diff options
| author | Jeremy Allison <jra@samba.org> | 2013-07-10 17:10:17 -0700 |
|---|---|---|
| committer | Karolin Seeger <kseeger@samba.org> | 2013-08-05 12:49:17 +0200 |
| commit | c8d8bb257ac390c89c4238ed86dfef02750b6049 (patch) | |
| tree | bed9872045147e617d49d9af429e6e3e24dae1b8 | |
| parent | 6659f0164c6b8d7ad522bcd6c2c6748c3d9bca81 (diff) | |
| download | samba-c8d8bb257ac390c89c4238ed86dfef02750b6049.tar.gz samba-c8d8bb257ac390c89c4238ed86dfef02750b6049.tar.bz2 samba-c8d8bb257ac390c89c4238ed86dfef02750b6049.zip | |
Fix bug #10010 - Missing integer wrap protection in EA list reading can cause server to loop with DOS.
Ensure we never wrap whilst adding client provided input.
Signed-off-by: Jeremy Allison <jra@samba.org>
| -rw-r--r-- | source3/smbd/nttrans.c | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c index 800e2fd260..bcba29a3e8 100644 --- a/source3/smbd/nttrans.c +++ b/source3/smbd/nttrans.c @@ -990,7 +990,19 @@ struct ea_list *read_nttrans_ea_list(TALLOC_CTX *ctx, const char *pdata, size_t if (next_offset == 0) { break; } + + /* Integer wrap protection for the increment. */ + if (offset + next_offset < offset) { + break; + } + offset += next_offset; + + /* Integer wrap protection for while loop. */ + if (offset + 4 < offset) { + break; + } + } return ea_list_head; |