gensec: Add parinoia about integer wrapping

author: Andrew Bartlett <abartlet@samba.org> 2011-10-22 11:48:30 +1100
committer: Andrew Bartlett <abartlet@samba.org> 2011-10-28 13:10:28 +0200
commit: 7cf00e3231da1808a5ad1adf8fbc319846eacabe (patch)
tree: 298c33cc656daa8c2f0337b4c54606c719baee55 /auth/ntlmssp
parent: 1bc787d27102df0442122139aa290c17909d2dc1 (diff)
download: samba-7cf00e3231da1808a5ad1adf8fbc319846eacabe.tar.gz
samba-7cf00e3231da1808a5ad1adf8fbc319846eacabe.tar.bz2
samba-7cf00e3231da1808a5ad1adf8fbc319846eacabe.zip
1 files changed, 7 insertions, 0 deletions
diff --git a/auth/ntlmssp/ntlmssp_sign.c b/auth/ntlmssp/ntlmssp_sign.c
index a5c57d8423..4d07a81e44 100644
--- a/auth/ntlmssp/ntlmssp_sign.c
+++ b/auth/ntlmssp/ntlmssp_sign.c
@@ -402,6 +402,10 @@ NTSTATUS ntlmssp_wrap(struct ntlmssp_state *ntlmssp_state,
 	DATA_BLOB sig;
 
 	if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) {
+		if (in->length + NTLMSSP_SIG_SIZE < in->length) {
+			return NT_STATUS_INVALID_PARAMETER;
+		}
+
 		*out = data_blob_talloc(out_mem_ctx, NULL, in->length + NTLMSSP_SIG_SIZE);
 		if (!out->data) {
 			return NT_STATUS_NO_MEMORY;
@@ -422,6 +426,9 @@ NTSTATUS ntlmssp_wrap(struct ntlmssp_state *ntlmssp_state,
 		return nt_status;
 
 	} else if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) {
+		if (in->length + NTLMSSP_SIG_SIZE < in->length) {
+			return NT_STATUS_INVALID_PARAMETER;
+		}
 
 		*out = data_blob_talloc(out_mem_ctx, NULL, in->length + NTLMSSP_SIG_SIZE);
 		if (!out->data) {
author	Andrew Bartlett <abartlet@samba.org>	2011-10-22 11:48:30 +1100
committer	Andrew Bartlett <abartlet@samba.org>	2011-10-28 13:10:28 +0200
commit	7cf00e3231da1808a5ad1adf8fbc319846eacabe (patch)
tree	298c33cc656daa8c2f0337b4c54606c719baee55 /auth/ntlmssp
parent	1bc787d27102df0442122139aa290c17909d2dc1 (diff)
download	samba-7cf00e3231da1808a5ad1adf8fbc319846eacabe.tar.gz samba-7cf00e3231da1808a5ad1adf8fbc319846eacabe.tar.bz2 samba-7cf00e3231da1808a5ad1adf8fbc319846eacabe.zip