tevent: Add overflow protection to tevent_req_create
author Volker Lendecke <vl@samba.org>
Fri, 22 Jul 2016 14:12:25 +0000 (16:12 +0200)
committer Volker Lendecke <vl@samba.org>
Fri, 22 Jul 2016 21:33:57 +0000 (23:33 +0200)
This adds 40 bytes, but they are needed for correctness :-)

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Fri Jul 22 23:33:57 CEST 2016 on sn-devel-144

lib/tevent/tevent_req.c

index fe613cc834ca152a93ff958cd2419ae67a56fd5b..e2b7104d16a2f3802b2b4013d1374dac9f2ebf6c 100644 (file)
@@ -62,6 +62,13 @@ struct tevent_req *_tevent_req_create(TALLOC_CTX *mem_ctx,
        struct tevent_req *req;
        void **ppdata = (void **)pdata;
        void *data;
+       size_t payload;
+
+       payload = sizeof(struct tevent_immediate) + data_size;
+       if (payload < sizeof(struct tevent_immediate)) {
+               /* overflow */
+               return NULL;
+       }
 
        req = talloc_pooled_object(
                mem_ctx, struct tevent_req, 2,
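
Review bot: The wrap-around test on payload is sound for an unsigned size_t sum, but the visible hunk ends before the remaining arguments of talloc_pooled_object(), so it is not shown that the checked value is the one actually allocated. Please confirm the call passes payload itself rather than recomputing sizeof(struct tevent_immediate) + data_size, so the checked size and the pool size cannot drift apart. The early "return NULL" is also indistinguishable from an out-of-memory failure for callers, and the "/* overflow */" comment is terse; a line in the function's documentation stating that an oversized data_size returns NULL would make the contract explicit.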