diff options
| author | Jeremy Allison <jra@samba.org> | 2004-02-10 02:21:41 +0000 |
|---|---|---|
| committer | Jeremy Allison <jra@samba.org> | 2004-02-10 02:21:41 +0000 |
| commit | 1eaa54092b135aeef619a4ce998f733ea796dd47 (patch) | |
| tree | e2ed05dd36de2f8f390dd3b55d86df4cca4e140e /source3/libsmb | |
| parent | 00be82c1c89d210cdc269e74356698cbd23d3a32 (diff) | |
| download | samba-1eaa54092b135aeef619a4ce998f733ea796dd47.tar.gz samba-1eaa54092b135aeef619a4ce998f733ea796dd47.tar.bz2 samba-1eaa54092b135aeef619a4ce998f733ea796dd47.zip | |
Fix for possible crash bug from Sebastian Krahmer (SuSE).
Jeremy.
(This used to be commit e7a25c1e2ea2ff980f4aecf94f65563316976997)
Diffstat (limited to 'source3/libsmb')
| -rw-r--r-- | source3/libsmb/ntlmssp_parse.c | 20 |
1 files changed, 18 insertions, 2 deletions
diff --git a/source3/libsmb/ntlmssp_parse.c b/source3/libsmb/ntlmssp_parse.c index 3444db0306..4b3043aec8 100644 --- a/source3/libsmb/ntlmssp_parse.c +++ b/source3/libsmb/ntlmssp_parse.c @@ -216,7 +216,9 @@ BOOL msrpc_parse(const DATA_BLOB *blob, /* if odd length and unicode */ return False; } - + if (blob->data + ptr < (uint8 *)ptr || blob->data + ptr < blob->data) + return False; + if (0 < len1) { pull_string(NULL, p, blob->data + ptr, sizeof(p), len1, @@ -241,7 +243,10 @@ BOOL msrpc_parse(const DATA_BLOB *blob, if ((len1 != len2) || (ptr + len1 < ptr) || (ptr + len1 < len1) || (ptr + len1 > blob->length)) { return False; } - + + if (blob->data + ptr < (uint8 *)ptr || blob->data + ptr < blob->data) + return False; + if (0 < len1) { pull_string(NULL, p, blob->data + ptr, sizeof(p), len1, @@ -266,6 +271,10 @@ BOOL msrpc_parse(const DATA_BLOB *blob, if ((len1 != len2) || (ptr + len1 < ptr) || (ptr + len1 < len1) || (ptr + len1 > blob->length)) { return False; } + + if (blob->data + ptr < (uint8 *)ptr || blob->data + ptr < blob->data) + return False; + *b = data_blob(blob->data + ptr, len1); } break; @@ -274,6 +283,9 @@ BOOL msrpc_parse(const DATA_BLOB *blob, len1 = va_arg(ap, unsigned); /* make sure its in the right format - be strict */ NEED_DATA(len1); + if (blob->data + head_ofs < (uint8 *)head_ofs || blob->data + head_ofs < blob->data) + return False; + *b = data_blob(blob->data + head_ofs, len1); head_ofs += len1; break; @@ -284,6 +296,10 @@ BOOL msrpc_parse(const DATA_BLOB *blob, break; case 'C': s = va_arg(ap, char *); + + if (blob->data + head_ofs < (uint8 *)head_ofs || blob->data + head_ofs < blob->data) + return False; + head_ofs += pull_string(NULL, p, blob->data+head_ofs, sizeof(p), blob->length - head_ofs, STR_ASCII|STR_TERMINATE); |