author | Jeremy Allison <jra@samba.org> | 2003-10-29 21:28:00 +0000 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2003-10-29 21:28:00 +0000 |
commit | 231124ced9237cdbc3732a722c8f373ee760927b (patch) | |
tree | 29ef77ec225223bd9339ec3826a228c746ab140e /source3/libsmb | |
parent | fdb2f57f62b776118156f266b8273f509ea60484 (diff) | |
Fixes to check for wraps which could cause coredumps.
Jeremy.
(This used to be commit ad06edd1bb58cc5e2c38a364b1af96a933b770af)
Diffstat (limited to 'source3/libsmb')
-rw-r--r-- | source3/libsmb/clilist.c | 2 | ||||
-rw-r--r-- | source3/libsmb/ntlmssp_parse.c | 7 |
2 files changed, 4 insertions, 5 deletions
diff --git a/source3/libsmb/clilist.c b/source3/libsmb/clilist.c
index 7822987ada..2c1831ae99 100644
--- a/source3/libsmb/clilist.c
+++ b/source3/libsmb/clilist.c
@@ -82,7 +82,7 @@ static int interpret_long_filename(struct cli_state *cli,
 case 260: /* NT uses this, but also accepts 2 */ {
- int namelen, slen;
+ size_t namelen, slen;
 p += 4; /* next entry offset */
 p += 4; /* fileindex */
diff --git a/source3/libsmb/ntlmssp_parse.c b/source3/libsmb/ntlmssp_parse.c
index 60cb4ab04a..b136dacf5a 100644
--- a/source3/libsmb/ntlmssp_parse.c
+++ b/source3/libsmb/ntlmssp_parse.c
@@ -226,7 +226,7 @@ BOOL msrpc_parse(const DATA_BLOB *blob,
 *ps = smb_xstrdup("");
 } else {
 /* make sure its in the right format - be strict */
- if (len1 != len2 || ptr + len1 > blob->length) {
+ if ((len1 != len2) || (ptr + len1 < ptr) || (ptr + len1 < len1) || (ptr + len1 > blob->length)) {
 return False;
 }
 if (len1 & 1) {
@@ -255,7 +255,7 @@ BOOL msrpc_parse(const DATA_BLOB *blob,
 if (len1 == 0 && len2 == 0) {
 *ps = smb_xstrdup("");
 } else {
- if (len1 != len2 || ptr + len1 > blob->length) {
+ if ((len1 != len2) || (ptr + len1 < ptr) || (ptr + len1 < len1) || (ptr + len1 > blob->length)) {
 return False;
 }
@@ -280,7 +280,7 @@ BOOL msrpc_parse(const DATA_BLOB *blob,
 *b = data_blob(NULL, 0);
 } else {
 /* make sure its in the right format - be strict */
- if (len1 != len2 || ptr + len1 > blob->length) {
+ if ((len1 != len2) || (ptr + len1 < ptr) || (ptr + len1 < len1) || (ptr + len1 > blob->length)) {
 return False;
 }
 *b = data_blob(blob->data + ptr, len1);
@@ -314,4 +314,3 @@ BOOL msrpc_parse(const DATA_BLOB *blob,
 return True;
 }
- |
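Review bot: Declaring `namelen` and `slen` as `size_t` in the `case 260` block of interpret_long_filename removes the negative-length case, but nothing visible in this hunk bounds either value against the bytes left in the reply, and the block continues past the end of the hunk. If these lengths are read from the server's response, as the surrounding parsing suggests, an oversized value is now a very large unsigned count rather than a negative one, so the code that consumes them should compare each against the remaining receive-buffer size before any copy. A short comment on the declaration would record the intent, for example `/* wire lengths: unsigned so they cannot go negative; bound before use */`.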
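Review bot: The new wrap test in the `@@ -226` hunk of msrpc_parse still computes `ptr + len1` and only afterwards checks whether it wrapped, which is sound only if both operands are unsigned at the width of the addition; their declarations are outside the hunk, and if either is signed the overflow is undefined and a compiler may drop the comparisons. A form that never adds avoids the question: `if (len1 != len2 || ptr > blob->length || len1 > blob->length - ptr) {`. The same four-part condition is repeated verbatim in the `@@ -255` and `@@ -280` hunks, so a small static helper taking `blob`, `ptr` and `len1` would keep the three checks from drifting apart. The `@@ -280` case deserves the most care, since `data_blob(blob->data + ptr, len1)` reads directly from an offset that presumably comes from the parsed message.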