Multiple heap-based buffer overflows in the NDR parsing in smbd in Samba 3.0.0 through 3.0.25rc3 allow remote attackers to execute arbitrary code via crafted MS-RPC requests involving (1) DFSEnum (netdfsiodfsEnumInfod), (2) RFNPCNEX (smbionotifyoptiontypedata), (3) LsarAddPrivilegesToAccount (lsaioprivilegeset), (4) NetSetFileSecurity (secioacl), or (5) LsarLookupSids/LsarLookupSids2 (lsaiotrans_names).