smbd: Properly protect against invalid lock data

If someone messes with brlock.tdb and inserts an invalid record length, this will lead to memcpy overwriting a few bytes behind malloc'ed data. Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Thu Sep 12 03:26:45 CEST 2013 on sn-devel-104
author: Volker Lendecke <vl@samba.org> 2013-09-11 12:04:58 +0000
committer: Jeremy Allison <jra@samba.org> 2013-09-12 03:26:45 +0200
commit: 8f411425f6649422cb5ab94ec6ca392a02ec5ee5 (patch)
tree: 3c58f6eb969db25f47634e233872d4d4e9d77ec8 /source3/locking
parent: 776db7d38597a29536e4127837ffa3b4f4ce35ab (diff)
download: samba-8f411425f6649422cb5ab94ec6ca392a02ec5ee5.tar.gz
samba-8f411425f6649422cb5ab94ec6ca392a02ec5ee5.tar.bz2
samba-8f411425f6649422cb5ab94ec6ca392a02ec5ee5.zip
1 files changed, 6 insertions, 0 deletions
diff --git a/source3/locking/brlock.c b/source3/locking/brlock.c
index ac54767a48..adbfc5fb65 100644
--- a/source3/locking/brlock.c
+++ b/source3/locking/brlock.c
@@ -1976,6 +1976,12 @@ static struct byte_range_lock *brl_get_locks_internal(TALLOC_CTX *mem_ctx,
 		data = dbwrap_record_get_value(br_lck->record);
 	}
 
+	if ((data.dsize % sizeof(struct lock_struct)) != 0) {
+		DEBUG(3, ("Got invalid brlock data\n"));
+		TALLOC_FREE(br_lck);
+		return NULL;
+	}
+
 	br_lck->read_only = do_read_only;
 	br_lck->lock_data = NULL;
author	Volker Lendecke <vl@samba.org>	2013-09-11 12:04:58 +0000
committer	Jeremy Allison <jra@samba.org>	2013-09-12 03:26:45 +0200
commit	8f411425f6649422cb5ab94ec6ca392a02ec5ee5 (patch)
tree	3c58f6eb969db25f47634e233872d4d4e9d77ec8 /source3/locking
parent	776db7d38597a29536e4127837ffa3b4f4ce35ab (diff)
download	samba-8f411425f6649422cb5ab94ec6ca392a02ec5ee5.tar.gz samba-8f411425f6649422cb5ab94ec6ca392a02ec5ee5.tar.bz2 samba-8f411425f6649422cb5ab94ec6ca392a02ec5ee5.zip