authorAndrew Bartlett <abartlet@samba.org>2011-10-22 11:48:30 +1100
committerAndrew Bartlett <abartlet@samba.org>2011-10-28 13:10:28 +0200
commit7cf00e3231da1808a5ad1adf8fbc319846eacabe (patch)
tree298c33cc656daa8c2f0337b4c54606c719baee55
parent1bc787d27102df0442122139aa290c17909d2dc1 (diff)
gensec: Add parinoia about integer wrapping
-rw-r--r--auth/ntlmssp/ntlmssp_sign.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/auth/ntlmssp/ntlmssp_sign.c b/auth/ntlmssp/ntlmssp_sign.c
index a5c57d8423..4d07a81e44 100644
--- a/auth/ntlmssp/ntlmssp_sign.c
+++ b/auth/ntlmssp/ntlmssp_sign.c
@@ -402,6 +402,10 @@ NTSTATUS ntlmssp_wrap(struct ntlmssp_state *ntlmssp_state,
DATA_BLOB sig;
if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) {
+ if (in->length + NTLMSSP_SIG_SIZE < in->length) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
*out = data_blob_talloc(out_mem_ctx, NULL, in->length + NTLMSSP_SIG_SIZE);
if (!out->data) {
return NT_STATUS_NO_MEMORY;
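Review bot: The guard `in->length + NTLMSSP_SIG_SIZE < in->length` in the NTLMSSP_NEGOTIATE_SEAL branch only detects a wrap if `in->length` is an unsigned type at least as wide as `int`, and that declaration is not visible in this hunk. Writing it in subtraction form, `if (in->length > SIZE_MAX - NTLMSSP_SIG_SIZE) {`, states the bound directly and never computes a wrapped sum, assuming the length field is a `size_t`. A one-line comment such as `/* refuse lengths where adding the signature would wrap and under-allocate *out */` would tell the next reader why the check precedes `data_blob_talloc()`. The same guard is repeated verbatim in the NTLMSSP_NEGOTIATE_SIGN branch in the second hunk, so both points apply there; a small static helper would keep the two copies from drifting apart. The body of ntlmssp_wrap starts and ends outside the hunk.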
@@ -422,6 +426,9 @@ NTSTATUS ntlmssp_wrap(struct ntlmssp_state *ntlmssp_state,
return nt_status;
} else if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) {
+ if (in->length + NTLMSSP_SIG_SIZE < in->length) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
*out = data_blob_talloc(out_mem_ctx, NULL, in->length + NTLMSSP_SIG_SIZE);
if (!out->data) {