summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJeremy Allison <jra@samba.org>2004-02-10 02:21:41 +0000
committerJeremy Allison <jra@samba.org>2004-02-10 02:21:41 +0000
commit1eaa54092b135aeef619a4ce998f733ea796dd47 (patch)
treee2ed05dd36de2f8f390dd3b55d86df4cca4e140e
parent00be82c1c89d210cdc269e74356698cbd23d3a32 (diff)
downloadsamba-1eaa54092b135aeef619a4ce998f733ea796dd47.tar.gz
samba-1eaa54092b135aeef619a4ce998f733ea796dd47.tar.bz2
samba-1eaa54092b135aeef619a4ce998f733ea796dd47.zip
Fix for possible crash bug from Sebastian Krahmer (SuSE).
Jeremy. (This used to be commit e7a25c1e2ea2ff980f4aecf94f65563316976997)
-rw-r--r--source3/libsmb/ntlmssp_parse.c20
1 files changed, 18 insertions, 2 deletions
diff --git a/source3/libsmb/ntlmssp_parse.c b/source3/libsmb/ntlmssp_parse.c
index 3444db0306..4b3043aec8 100644
--- a/source3/libsmb/ntlmssp_parse.c
+++ b/source3/libsmb/ntlmssp_parse.c
@@ -216,7 +216,9 @@ BOOL msrpc_parse(const DATA_BLOB *blob,
/* if odd length and unicode */
return False;
}
-
+ if (blob->data + ptr < (uint8 *)ptr || blob->data + ptr < blob->data)
+ return False;
+
if (0 < len1) {
pull_string(NULL, p, blob->data + ptr, sizeof(p),
len1,
@@ -241,7 +243,10 @@ BOOL msrpc_parse(const DATA_BLOB *blob,
if ((len1 != len2) || (ptr + len1 < ptr) || (ptr + len1 < len1) || (ptr + len1 > blob->length)) {
return False;
}
-
+
+ if (blob->data + ptr < (uint8 *)ptr || blob->data + ptr < blob->data)
+ return False;
+
if (0 < len1) {
pull_string(NULL, p, blob->data + ptr, sizeof(p),
len1,
@@ -266,6 +271,10 @@ BOOL msrpc_parse(const DATA_BLOB *blob,
if ((len1 != len2) || (ptr + len1 < ptr) || (ptr + len1 < len1) || (ptr + len1 > blob->length)) {
return False;
}
+
+ if (blob->data + ptr < (uint8 *)ptr || blob->data + ptr < blob->data)
+ return False;
+
*b = data_blob(blob->data + ptr, len1);
}
break;
@@ -274,6 +283,9 @@ BOOL msrpc_parse(const DATA_BLOB *blob,
len1 = va_arg(ap, unsigned);
/* make sure its in the right format - be strict */
NEED_DATA(len1);
+ if (blob->data + head_ofs < (uint8 *)head_ofs || blob->data + head_ofs < blob->data)
+ return False;
+
*b = data_blob(blob->data + head_ofs, len1);
head_ofs += len1;
break;
@@ -284,6 +296,10 @@ BOOL msrpc_parse(const DATA_BLOB *blob,
break;
case 'C':
s = va_arg(ap, char *);
+
+ if (blob->data + head_ofs < (uint8 *)head_ofs || blob->data + head_ofs < blob->data)
+ return False;
+
head_ofs += pull_string(NULL, p, blob->data+head_ofs, sizeof(p),
blob->length - head_ofs,
STR_ASCII|STR_TERMINATE);