(parent: b4bfcdf)
Fix bug #10010 - Missing integer wrap protection in EA list reading can cause server...
author Jeremy Allison <jra@samba.org> Thu, 11 Jul 2013 16:36:01 +0000 (09:36 -0700)
committer Karolin Seeger <kseeger@samba.org> Fri, 2 Aug 2013 18:02:34 +0000 (20:02 +0200)
Fix client-side parsing also. Found by David Disseldorp <ddiss@suse.de>
CVE-2013-4124
Signed-off-by: Jeremy Allison <jra@samba.org>
source4/libcli/raw/raweas.c
diff --git
a/source4/libcli/raw/raweas.c
b/source4/libcli/raw/raweas.c
index 5f06e7001d8517fea8dc6d248e36fb7149564e46..b626b316d28d1d9d29915ee6d2d3efdc776b636f 100644
--- a/
source4/libcli/raw/raweas.c
+++ b/
source4/libcli/raw/raweas.c
@@
-243,9
+243,12
@@
NTSTATUS ea_pull_list_chained(const DATA_BLOB *blob,
return NT_STATUS_INVALID_PARAMETER;
}
- ofs += next_ofs;
+ if (ofs + next_ofs < ofs) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
- if (ofs+4 > blob->length) {
+ ofs += next_ofs;
+ if (ofs+4 > blob->length || ofs+4 < ofs) {
return NT_STATUS_INVALID_PARAMETER;
}
n++;
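Review bot: the two added wrap tests, `ofs + next_ofs < ofs` before the increment and `ofs+4 < ofs` after it, are only reliable if `ofs` and `next_ofs` are unsigned, and neither declaration is visible in this hunk. If either were signed, the overflow would be undefined behaviour and a compiler could drop the comparison, so please confirm the types or state them in a comment above the check. The tests also only detect wraparound after the addition has been formed. If `ofs` is known to be within `blob->length` at this point, comparing against the remaining space instead (`next_ofs > blob->length - ofs`, then `blob->length - ofs < 4`) rejects any out-of-range offset without relying on wrap detection, and would replace the second clause of `ofs+4 > blob->length || ofs+4 < ofs`. A short comment noting that `next_ofs` comes from the blob being parsed would make the reason for the check clear to the next reader.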