Fix bug #10010 - Missing integer wrap protection in EA list reading can cause server...
author: Jeremy Allison <jra@samba.org>
Thu, 11 Jul 2013 00:10:17 +0000 (17:10 -0700)
committer: Karolin Seeger <kseeger@samba.org>
Mon, 5 Aug 2013 10:43:37 +0000 (12:43 +0200)
Ensure we never wrap whilst adding client-provided input.
CVE-2013-4124

Signed-off-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit efdbcabbe97a594572d71d714d258a5854c5d8ce)

source3/smbd/nttrans.c

index ea9d417e7438b355eca627dc12305b4708c43754..5fc3a09784d86b734253b49e8512a42c3bcc1463 100644 (file)
@@ -989,7 +989,19 @@ struct ea_list *read_nttrans_ea_list(TALLOC_CTX *ctx, const char *pdata, size_t
                if (next_offset == 0) {
                        break;
                }
+
+               /* Integer wrap protection for the increment. */
+               if (offset + next_offset < offset) {
+                       break;
+               }
+
                offset += next_offset;
+
+               /* Integer wrap protection for while loop. */
+               if (offset + 4 < offset) {
+                       break;
+               }
+
        }
 
        return ea_list_head;
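Review bot: both new guards (`offset + next_offset < offset` and `offset + 4 < offset`) are only sound if `offset` and `next_offset` are unsigned; the hunk does not show their declarations, and if either is a signed type the addition is undefined behaviour on overflow and the compiler is entitled to drop the comparison. The form that is safe regardless of signedness is to test before adding, e.g. `if (next_offset > SIZE_MAX - offset) { break; }` for a `size_t` offset, or better, bound `next_offset` against the remaining buffer length (`data_size - offset`) so that an out-of-range client value is rejected outright rather than merely kept from wrapping. Also worth noting: on a detected wrap the loop breaks and the function still returns `ea_list_head`, so a malformed client buffer yields a silently truncated EA list instead of a parse failure; if the caller treats NULL as an error for other malformed input, consider returning NULL here for consistency.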