diff options
author | Jeremy Allison <jra@samba.org> | 2013-07-11 09:36:01 -0700 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2013-08-05 14:39:04 +0200 |
commit | c4cba824d9e4bb31e1b6a901e994ffdfd3ad522e (patch) | |
tree | 0f0251e281f64a90d48348a9a758429b67bff187 /source4/libcli/raw | |
parent | c8d8bb257ac390c89c4238ed86dfef02750b6049 (diff) | |
download | samba-c4cba824d9e4bb31e1b6a901e994ffdfd3ad522e.tar.gz samba-c4cba824d9e4bb31e1b6a901e994ffdfd3ad522e.tar.bz2 samba-c4cba824d9e4bb31e1b6a901e994ffdfd3ad522e.zip |
Fix bug #10010 - Missing integer wrap protection in EA list reading can cause server to loop with DOS.
Fix client-side parsing also. Found by David Disseldorp <ddiss@suse.de>
Signed-off-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(master): Mon Aug 5 14:39:04 CEST 2013 on sn-devel-104
Diffstat (limited to 'source4/libcli/raw')
-rw-r--r-- | source4/libcli/raw/raweas.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/source4/libcli/raw/raweas.c b/source4/libcli/raw/raweas.c index 5f06e7001d..b626b316d2 100644 --- a/source4/libcli/raw/raweas.c +++ b/source4/libcli/raw/raweas.c @@ -243,9 +243,12 @@ NTSTATUS ea_pull_list_chained(const DATA_BLOB *blob, return NT_STATUS_INVALID_PARAMETER; } - ofs += next_ofs; + if (ofs + next_ofs < ofs) { + return NT_STATUS_INVALID_PARAMETER; + } - if (ofs+4 > blob->length) { + ofs += next_ofs; + if (ofs+4 > blob->length || ofs+4 < ofs) { return NT_STATUS_INVALID_PARAMETER; } n++; |