tdb: Make tdb_recovery_allocate overflow-safe

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Rusty Russell <rusty@rustcorp.com.au>

diff --git a/lib/tdb/common/transaction.c b/lib/tdb/common/transaction.c
index 080d0586c36b35fbbf89f82b0b2415c820b76eb2..a2c3bbdff375b48f74107844cc320d7a9fa79e7c 100644 (file)
--- a/lib/tdb/common/transaction.c
+++ b/lib/tdb/common/transaction.c
@@ -762,7 +762,12 @@ static int tdb_recovery_allocate(struct tdb_context *tdb,
                                               tdb->page_size)
                - sizeof(rec);
 
-       new_end = recovery_head + sizeof(rec) + *recovery_max_size;
+       if (!tdb_add_off_t(recovery_head, sizeof(rec), &new_end) ||
+           !tdb_add_off_t(new_end, *recovery_max_size, &new_end)) {
+               TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_recovery_allocate: "
+                        "overflow recovery area\n"));
+               return -1;
+       }
 
        if (methods->tdb_expand_file(tdb, tdb->transaction->old_map_size,
                                     new_end - tdb->transaction->old_map_size)