git.samba.org / samba.git / commitdiff
(parent: 4df0ef0)
Fix bug #10010 - Missing integer wrap protection in EA list reading can cause server...
author Jeremy Allison <jra@samba.org> Thu, 11 Jul 2013 00:10:17 +0000 (17:10 -0700)
committer Karolin Seeger <kseeger@samba.org> Fri, 2 Aug 2013 18:02:34 +0000 (20:02 +0200)
Ensure we never wrap whilst adding client provided input.
Signed-off-by: Jeremy Allison <jra@samba.org>
source3/smbd/nttrans.c
diff --git
a/source3/smbd/nttrans.c
b/source3/smbd/nttrans.c
index 54e475d6143cd9da555dc8c316a7958a0c749e36..f70fb36964e0d971f9a45ce635a380e1ba115c18 100644
(file)
--- a/
source3/smbd/nttrans.c
+++ b/
source3/smbd/nttrans.c
@@
-993,7
+993,19
@@
struct ea_list *read_nttrans_ea_list(TALLOC_CTX *ctx, const char *pdata, size_t
if (next_offset == 0) {
break;
}
+
+ /* Integer wrap protection for the increment. */
+ if (offset + next_offset < offset) {
+ break;
+ }
+
offset += next_offset;
+
+ /* Integer wrap protection for while loop. */
+ if (offset + 4 < offset) {
+ break;
+ }
+
}
return ea_list_head;
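Review bot: Both new wrap checks, the one before `offset += next_offset;` and the one after it, leave the loop with `break`, so a request whose offsets would wrap falls through to `return ea_list_head;` and the caller gets the entries parsed so far with no indication that the list was malformed. If a partial list is not the intended result for hostile input, free the list and return NULL here so the caller can reject the request; if truncation is intended, say so in the two comments. Two smaller points: the `offset + next_offset < offset` idiom only detects a wrap when both operands are unsigned, and their declarations are outside this hunk, so please confirm they are `size_t` or another unsigned type (with signed types the overflow is undefined and the test can be optimised away). The literal 4 in `offset + 4 < offset` presumably mirrors an expression in the while condition that is not shown here; a comment naming that expression would keep the two from drifting apart.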