author | Jeremy Allison <jra@samba.org> | 2004-02-10 02:21:38 +0000 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2004-02-10 02:21:38 +0000 |
commit | 57dacbe948e10797776eaf214eaf393983ebda55 (patch) | |
tree | a66135097d908813127edeed0cbb5852dca4d9d6 | |
parent | 53f924e2671d4b7ff486fa9d65ea33318a0dbd9d (diff) | |
Fix for possible crash bug from Sebastian Krahmer (SuSE).
Jeremy.
(This used to be commit e275835b516ec2e319ad5a6943be007d34a55d75)
-rw-r--r-- | source3/libsmb/ntlmssp_parse.c | 20 |
1 files changed, 18 insertions, 2 deletions
diff --git a/source3/libsmb/ntlmssp_parse.c b/source3/libsmb/ntlmssp_parse.c
index 3444db0306..4b3043aec8 100644
--- a/source3/libsmb/ntlmssp_parse.c
+++ b/source3/libsmb/ntlmssp_parse.c
@@ -216,7 +216,9 @@ BOOL msrpc_parse(const DATA_BLOB *blob,
 /* if odd length and unicode */
 return False;
 }
-
+ if (blob->data + ptr < (uint8 *)ptr || blob->data + ptr < blob->data)
+ return False;
+
 if (0 < len1) {
 pull_string(NULL, p, blob->data + ptr, sizeof(p), len1,
@@ -241,7 +243,10 @@ BOOL msrpc_parse(const DATA_BLOB *blob,
 if ((len1 != len2) || (ptr + len1 < ptr) || (ptr + len1 < len1) || (ptr + len1 > blob->length)) {
 return False;
 }
-
+
+ if (blob->data + ptr < (uint8 *)ptr || blob->data + ptr < blob->data)
+ return False;
+
 if (0 < len1) {
 pull_string(NULL, p, blob->data + ptr, sizeof(p), len1,
@@ -266,6 +271,10 @@ BOOL msrpc_parse(const DATA_BLOB *blob,
 if ((len1 != len2) || (ptr + len1 < ptr) || (ptr + len1 < len1) || (ptr + len1 > blob->length)) {
 return False;
 }
+
+ if (blob->data + ptr < (uint8 *)ptr || blob->data + ptr < blob->data)
+ return False;
+
 *b = data_blob(blob->data + ptr, len1);
 }
 break;
@@ -274,6 +283,9 @@ BOOL msrpc_parse(const DATA_BLOB *blob,
 len1 = va_arg(ap, unsigned);
 /* make sure its in the right format - be strict */
 NEED_DATA(len1);
+ if (blob->data + head_ofs < (uint8 *)head_ofs || blob->data + head_ofs < blob->data)
+ return False;
+
 *b = data_blob(blob->data + head_ofs, len1);
 head_ofs += len1;
 break;
@@ -284,6 +296,10 @@ BOOL msrpc_parse(const DATA_BLOB *blob,
 break;
 case 'C':
 s = va_arg(ap, char *);
+
+ if (blob->data + head_ofs < (uint8 *)head_ofs || blob->data + head_ofs < blob->data)
+ return False;
+
 head_ofs += pull_string(NULL, p, blob->data+head_ofs, sizeof(p), blob->length - head_ofs, STR_ASCII|STR_TERMINATE); |
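Review bot: The guard added in the hunk at -216, `blob->data + ptr < (uint8 *)ptr || blob->data + ptr < blob->data`, detects overflow by letting pointer arithmetic wrap, which is undefined behaviour in C, so an optimising compiler may remove the second comparison; the first comparison also treats an integer offset as an address. The same guard is repeated in the hunks at -241 and -266, and on `head_ofs` in the hunks at -274 and -284. Comparing the offset with the blob size is well defined and states the intent directly: `if (ptr > blob->length) return False;`. In the -241 and -266 hunks the preceding context line already rejects `ptr + len1 > blob->length`, so if `ptr` and `len1` are unsigned (their declarations are outside the hunks) the offset is already bounded there. Since msrpc_parse starts and ends outside these hunks, a single helper or macro for the five copies would need to be placed with the existing NEED_DATA definition, which is not visible here.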
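Review bot: In the 'C' case (hunk at -284) the source length passed to pull_string is `blob->length - head_ofs`, and the added pointer comparison does not reject a `head_ofs` that is merely larger than `blob->length` without wrapping the address. If both values are unsigned (their declarations are outside the hunk), that subtraction would wrap to a very large length and pull_string would read past the blob. A direct bound before the call covers it: `if (head_ofs > blob->length) return False;`. Whether the earlier cases can actually leave `head_ofs` past the end is not visible in this hunk, so this is a defensive check rather than a confirmed defect.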