From d9b4f19e73f241a1ccf64f04c3cc28d481550bb7 Mon Sep 17 00:00:00 2001
From: Volker Lendecke
Date: Thu, 30 May 2013 15:54:58 +0200
Subject: [PATCH] tdb: Make tdb_recovery_allocate overflow-safe

Signed-off-by: Volker Lendecke
Reviewed-by: Rusty Russell
---
 lib/tdb/common/transaction.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/lib/tdb/common/transaction.c b/lib/tdb/common/transaction.c
index 080d0586c36..a2c3bbdff37 100644
--- a/lib/tdb/common/transaction.c
+++ b/lib/tdb/common/transaction.c
@@ -762,7 +762,12 @@ static int tdb_recovery_allocate(struct tdb_context *tdb,
 tdb->page_size) - sizeof(rec);
- new_end = recovery_head + sizeof(rec) + *recovery_max_size;
+ if (!tdb_add_off_t(recovery_head, sizeof(rec), &new_end) ||
+ !tdb_add_off_t(new_end, *recovery_max_size, &new_end)) {
+ TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_recovery_allocate: "
+ "overflow recovery area\n"));
+ return -1;
+ }
 if (methods->tdb_expand_file(tdb, tdb->transaction->old_map_size, new_end - tdb->transaction->old_map_size)
-- 
2.34.1
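Review bot: The new failure branch logs and returns -1 without recording an error code, so a caller that inspects the context's error state after the failed allocation may see whatever an earlier operation left there; assuming `tdb_add_off_t` does not set it itself (its definition is not in this hunk), add `tdb->ecode = TDB_ERR_OOM;` before `return -1;`. The log line would also help triage more if it printed `recovery_head` and `*recovery_max_size`, since an overflow here more likely points to a corrupt or untrusted database file than to an ordinary allocation failure. Separately, the statement ending in `tdb->page_size) - sizeof(rec);` just above starts outside the hunk; if it rounds `*recovery_max_size` up with unchecked additions, a wrap there would produce a small value that passes the new check, so it deserves the same overflow-safe treatment. The body of tdb_recovery_allocate begins and ends outside this hunk.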