parent: 81aa6c3
Fix bug #10010 - Missing integer wrap protection in EA list reading can cause server...
author Jeremy Allison <jra@samba.org> Thu, 11 Jul 2013 00:10:17 +0000 (17:10 -0700)
committer Karolin Seeger <kseeger@samba.org> Wed, 24 Jul 2013 18:47:52 +0000 (20:47 +0200)
Ensure we never wrap whilst adding client provided input.
CVE-2013-4124
Signed-off-by: Jeremy Allison <jra@samba.org>
source3/smbd/nttrans.c
diff --git
a/source3/smbd/nttrans.c
b/source3/smbd/nttrans.c
index 2ca14f477d208c7bea6851a8ee555627cd18667b..25597696b0ba99455863e84fed717b7674917dde 100644
(file)
--- a/
source3/smbd/nttrans.c
+++ b/
source3/smbd/nttrans.c
@@
-934,7
+934,19
@@
struct ea_list *read_nttrans_ea_list(TALLOC_CTX *ctx, const char *pdata, size_t
if (next_offset == 0) {
break;
}
if (next_offset == 0) {
break;
}
+
+ /* Integer wrap protection for the increment. */
+ if (offset + next_offset < offset) {
+ break;
+ }
+
offset += next_offset;
offset += next_offset;
+
+ /* Integer wrap protection for while loop. */
+ if (offset + 4 < offset) {
+ break;
+ }
+
}
return ea_list_head;
}
return ea_list_head;
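Review bot: Both new wrap checks in `read_nttrans_ea_list()` exit with `break`, so control falls through to `return ea_list_head;` and the caller receives the entries parsed so far, exactly as it does when `next_offset == 0` marks a normal end of list. A `next_offset` large enough to wrap `offset` is malformed client input, not a terminator, so consider freeing the partial list and returning NULL there so the request is rejected rather than processed on a truncated EA list. Two smaller points: the tests `offset + next_offset < offset` and `offset + 4 < offset` are only well defined if both operands are unsigned, and the declarations are outside this hunk, so please confirm the types (or compare `next_offset` against the remaining buffer length instead of adding first). The literal `4` in the second check mirrors a loop condition that is not visible here; the comment should say what those 4 bytes are so the two stay in step if the loop bound changes.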