Fix bug #10010 - Missing integer wrap protection in EA list reading can cause server...
author Jeremy Allison <jra@samba.org>
Thu, 11 Jul 2013 16:36:01 +0000 (09:36 -0700)
committer Karolin Seeger <kseeger@samba.org>
Mon, 5 Aug 2013 12:39:04 +0000 (14:39 +0200)
Fix client-side parsing also. Found by David Disseldorp <ddiss@suse.de>

Signed-off-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(master): Mon Aug  5 14:39:04 CEST 2013 on sn-devel-104

source4/libcli/raw/raweas.c

index 5f06e7001d8517fea8dc6d248e36fb7149564e46..b626b316d28d1d9d29915ee6d2d3efdc776b636f 100644 (file)
@@ -243,9 +243,12 @@ NTSTATUS ea_pull_list_chained(const DATA_BLOB *blob,
                        return NT_STATUS_INVALID_PARAMETER;
                }
 
-               ofs += next_ofs;
+               if (ofs + next_ofs < ofs) {
+                       return NT_STATUS_INVALID_PARAMETER;
+               }
 
-               if (ofs+4 > blob->length) {
+               ofs += next_ofs;
+               if (ofs+4 > blob->length || ofs+4 < ofs) {
                        return NT_STATUS_INVALID_PARAMETER;
                }
                n++;
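
Review bot: the wrap tests `ofs + next_ofs < ofs` and `ofs+4 < ofs` only work if `ofs` and `next_ofs` are unsigned and at least as wide as `int`, and the hunk does not show their declarations. With signed types the overflow is undefined behaviour, and with narrower unsigned types the operands promote to `int`, so the sum never wraps and the test is always false. Please confirm the types, or rewrite the bounds test in a form that cannot wrap, for example `blob->length < 4 || ofs > blob->length - 4`, which also makes the extra `ofs+4 < ofs` clause unnecessary. A one-line comment above the new `if` stating that it guards against integer wrap from an untrusted `next_ofs` would help, since the intent is not obvious from the comparison alone.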