author | Volker Lendecke <vl@samba.org> | 2013-09-11 12:04:58 +0000 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2013-09-12 03:26:45 +0200 |
commit | 8f411425f6649422cb5ab94ec6ca392a02ec5ee5 (patch) | |
tree | 3c58f6eb969db25f47634e233872d4d4e9d77ec8 /source3/locking | |
parent | 776db7d38597a29536e4127837ffa3b4f4ce35ab (diff) | |
smbd: Properly protect against invalid lock data
If someone messes with brlock.tdb and inserts an invalid record length,
this will lead to memcpy overwriting a few bytes behind malloc'ed data.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Sep 12 03:26:45 CEST 2013 on sn-devel-104
Diffstat (limited to 'source3/locking')
-rw-r--r-- | source3/locking/brlock.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/source3/locking/brlock.c b/source3/locking/brlock.c index ac54767a48..adbfc5fb65 100644 --- a/source3/locking/brlock.c +++ b/source3/locking/brlock.c @@ -1976,6 +1976,12 @@ static struct byte_range_lock *brl_get_locks_internal(TALLOC_CTX *mem_ctx, data = dbwrap_record_get_value(br_lck->record); } + if ((data.dsize % sizeof(struct lock_struct)) != 0) { + DEBUG(3, ("Got invalid brlock data\n")); + TALLOC_FREE(br_lck); + return NULL; + } + br_lck->read_only = do_read_only; br_lck->lock_data = NULL; |
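Review bot: The rejection path in brl_get_locks_internal logs only "Got invalid brlock data" at DEBUG level 3, which gives an administrator nothing to act on when brlock.tdb has been corrupted or tampered with. Suggest including data.dsize and sizeof(struct lock_struct) in the message and considering a lower debug level, so the event is visible at default log settings, since an invalid record length in this database is an integrity failure rather than routine noise. A short comment above the check, stating that a length that is not a multiple of the struct size would otherwise lead to the memcpy overrun described in the commit message, would help later readers keep the check in place. It is also worth confirming that TALLOC_FREE(br_lck) on this early return releases br_lck->record, which was fetched just above and is not freed explicitly here.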