From 7cf00e3231da1808a5ad1adf8fbc319846eacabe Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Sat, 22 Oct 2011 11:48:30 +1100
Subject: [PATCH] gensec: Add parinoia about integer wrapping
---
 auth/ntlmssp/ntlmssp_sign.c | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/auth/ntlmssp/ntlmssp_sign.c b/auth/ntlmssp/ntlmssp_sign.c
index a5c57d8423f..4d07a81e44b 100644
--- a/auth/ntlmssp/ntlmssp_sign.c
+++ b/auth/ntlmssp/ntlmssp_sign.c
@@ -402,6 +402,10 @@ NTSTATUS ntlmssp_wrap(struct ntlmssp_state *ntlmssp_state,
 DATA_BLOB sig;
 if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) {
+ if (in->length + NTLMSSP_SIG_SIZE < in->length) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
 *out = data_blob_talloc(out_mem_ctx, NULL, in->length + NTLMSSP_SIG_SIZE);
 if (!out->data) {
 return NT_STATUS_NO_MEMORY;
@@ -422,6 +426,9 @@ NTSTATUS ntlmssp_wrap(struct ntlmssp_state *ntlmssp_state,
 return nt_status;
 } else if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) {
+ if (in->length + NTLMSSP_SIG_SIZE < in->length) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
 *out = data_blob_talloc(out_mem_ctx, NULL, in->length + NTLMSSP_SIG_SIZE);
 if (!out->data) {
--
2.34.1
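Review bot: The wrap test `in->length + NTLMSSP_SIG_SIZE < in->length` is written out twice, once in the NTLMSSP_NEGOTIATE_SEAL branch (first hunk) and again in the NTLMSSP_NEGOTIATE_SIGN branch (second hunk), and neither copy says what it protects. It is only a valid test if `in->length` has an unsigned type, so the sum wraps instead of overflowing; DATA_BLOB is declared outside this patch, so confirm the field is `size_t`, and in that case `if (in->length > SIZE_MAX - NTLMSSP_SIG_SIZE) {` states the same limit as a plain bound. Either way I would put a one-line comment above each check, such as `/* in->length + NTLMSSP_SIG_SIZE sizes the allocation below; reject a sum that would wrap */`, because a wrapped size would presumably leave data_blob_talloc() returning a buffer smaller than the input. ntlmssp_wrap starts and ends outside both hunks, so whether the check could be done once ahead of the branch depends on the remaining else path, which is not shown.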