authorVolker Lendecke <vl@samba.org>2013-05-30 15:54:58 +0200
committerVolker Lendecke <vl@samba.org>2013-06-03 10:21:32 +0200
commitd9b4f19e73f241a1ccf64f04c3cc28d481550bb7 (patch)
tree7ada516e8dc98f6f0856112ccd87122a15f4b36e /lib/tdb/common
parent8b215df4454883b3733733af4f49f87eb0a2a46a (diff)
tdb: Make tdb_recovery_allocate overflow-safe
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Rusty Russell <rusty@rustcorp.com.au>
Diffstat (limited to 'lib/tdb/common')
-rw-r--r--lib/tdb/common/transaction.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/lib/tdb/common/transaction.c b/lib/tdb/common/transaction.c
index 080d0586c3..a2c3bbdff3 100644
--- a/lib/tdb/common/transaction.c
+++ b/lib/tdb/common/transaction.c
@@ -762,7 +762,12 @@ static int tdb_recovery_allocate(struct tdb_context *tdb,
tdb->page_size)
- sizeof(rec);
- new_end = recovery_head + sizeof(rec) + *recovery_max_size;
+ if (!tdb_add_off_t(recovery_head, sizeof(rec), &new_end) ||
+ !tdb_add_off_t(new_end, *recovery_max_size, &new_end)) {
+ TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_recovery_allocate: "
+ "overflow recovery area\n"));
+ return -1;
+ }
if (methods->tdb_expand_file(tdb, tdb->transaction->old_map_size,
new_end - tdb->transaction->old_map_size)
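Review bot: The value that feeds the new checks is still produced by unchecked arithmetic: the round-up expression ending in `tdb->page_size) - sizeof(rec);` just above the added lines assigns `*recovery_max_size` before either `tdb_add_off_t` call runs. If that expression wraps, the guarded sum is built from an already-truncated size and passes the check. The start of the expression lies outside the hunk, so this is inferred from the two visible context lines; if its operands are plain additions on `*recovery_size`, they should go through `tdb_add_off_t` as well and fail with the same `return -1`. The subtraction `new_end - tdb->transaction->old_map_size` passed to `tdb_expand_file` likewise depends on `new_end` never being below `old_map_size`. If that invariant holds, it deserves a one-line comment such as `/* recovery_head >= old_map_size, so this cannot underflow */`; otherwise it needs an explicit comparison before the call.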