From 1b0fbdaf853b341a8e53e23e1e3f2ae1c9037dc2 Mon Sep 17 00:00:00 2001
From: Volker Lendecke
Date: Sun, 4 Mar 2018 10:46:09 +0100
Subject: [PATCH] Harden tdb_check_used_record against overflow

Signed-off-by: Volker Lendecke
Reviewed-by: Jeremy Allison
---
 lib/tdb/common/check.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/lib/tdb/common/check.c b/lib/tdb/common/check.c
index e632af515361..3a5c8b8ba949 100644
--- a/lib/tdb/common/check.c
+++ b/lib/tdb/common/check.c
@@ -242,12 +242,27 @@ static bool tdb_check_used_record(struct tdb_context *tdb,
 void *private_data)
 {
 TDB_DATA key, data;
+ tdb_len_t len;

 if (!tdb_check_record(tdb, off, rec))
 return false;

 /* key + data + tailer must fit in record */
- if (rec->key_len + rec->data_len + sizeof(tdb_off_t) > rec->rec_len) {
+ len = rec->key_len;
+ len += rec->data_len;
+ if (len < rec->data_len) {
+ /* overflow */
+ TDB_LOG((tdb, TDB_DEBUG_ERROR, "Record lengths overflow\n"));
+ return false;
+ }
+ len += sizeof(tdb_off_t);
+ if (len < sizeof(tdb_off_t)) {
+ /* overflow */
+ TDB_LOG((tdb, TDB_DEBUG_ERROR, "Record lengths overflow\n"));
+ return false;
+ }
+
+ if (len > rec->rec_len) {
 TDB_LOG((tdb, TDB_DEBUG_ERROR,
 "Record offset %u too short for contents\n", off));
 return false;
--
2.34.1
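Review bot: Both new overflow branches log the identical text `"Record lengths overflow\n"` without the record offset, so when a corrupted or crafted tdb file trips them the log neither locates the record nor says which addition wrapped. The existing too-short message already passes `off`; the new ones could follow it, e.g. `"Record offset %u: key_len + data_len overflows\n", off` for the first and `"Record offset %u: lengths + tailer overflow\n", off` for the second. The wrap tests `len < rec->data_len` and `len < sizeof(tdb_off_t)` only hold if `tdb_len_t` is an unsigned type no narrower than `int`, which the hunk does not show; a one-line comment at the declaration of `len` would record that assumption. The body of tdb_check_used_record continues past the end of the hunk.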