authorJeremy Allison <jra@samba.org>2005-03-22 17:48:41 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 10:56:12 -0500
commit09bb17511b3c5b32ab93ef37dbb451674bcc5a0b (patch)
treef3cb6fe8101dde7d9948d939e899e9d2885ad234
parentcf99ec82969f6d3c553472028bd9aa2112ef35d4 (diff)
r5960: Integer wrap paranoia when reading EA buffers.
Jeremy. (This used to be commit e61f7a6b72fe6186a5a56f23f9133c5b1a49bb89)
-rw-r--r--source3/smbd/trans2.c27
1 files changed, 23 insertions, 4 deletions
diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
index ce04da2751..81c102a4ee 100644
--- a/source3/smbd/trans2.c
+++ b/source3/smbd/trans2.c
@@ -395,7 +395,11 @@ static struct ea_list *read_ea_name_list(TALLOC_CTX *ctx, const char *pdata, siz
unsigned int namelen = CVAL(pdata,offset);
offset++; /* Go past the namelen byte. */
- if (offset + namelen >= data_size) {
+
+ /* integer wrap paranioa. */
+ if ((offset + namelen < offset) || (offset + namelen < namelen) ||
+ (offset > data_size) || (namelen > data_size) ||
+ (offset + namelen >= data_size)) {
break;
}
/* Ensure the name is null terminated. */
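Review bot: The new five-clause guard in read_ea_name_list can be written as one wrap-free comparison that is easier to audit: `if (offset > data_size || namelen >= data_size - offset) {` — once `offset <= data_size` is established, `data_size - offset` cannot underflow and `namelen >= data_size - offset` is exactly `offset + namelen >= data_size` without ever forming the sum. The clauses `offset + namelen < offset` and `offset + namelen < namelen` test the same thing on unsigned operands (namelen is `unsigned int`; offset's type is declared outside the hunk, presumably `size_t` like data_size), and because namelen comes from a single CVAL() byte that sum can only wrap when offset is already within 255 of the type's maximum. The comment misspells "paranoia" here and again in the read_ea_list hunk below. read_ea_name_list begins outside the hunk, so whether the `CVAL(pdata,offset)` read just above the guard is itself bounded by the loop condition cannot be confirmed from what is shown.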
@@ -444,6 +448,16 @@ static struct ea_list *read_ea_list(TALLOC_CTX *ctx, const char *pdata, size_t d
namelen = CVAL(pdata,offset + 1);
val_len = SVAL(pdata,offset + 2);
+ /* integer wrap paranioa. */
+ if ((offset + namelen + 5 + val_len < offset) ||
+ (offset + namelen + 5 + val_len < namelen) ||
+ (offset + namelen + 5 + val_len < val_len) ||
+ (offset > data_size) ||
+ (namelen > data_size) ||
+ (offset + namelen >= data_size)) {
+ return NULL;
+ }
+
if (offset + 4 + namelen + 1 + val_len > data_size) {
return NULL;
}
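Review bot: The added check in read_ea_list runs after namelen and val_len have already been read from pdata at offset+1 and offset+2, so it does not bound those reads; unless the loop head outside the hunk already guarantees at least four bytes remain at offset, a guard such as `if (offset > data_size || data_size - offset < 4) return NULL;` belongs before the CVAL/SVAL lines. Apart from its three wrap clauses, the new test is subsumed by the existing `offset + 4 + namelen + 1 + val_len > data_size` check that immediately follows it, and both can be replaced by the single wrap-free form `if (offset > data_size || namelen + 5 + val_len > data_size - offset) return NULL;`, which never forms a sum that includes offset. namelen and val_len are declared outside the hunk; with CVAL() and SVAL() supplying at most 8 and 16 bits respectively, `namelen + 5 + val_len` cannot overflow any unsigned type, so the subtraction form loses no protection.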
@@ -473,7 +487,7 @@ static struct ea_list *read_ea_list(TALLOC_CTX *ctx, const char *pdata, size_t d
DLIST_ADD_END(ea_list_head, eal, tmp);
- DEBUG(10,("read_ea_name_list: read ea name %s\n", eal->ea.name));
+ DEBUG(10,("read_ea_list: read ea name %s\n", eal->ea.name));
dump_data(10, eal->ea.value.data, eal->ea.value.length);
}
@@ -505,7 +519,7 @@ static size_t ea_list_size(struct ea_list *ealist)
/****************************************************************************
Return a union of EA's from a file list and a list of names.
The TALLOC context for the two lists *MUST* be identical as we steal
- memory from one list to another. JRA.
+ memory from one list to add to another. JRA.
****************************************************************************/
static struct ea_list *ea_list_union(struct ea_list *name_list, struct ea_list *file_list, size_t *total_ea_len)
@@ -2730,7 +2744,12 @@ static int call_trans2qfilepathinfo(connection_struct *conn, char *inbuf, char *
/* Pull any EA list from the data portion. */
if (info_level == SMB_INFO_QUERY_EAS_FROM_LIST) {
- uint32 ea_size = IVAL(pdata,0);
+ uint32 ea_size;
+
+ if (total_data < 4) {
+ return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+ }
+ ea_size = IVAL(pdata,0);
if (total_data > 0 && ea_size != total_data) {
DEBUG(4,("call_trans2qfilepathinfo: Rejecting EA request with incorrect \