vfs_fruit: tmsize prevent overflow Force the type during arithmetic in order to preve...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13622
Signed-off-by: Art M. Gallagher <smblock@artmg.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Mar  7 01:37:31 UTC 2020 on sn-devel-184

diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c
index ebf3e18af2f25a22db2f7d9b1012b992f1caed81..b2d0901a80076f20ad363425f8821c392c69d06d 100644 (file)
--- a/source3/modules/vfs_fruit.c
+++ b/source3/modules/vfs_fruit.c
@@ -4986,15 +4986,21 @@ static bool fruit_tmsize_do_dirent(vfs_handle_struct *handle,
                return true;
        }
 
+       /*
+        * Arithmetic on 32-bit systems may cause overflow, depending on
+        * size_t precision. First we check its unlikely, then we
+        * force the precision into target off_t, then we check that
+        * the total did not overflow either.
+        */
        if (bandsize > SIZE_MAX/nbands) {
-               DBG_ERR("tmsize overflow: bandsize [%zu] nbands [%zu]\n",
+               DBG_ERR("tmsize potential overflow: bandsize [%zu] nbands [%zu]\n",
                        bandsize, nbands);
                return false;
        }
-       tm_size = bandsize * nbands;
+       tm_size = (off_t)bandsize * (off_t)nbands;
 
        if (state->total_size + tm_size < state->total_size) {
-               DBG_ERR("tmsize overflow: bandsize [%zu] nbands [%zu]\n",
+               DBG_ERR("tm total size overflow: bandsize [%zu] nbands [%zu]\n",
                        bandsize, nbands);
                return false;
        }