registry: Add error checks to regdb_fetch_keys_internal

author Volker Lendecke <vl@samba.org>

Tue, 2 Oct 2018 11:16:04 +0000 (13:16 +0200)

committer Jeremy Allison <jra@samba.org>

Mon, 8 Oct 2018 20:17:09 +0000 (22:17 +0200)
author Volker Lendecke <vl@samba.org>
Tue, 2 Oct 2018 11:16:04 +0000 (13:16 +0200)
committer Jeremy Allison <jra@samba.org>
Mon, 8 Oct 2018 20:17:09 +0000 (22:17 +0200)
diff --git a/source3/registry/reg_backend_db.c b/source3/registry/reg_backend_db.c

index aa97d60abecffb845a6f4df229099ef7a7690534..a0db5eab9ceeca394cc942166c5ef027dff7f188 100644 (file)
--- a/source3/registry/reg_backend_db.c
+++ b/source3/registry/reg_backend_db.c
@@ -1784,7 +1784,23 @@ static WERROR regdb_fetch_keys_internal(struct db_context *db, const char *key,
         }
  
         for (i=0; i<num_items; i++) {
-               len += tdb_unpack(buf+len, buflen-len, "f", subkeyname);
+               int this_len;
+
+               this_len = tdb_unpack(buf+len, buflen-len, "f", subkeyname);
+               if (this_len == -1) {
+                       DBG_WARNING("Invalid registry data, "
+                                   "tdb_unpack failed\n");
+                       werr = WERR_INTERNAL_DB_CORRUPTION;
+                       goto done;
+               }
+               len += this_len;
+               if (len < this_len) {
+                       DBG_WARNING("Invalid registry data, "
+                                   "integer overflow\n");
+                       werr = WERR_INTERNAL_DB_CORRUPTION;
+                       goto done;
+               }
+
                 werr = regsubkey_ctr_addkey(ctr, subkeyname);
                 if (!W_ERROR_IS_OK(werr)) {
                         DEBUG(5, ("regdb_fetch_keys: regsubkey_ctr_addkey "
author	Volker Lendecke <vl@samba.org>
	Tue, 2 Oct 2018 11:16:04 +0000 (13:16 +0200)
committer	Jeremy Allison <jra@samba.org>
	Mon, 8 Oct 2018 20:17:09 +0000 (22:17 +0200)