messaging: Add wrap check to messaging_rec_dup

Just paranoia

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Sep 28 03:58:22 CEST 2016 on sn-devel-144

diff --git a/source3/lib/messages.c b/source3/lib/messages.c
index ef5d679f6a356a74c039c732241a009cd6859400..3e11cc5f77eb8b3058058b2b32badcf925de891b 100644 (file)
--- a/source3/lib/messages.c
+++ b/source3/lib/messages.c
@@ -496,9 +496,16 @@ static struct messaging_rec *messaging_rec_dup(TALLOC_CTX *mem_ctx,
 {
        struct messaging_rec *result;
        size_t fds_size = sizeof(int64_t) * rec->num_fds;
+       size_t payload_len;
+
+       payload_len = rec->buf.length + fds_size;
+       if (payload_len < rec->buf.length) {
+               /* overflow */
+               return NULL;
+       }
 
        result = talloc_pooled_object(mem_ctx, struct messaging_rec, 2,
-                                     rec->buf.length + fds_size);
+                                     payload_len);
        if (result == NULL) {
                return NULL;
        }