authorJeremy Allison <jra@samba.org>2013-07-11 09:36:01 -0700
committerKarolin Seeger <kseeger@samba.org>2013-08-05 14:39:04 +0200
commitc4cba824d9e4bb31e1b6a901e994ffdfd3ad522e (patch)
tree0f0251e281f64a90d48348a9a758429b67bff187 /source4/libcli/raw
parentc8d8bb257ac390c89c4238ed86dfef02750b6049 (diff)
Fix bug #10010 - Missing integer wrap protection in EA list reading can cause server to loop with DOS.
Fix client-side parsing also. Found by David Disseldorp <ddiss@suse.de> Signed-off-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Karolin Seeger <kseeger@samba.org> Autobuild-Date(master): Mon Aug 5 14:39:04 CEST 2013 on sn-devel-104
Diffstat (limited to 'source4/libcli/raw')
-rw-r--r--source4/libcli/raw/raweas.c7
1 files changed, 5 insertions, 2 deletions
diff --git a/source4/libcli/raw/raweas.c b/source4/libcli/raw/raweas.c
index 5f06e7001d..b626b316d2 100644
--- a/source4/libcli/raw/raweas.c
+++ b/source4/libcli/raw/raweas.c
@@ -243,9 +243,12 @@ NTSTATUS ea_pull_list_chained(const DATA_BLOB *blob,
return NT_STATUS_INVALID_PARAMETER;
}
- ofs += next_ofs;
+ if (ofs + next_ofs < ofs) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
- if (ofs+4 > blob->length) {
+ ofs += next_ofs;
+ if (ofs+4 > blob->length || ofs+4 < ofs) {
return NT_STATUS_INVALID_PARAMETER;
}
n++;
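Review bot: Both new guards, `ofs + next_ofs < ofs` and `ofs+4 < ofs`, detect the wrap only after the addition, so they are correct only if `ofs` and `next_ofs` are unsigned and not promoted to a wider signed type; their declarations are outside this hunk and should be confirmed. Comparing against the space left in the blob removes that dependency and replaces all three tests: `if (next_ofs > blob->length - ofs || blob->length - ofs - next_ofs < 4) {` placed before `ofs += next_ofs;`, assuming the surrounding loop already guarantees `ofs <= blob->length`. If the current form is kept, a short comment such as `/* next_ofs is read from the wire; reject values that wrap ofs */` would show the next reader that the comparison is not dead code. The hunk also does not show whether `next_ofs` is checked against the length the current entry actually consumed, so overlapping entries may still be accepted; that is worth checking in the part of `ea_pull_list_chained` outside this hunk.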