From 8f411425f6649422cb5ab94ec6ca392a02ec5ee5 Mon Sep 17 00:00:00 2001
From: Volker Lendecke
Date: Wed, 11 Sep 2013 12:04:58 +0000
Subject: smbd: Properly protect against invalid lock data

If someone messes with brlock.tdb and inserts an invalid record length, this will lead to memcpy overwriting a few bytes behind malloc'ed data.

Signed-off-by: Volker Lendecke
Reviewed-by: Jeremy Allison

Autobuild-User(master): Jeremy Allison
Autobuild-Date(master): Thu Sep 12 03:26:45 CEST 2013 on sn-devel-104
---
 source3/locking/brlock.c | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'source3')

diff --git a/source3/locking/brlock.c b/source3/locking/brlock.c
index ac54767a48..adbfc5fb65 100644
--- a/source3/locking/brlock.c
+++ b/source3/locking/brlock.c
@@ -1976,6 +1976,12 @@ static struct byte_range_lock *brl_get_locks_internal(TALLOC_CTX *mem_ctx,
 data = dbwrap_record_get_value(br_lck->record);
 }
 
+ if ((data.dsize % sizeof(struct lock_struct)) != 0) {
+ DEBUG(3, ("Got invalid brlock data\n"));
+ TALLOC_FREE(br_lck);
+ return NULL;
+ }
+
 br_lck->read_only = do_read_only;
 br_lck->lock_data = NULL;
 
-- 
cgit
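Review bot: The new rejection path logs only a constant string, which leaves an operator nothing to correlate when brlock.tdb has been corrupted or tampered with; the offending size should be part of the message, e.g. `DEBUG(3, ("Got invalid brlock data: dsize %u is not a multiple of %u\n", (unsigned int)data.dsize, (unsigned int)sizeof(struct lock_struct)));`. A record length that is not a multiple of the lock struct can only come from a damaged or manipulated database, so a more prominent debug level than 3 is arguably warranted, though the file's level conventions are not visible here. The check guards the size arithmetic only; the code that later divides dsize by sizeof(struct lock_struct) and copies the record, and the read-only branch that presumably also fills `data`, lie outside the hunk, so whether every consumer of dsize is now covered cannot be confirmed from this view. brl_get_locks_internal starts and continues outside the hunk.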