authorJeremy Allison <jra@samba.org>2004-02-10 02:21:38 +0000
committerJeremy Allison <jra@samba.org>2004-02-10 02:21:38 +0000
commit57dacbe948e10797776eaf214eaf393983ebda55 (patch)
treea66135097d908813127edeed0cbb5852dca4d9d6
parent53f924e2671d4b7ff486fa9d65ea33318a0dbd9d (diff)
Fix for possible crash bug from Sebastian Krahmer (SuSE).
Jeremy. (This used to be commit e275835b516ec2e319ad5a6943be007d34a55d75)
-rw-r--r--source3/libsmb/ntlmssp_parse.c20
1 files changed, 18 insertions, 2 deletions
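diff --git a/source3/libsmb/ntlmssp_parse.c b/source3/libsmb/ntlmssp_parse.c
index 3444db0306..4b3043aec8 100644
--- a/source3/libsmb/ntlmssp_parse.c
+++ b/source3/libsmb/ntlmssp_parse.c
@@ -216,7 +216,9 @@ BOOL msrpc_parse(const DATA_BLOB *blob,
 /* if odd length and unicode */
 return False;
 }
-
+ if (blob->data + ptr < (uint8 *)ptr || blob->data + ptr < blob->data)
+ return False;
+
 if (0 < len1) {
 pull_string(NULL, p, blob->data + ptr, sizeof(p),
 len1,
@@ -241,7 +243,10 @@ BOOL msrpc_parse(const DATA_BLOB *blob,
 if ((len1 != len2) || (ptr + len1 < ptr) || (ptr + len1 < len1) || (ptr + len1 > blob->length)) {
 return False;
 }
-
+
+ if (blob->data + ptr < (uint8 *)ptr || blob->data + ptr < blob->data)
+ return False;
+
 if (0 < len1) {
 pull_string(NULL, p, blob->data + ptr, sizeof(p),
 len1,
@@ -266,6 +271,10 @@ BOOL msrpc_parse(const DATA_BLOB *blob,
 if ((len1 != len2) || (ptr + len1 < ptr) || (ptr + len1 < len1) || (ptr + len1 > blob->length)) {
 return False;
 }
+
+ if (blob->data + ptr < (uint8 *)ptr || blob->data + ptr < blob->data)
+ return False;
+
 *b = data_blob(blob->data + ptr, len1);
 }
 break;
@@ -274,6 +283,9 @@ BOOL msrpc_parse(const DATA_BLOB *blob,
 len1 = va_arg(ap, unsigned);
 /* make sure its in the right format - be strict */
 NEED_DATA(len1);
+ if (blob->data + head_ofs < (uint8 *)head_ofs || blob->data + head_ofs < blob->data)
+ return False;
+
 *b = data_blob(blob->data + head_ofs, len1);
 head_ofs += len1;
 break;
@@ -284,6 +296,10 @@ BOOL msrpc_parse(const DATA_BLOB *blob,
 break;
 case 'C':
 s = va_arg(ap, char *);
+
+ if (blob->data + head_ofs < (uint8 *)head_ofs || blob->data + head_ofs < blob->data)
+ return False;
+
 head_ofs += pull_string(NULL, p, blob->data+head_ofs, sizeof(p),
 blob->length - head_ofs,
 STR_ASCII|STR_TERMINATE);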
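Review bot: The guard added in every hunk, `blob->data + ptr < (uint8 *)ptr || blob->data + ptr < blob->data` (and the `head_ofs` form in the last two), tries to detect pointer wraparound after the fact, but forming a pointer beyond the end of the `blob->data` object is undefined behaviour in C, so the compiler is entitled to assume `blob->data + ptr >= blob->data` and delete the test, and comparing against `(uint8 *)ptr` (an integer converted to a pointer) has no defined ordering at all. The portable defence is to bound the offset as an integer before any pointer is formed, which the second and third hunks already do with `(ptr + len1 > blob->length)`, so the new pointer checks there add nothing the existing line does not. In the `'C'` case the check that is actually missing is an integer one, `if (head_ofs > blob->length) return False;` before the `pull_string` call, because `blob->length - head_ofs` wraps to a huge length if an earlier case advanced `head_ofs` past the end (whether a check above the hunk already rules that out cannot be seen here). `msrpc_parse` begins and ends outside these hunks.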