Fix bug #10010 - Missing integer wrap protection in EA list reading can cause server...

[samba.git] / source3 / smbd / nttrans.c

diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
index 2ca14f477d208c7bea6851a8ee555627cd18667b..25597696b0ba99455863e84fed717b7674917dde 100644 (file)
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -934,7 +934,19 @@ struct ea_list *read_nttrans_ea_list(TALLOC_CTX *ctx, const char *pdata, size_t
                if (next_offset == 0) {
                        break;
                }
+
+               /* Integer wrap protection for the increment. */
+               if (offset + next_offset < offset) {
+                       break;
+               }
+
                offset += next_offset;
+
+               /* Integer wrap protection for while loop. */
+               if (offset + 4 < offset) {
+                       break;
+               }
+
        }
 
        return ea_list_head;