summaryrefslogtreecommitdiff
path: root/source3
diff options
context:
space:
mode:
authorJeremy Allison <jra@samba.org>2013-07-10 17:10:17 -0700
committerKarolin Seeger <kseeger@samba.org>2013-08-05 12:49:17 +0200
commitc8d8bb257ac390c89c4238ed86dfef02750b6049 (patch)
treebed9872045147e617d49d9af429e6e3e24dae1b8 /source3
parent6659f0164c6b8d7ad522bcd6c2c6748c3d9bca81 (diff)
downloadsamba-c8d8bb257ac390c89c4238ed86dfef02750b6049.tar.gz
samba-c8d8bb257ac390c89c4238ed86dfef02750b6049.tar.bz2
samba-c8d8bb257ac390c89c4238ed86dfef02750b6049.zip
Fix bug #10010 - Missing integer wrap protection in EA list reading can cause server to loop with DOS.
Ensure we never wrap whilst adding client provided input. Signed-off-by: Jeremy Allison <jra@samba.org>
Diffstat (limited to 'source3')
-rw-r--r--source3/smbd/nttrans.c12
1 files changed, 12 insertions, 0 deletions
diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
index 800e2fd260..bcba29a3e8 100644
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -990,7 +990,19 @@ struct ea_list *read_nttrans_ea_list(TALLOC_CTX *ctx, const char *pdata, size_t
if (next_offset == 0) {
break;
}
+
+ /* Integer wrap protection for the increment. */
+ if (offset + next_offset < offset) {
+ break;
+ }
+
offset += next_offset;
+
+ /* Integer wrap protection for while loop. */
+ if (offset + 4 < offset) {
+ break;
+ }
+
}
return ea_list_head;