summaryrefslogtreecommitdiff
path: root/source3/locking
diff options
context:
space:
mode:
authorVolker Lendecke <vl@samba.org>2013-09-11 12:04:58 +0000
committerJeremy Allison <jra@samba.org>2013-09-12 03:26:45 +0200
commit8f411425f6649422cb5ab94ec6ca392a02ec5ee5 (patch)
tree3c58f6eb969db25f47634e233872d4d4e9d77ec8 /source3/locking
parent776db7d38597a29536e4127837ffa3b4f4ce35ab (diff)
downloadsamba-8f411425f6649422cb5ab94ec6ca392a02ec5ee5.tar.gz
samba-8f411425f6649422cb5ab94ec6ca392a02ec5ee5.tar.bz2
samba-8f411425f6649422cb5ab94ec6ca392a02ec5ee5.zip
smbd: Properly protect against invalid lock data
If someone messes with brlock.tdb and inserts an invalid record length, this will lead to memcpy overwriting a few bytes behind malloc'ed data. Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Thu Sep 12 03:26:45 CEST 2013 on sn-devel-104
Diffstat (limited to 'source3/locking')
-rw-r--r--source3/locking/brlock.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/source3/locking/brlock.c b/source3/locking/brlock.c
index ac54767a48..adbfc5fb65 100644
--- a/source3/locking/brlock.c
+++ b/source3/locking/brlock.c
@@ -1976,6 +1976,12 @@ static struct byte_range_lock *brl_get_locks_internal(TALLOC_CTX *mem_ctx,
data = dbwrap_record_get_value(br_lck->record);
}
+ if ((data.dsize % sizeof(struct lock_struct)) != 0) {
+ DEBUG(3, ("Got invalid brlock data\n"));
+ TALLOC_FREE(br_lck);
+ return NULL;
+ }
+
br_lck->read_only = do_read_only;
br_lck->lock_data = NULL;