Fix bug #10010 - Missing integer wrap protection in EA list reading can cause server...
author: Jeremy Allison <jra@samba.org>
Thu, 11 Jul 2013 00:10:17 +0000 (17:10 -0700)
committer: Karolin Seeger <kseeger@samba.org>
Wed, 24 Jul 2013 18:47:52 +0000 (20:47 +0200)
Ensure we never wrap whilst adding client provided input.
CVE-2013-4124

Signed-off-by: Jeremy Allison <jra@samba.org>
source3/smbd/nttrans.c

index 2ca14f477d208c7bea6851a8ee555627cd18667b..25597696b0ba99455863e84fed717b7674917dde 100644 (file)
@@ -934,7 +934,19 @@ struct ea_list *read_nttrans_ea_list(TALLOC_CTX *ctx, const char *pdata, size_t
                if (next_offset == 0) {
                        break;
                }
+
+               /* Integer wrap protection for the increment. */
+               if (offset + next_offset < offset) {
+                       break;
+               }
+
                offset += next_offset;
+
+               /* Integer wrap protection for while loop. */
+               if (offset + 4 < offset) {
+                       break;
+               }
+
        }
 
        return ea_list_head;
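Review bot: the two wrap checks in this hunk, `if (offset + next_offset < offset)` and `if (offset + 4 < offset)`, are only well-defined if `offset` and `next_offset` are unsigned types (for example `size_t`, matching the `size_t` length parameter visible in the function signature); their declarations are not in the hunk, and if either is a signed integer the addition overflows with undefined behaviour and a compiler is free to drop the comparison, leaving the loop unprotected. Suggest confirming the types in the declaration, or expressing the guard without computing the wrapped sum, e.g. `if (next_offset > SIZE_MAX - offset) { break; }`, which is correct regardless of the optimizer. Minor: the comment "Integer wrap protection for while loop" would be clearer if it named the `while` condition it protects (the `offset + 4` term), since that condition is outside the hunk, and the blank line before the loop's closing brace can be dropped.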