smbd: Properly protect against invalid lock data
author: Volker Lendecke <vl@samba.org>
Wed, 11 Sep 2013 12:04:58 +0000 (12:04 +0000)
committer: Jeremy Allison <jra@samba.org>
Thu, 12 Sep 2013 01:26:45 +0000 (03:26 +0200)
If someone messes with brlock.tdb and inserts an invalid record length,
this will lead to memcpy overwriting a few bytes behind malloc'ed data.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Sep 12 03:26:45 CEST 2013 on sn-devel-104

source3/locking/brlock.c

index ac54767a4853eb0b7919e4b7e6f7d5e59c5241c8..adbfc5fb6569607986d1850058c93a85448abaf9 100644 (file)
@@ -1976,6 +1976,12 @@ static struct byte_range_lock *brl_get_locks_internal(TALLOC_CTX *mem_ctx,
                data = dbwrap_record_get_value(br_lck->record);
        }
 
+       if ((data.dsize % sizeof(struct lock_struct)) != 0) {
+               DEBUG(3, ("Got invalid brlock data\n"));
+               TALLOC_FREE(br_lck);
+               return NULL;
+       }
+
        br_lck->read_only = do_read_only;
        br_lck->lock_data = NULL;
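Review bot: the DEBUG(3, ...) message in the new check gives no detail about what was wrong, so a corrupted or tampered brlock.tdb will be hard to diagnose from the log; log the offending size alongside the expected record granularity, e.g. `DEBUG(3, ("Got invalid brlock data: dsize %u not a multiple of %u\n", (unsigned)data.dsize, (unsigned)sizeof(struct lock_struct)));`. Since this condition can only arise from on-disk corruption or deliberate modification of the database, a lower (more visible) debug level than 3 is also worth considering so the event is not silently swallowed. The cleanup path itself looks right: `TALLOC_FREE(br_lck)` before `return NULL` releases the partially built context, and an empty record (dsize 0) still passes the modulo test, which matches the "no locks yet" case.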