author | Jeremy Allison <jra@samba.org> | 2005-03-22 17:48:41 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 10:56:12 -0500 |
commit | 09bb17511b3c5b32ab93ef37dbb451674bcc5a0b (patch) | |
tree | f3cb6fe8101dde7d9948d939e899e9d2885ad234 | |
parent | cf99ec82969f6d3c553472028bd9aa2112ef35d4 (diff) | |
r5960: Integer wrap paranoia when reading EA buffers.
Jeremy.
(This used to be commit e61f7a6b72fe6186a5a56f23f9133c5b1a49bb89)
-rw-r--r-- | source3/smbd/trans2.c | 27 |
1 files changed, 23 insertions, 4 deletions
diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
index ce04da2751..81c102a4ee 100644
--- a/source3/smbd/trans2.c
+++ b/source3/smbd/trans2.c
@@ -395,7 +395,11 @@ static struct ea_list *read_ea_name_list(TALLOC_CTX *ctx, const char *pdata, siz
 		unsigned int namelen = CVAL(pdata,offset);
 		offset++; /* Go past the namelen byte. */
-		if (offset + namelen >= data_size) {
+
+		/* integer wrap paranioa. */
+		if ((offset + namelen < offset) || (offset + namelen < namelen) ||
+				(offset > data_size) || (namelen > data_size) ||
+				(offset + namelen >= data_size)) {
 			break;
 		}
 		/* Ensure the name is null terminated. */
@@ -444,6 +448,16 @@ static struct ea_list *read_ea_list(TALLOC_CTX *ctx, const char *pdata, size_t d
 		namelen = CVAL(pdata,offset + 1);
 		val_len = SVAL(pdata,offset + 2);
+		/* integer wrap paranioa. */
+		if ((offset + namelen + 5 + val_len < offset) ||
+				(offset + namelen + 5 + val_len < namelen) ||
+				(offset + namelen + 5 + val_len < val_len) ||
+				(offset > data_size) ||
+				(namelen > data_size) ||
+				(offset + namelen >= data_size)) {
+			return NULL;
+		}
+
 		if (offset + 4 + namelen + 1 + val_len > data_size) {
 			return NULL;
 		}
@@ -473,7 +487,7 @@ static struct ea_list *read_ea_list(TALLOC_CTX *ctx, const char *pdata, size_t d
 		DLIST_ADD_END(ea_list_head, eal, tmp);
-		DEBUG(10,("read_ea_name_list: read ea name %s\n", eal->ea.name));
+		DEBUG(10,("read_ea_list: read ea name %s\n", eal->ea.name));
 		dump_data(10, eal->ea.value.data, eal->ea.value.length);
 	}
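Review bot: The five-clause guard added after `offset++` in read_ea_name_list can be a single comparison that cannot wrap in the first place, rather than a test for wrap after the fact: `if (offset > data_size || namelen >= data_size - offset) { break; }`. Since namelen is read by CVAL (one byte), `offset + namelen` can only wrap when offset is already past data_size, which the subtraction form rejects up front; for unsigned operands of the same width the two clauses `offset + namelen < offset` and `offset + namelen < namelen` are also equivalent to each other, so at most one is needed — offset's declaration and the loop bound are outside the hunk, so confirm offset is unsigned before simplifying. The comment should read `/* integer wrap paranoia. */`; `paranioa` is misspelled here and again in the read_ea_list hunk. read_ea_name_list begins and ends outside the hunk.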
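Review bot: The new guard in read_ea_list largely duplicates the bounds check that immediately follows it: `offset + namelen >= data_size` is already implied by the existing `offset + 4 + namelen + 1 + val_len > data_size`, so the block only contributes the wrap clauses, and both checks can be folded into one comparison written in subtraction form so that no wrap is possible: `if (offset > data_size || namelen + 5 + val_len > data_size - offset) { return NULL; }`, dropping the second `if`. With namelen from CVAL (one byte) and val_len from SVAL (two bytes), `namelen + 5 + val_len` cannot wrap on its own, and the only operand that could push the full sum past the type limit is offset, which the `offset > data_size` clause rejects first; the declarations of offset, namelen and val_len and the loop bound lie outside the hunk, so confirm they are unsigned. read_ea_list starts and ends outside the hunk.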
@@ -505,7 +519,7 @@ static size_t ea_list_size(struct ea_list *ealist)
 /****************************************************************************
  Return a union of EA's from a file list and a list of names.
  The TALLOC context for the two lists *MUST* be identical as we steal
- memory from one list to another. JRA.
+ memory from one list to add to another. JRA.
 ****************************************************************************/
 static struct ea_list *ea_list_union(struct ea_list *name_list, struct ea_list *file_list, size_t *total_ea_len)
@@ -2730,7 +2744,12 @@ static int call_trans2qfilepathinfo(connection_struct *conn, char *inbuf, char *
 	/* Pull any EA list from the data portion. */
 	if (info_level == SMB_INFO_QUERY_EAS_FROM_LIST) {
-		uint32 ea_size = IVAL(pdata,0);
+		uint32 ea_size;
+
+		if (total_data < 4) {
+			return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+		}
+		ea_size = IVAL(pdata,0);
 		if (total_data > 0 && ea_size != total_data) {
 			DEBUG(4,("call_trans2qfilepathinfo: Rejecting EA request with incorrect \ |