(parent: b45411c)
Fix bug #10010 - Missing integer wrap protection in EA list reading can cause server...
author Jeremy Allison <jra@samba.org> Thu, 11 Jul 2013 00:10:17 +0000 (17:10 -0700)
committer Karolin Seeger <kseeger@samba.org> Mon, 29 Jul 2013 18:51:51 +0000 (20:51 +0200)
Ensure we never wrap whilst adding client provided input.
CVE-2013-4124
Signed-off-by: Jeremy Allison <jra@samba.org>
source3/smbd/nttrans.c
diff --git
a/source3/smbd/nttrans.c
b/source3/smbd/nttrans.c
index ea9d417e7438b355eca627dc12305b4708c43754..5fc3a09784d86b734253b49e8512a42c3bcc1463 100644
(file)
--- a/
source3/smbd/nttrans.c
+++ b/
source3/smbd/nttrans.c
@@
-989,7
+989,19
@@
struct ea_list *read_nttrans_ea_list(TALLOC_CTX *ctx, const char *pdata, size_t
if (next_offset == 0) {
break;
}
+
+ /* Integer wrap protection for the increment. */
+ if (offset + next_offset < offset) {
+ break;
+ }
+
offset += next_offset;
+
+ /* Integer wrap protection for while loop. */
+ if (offset + 4 < offset) {
+ break;
+ }
+
}
return ea_list_head;
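Review bot: Both new wrap checks exit with `break` and fall through to `return ea_list_head;`, so a client-supplied `next_offset` that would wrap `offset` is handled exactly like the normal `next_offset == 0` terminator, and the caller receives the partially built list with no indication that the input was malformed. Consider failing the parse on these two branches with an error return, so the request is rejected rather than partly honoured. Separately, `offset + next_offset < offset` and `offset + 4 < offset` only detect wrap when the operands are unsigned; the declarations are outside this hunk, so it is worth confirming that, or rewriting the tests in subtraction form against the remaining buffer length, which would state the intent more directly than the "for while loop" comment does.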