Fix bug #10010 - Missing integer wrap protection in EA list reading can cause server...
author Jeremy Allison <jra@samba.org>
Thu, 11 Jul 2013 00:10:17 +0000 (17:10 -0700)
committer Karolin Seeger <kseeger@samba.org>
Fri, 2 Aug 2013 18:02:34 +0000 (20:02 +0200)
Ensure we never wrap whilst adding client provided input.

Signed-off-by: Jeremy Allison <jra@samba.org>
source3/smbd/nttrans.c

index 54e475d6143cd9da555dc8c316a7958a0c749e36..f70fb36964e0d971f9a45ce635a380e1ba115c18 100644 (file)
@@ -993,7 +993,19 @@ struct ea_list *read_nttrans_ea_list(TALLOC_CTX *ctx, const char *pdata, size_t
                if (next_offset == 0) {
                        break;
                }
+
+               /* Integer wrap protection for the increment. */
+               if (offset + next_offset < offset) {
+                       break;
+               }
+
                offset += next_offset;
+
+               /* Integer wrap protection for while loop. */
+               if (offset + 4 < offset) {
+                       break;
+               }
+
        }
 
        return ea_list_head;
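
Review bot: Both new wrap checks (`offset + next_offset < offset` before the increment and `offset + 4 < offset` after it) exit with `break`, so a list whose offsets would wrap falls through to `return ea_list_head` and the caller receives the entries parsed so far as if the list were well formed. Since the commit message says this is client-provided input, consider failing the whole parse on wrap (for example returning NULL) or stating in the comments why a silently truncated list is acceptable. The checks also only detect a wrap if `offset` and `next_offset` are unsigned; their declarations are outside this hunk, so please confirm they are `size_t` or another unsigned type, because with signed operands the overflow is undefined behaviour and the compiler may drop the comparison. The comment "Integer wrap protection for while loop" would be clearer if it named the loop condition it is guarding, which is not visible here.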