If someone messes with brlock.tdb and inserts an invalid record length,
this will lead to memcpy overwriting a few bytes behind malloc'ed data.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Sep 12 03:26:45 CEST 2013 on sn-devel-104
data = dbwrap_record_get_value(br_lck->record);
}
+ if ((data.dsize % sizeof(struct lock_struct)) != 0) {
+ DEBUG(3, ("Got invalid brlock data\n"));
+ TALLOC_FREE(br_lck);
+ return NULL;
+ }
+
br_lck->read_only = do_read_only;
br_lck->lock_data = NULL;
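Review bot: the DEBUG(3, ("Got invalid brlock data\n")) line in the new length check does not say which record was rejected or how long it was, and at level 3 it will not appear at typical log settings even though the condition means brlock.tdb holds a corrupt or tampered record. Consider including data.dsize and sizeof(struct lock_struct) in the message and logging at a lower level such as DEBUG(1, ...), so an administrator can tell that the database needs attention. A one-line comment above the check stating that a length which is not a multiple of sizeof(struct lock_struct) would let the later copy run past the allocation would also document why the check sits here, since the reason is currently only in the commit message. The check itself only rejects lengths that are not a whole number of lock_struct entries; it does not validate the contents of entries in a record of acceptable length, which is worth stating if that is intentional.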