处),其内容和长度完全由客户端控制:strlen(pname) 本身就在请求缓冲区中无界扫描直到遇到 NUL,namelen 直接取 strlen(pname)+1(并被截断为 16 位),从未与 PSTRING_LEN(1024)或 sizeof(fname) 比较;而 StrnCpy 在拷贝最多 n 个字节后还会再写入一个终止符,因此文件名只要达到 1023 字节就已越过 fname 末尾,更长的文件名则按超出的长度覆盖栈上 fname 之后的相邻数据,造成栈缓冲区溢出。