libsmb: Add overflow protection to symlink_reparse_buffer_marshall()

author Volker Lendecke <vl@samba.org>

Thu, 11 Jun 2020 12:42:49 +0000 (14:42 +0200)

committer Jeremy Allison <jra@samba.org>

Mon, 15 Jun 2020 17:59:39 +0000 (17:59 +0000)
author Volker Lendecke <vl@samba.org>
Thu, 11 Jun 2020 12:42:49 +0000 (14:42 +0200)
committer Jeremy Allison <jra@samba.org>
Mon, 15 Jun 2020 17:59:39 +0000 (17:59 +0000)
diff --git a/source3/libsmb/reparse_symlink.c b/source3/libsmb/reparse_symlink.c

index f981b5fcce7242743a35edbb93cd46d00e46d562..b0b51814a555ce6ea56cb2a611e3046b3bc34177 100644 (file)
--- a/source3/libsmb/reparse_symlink.c
+++ b/source3/libsmb/reparse_symlink.c
@@ -53,7 +53,15 @@ bool symlink_reparse_buffer_marshall(
                                    &print_utf16, &print_len)) {
                 goto fail;
         }
-       dst_len = 20 + subst_len + print_len;
+
+       dst_len = subst_len + 20;
+       if (dst_len < 20) {
+               goto fail;
+       }
+       dst_len += print_len;
+       if (dst_len < print_len) {
+               goto fail;
+       }
         dst = talloc_array(mem_ctx, uint8_t, dst_len);
         if (dst == NULL) {
                 goto fail;
author	Volker Lendecke <vl@samba.org>
	Thu, 11 Jun 2020 12:42:49 +0000 (14:42 +0200)
committer	Jeremy Allison <jra@samba.org>
	Mon, 15 Jun 2020 17:59:39 +0000 (17:59 +0000)