git.samba.org
/
nivanova
/
samba-autobuild
/
.git
/ commitdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
| commitdiff |
tree
raw
|
patch
| inline |
side by side
(parent:
6659f01
)
Fix bug #10010 - Missing integer wrap protection in EA list reading can cause server...
author
Jeremy Allison
<jra@samba.org>
Thu, 11 Jul 2013 00:10:17 +0000
(17:10 -0700)
committer
Karolin Seeger
<kseeger@samba.org>
Mon, 5 Aug 2013 10:49:17 +0000
(12:49 +0200)
Ensure we never wrap whilst adding client provided input.
Signed-off-by: Jeremy Allison <jra@samba.org>
source3/smbd/nttrans.c
patch
|
blob
|
history
diff --git
a/source3/smbd/nttrans.c
b/source3/smbd/nttrans.c
index 800e2fd260be334479ca6c4d57d2df69eec2479c..bcba29a3e899c88bd0f301451ecbd9680e37fc9d 100644
(file)
--- a/
source3/smbd/nttrans.c
+++ b/
source3/smbd/nttrans.c
@@
-990,7
+990,19
@@
struct ea_list *read_nttrans_ea_list(TALLOC_CTX *ctx, const char *pdata, size_t
if (next_offset == 0) {
break;
}
+
+ /* Integer wrap protection for the increment. */
+ if (offset + next_offset < offset) {
+ break;
+ }
+
offset += next_offset;
+
+ /* Integer wrap protection for while loop. */
+ if (offset + 4 < offset) {
+ break;
+ }
+
}
return ea_list_head;