Fix bug #10010 - Missing integer wrap protection in EA list reading can cause server...

[metze/samba/wip.git] / source3 / smbd / nttrans.c

diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
index 800e2fd260be334479ca6c4d57d2df69eec2479c..bcba29a3e899c88bd0f301451ecbd9680e37fc9d 100644 (file)
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -990,7 +990,19 @@ struct ea_list *read_nttrans_ea_list(TALLOC_CTX *ctx, const char *pdata, size_t
                if (next_offset == 0) {
                        break;
                }
+
+               /* Integer wrap protection for the increment. */
+               if (offset + next_offset < offset) {
+                       break;
+               }
+
                offset += next_offset;
+
+               /* Integer wrap protection for while loop. */
+               if (offset + 4 < offset) {
+                       break;
+               }
+
        }
 
        return ea_list_head;