From c4cba824d9e4bb31e1b6a901e994ffdfd3ad522e Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Thu, 11 Jul 2013 09:36:01 -0700
Subject: Fix bug #10010 - Missing integer wrap protection in EA list reading can cause server to loop with DOS.

Fix client-side parsing also.

Found by David Disseldorp

Signed-off-by: Jeremy Allison
Autobuild-User(master): Karolin Seeger
Autobuild-Date(master): Mon Aug 5 14:39:04 CEST 2013 on sn-devel-104
---
 source4/libcli/raw/raweas.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

(limited to 'source4/libcli/raw')

diff --git a/source4/libcli/raw/raweas.c b/source4/libcli/raw/raweas.c
index 5f06e7001d..b626b316d2 100644
--- a/source4/libcli/raw/raweas.c
+++ b/source4/libcli/raw/raweas.c
@@ -243,9 +243,12 @@ NTSTATUS ea_pull_list_chained(const DATA_BLOB *blob,
 		return NT_STATUS_INVALID_PARAMETER;
 	}
 
-	ofs += next_ofs;
+	if (ofs + next_ofs < ofs) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
 
-	if (ofs+4 > blob->length) {
+	ofs += next_ofs;
+	if (ofs+4 > blob->length || ofs+4 < ofs) {
 		return NT_STATUS_INVALID_PARAMETER;
 	}
 	n++;
-- 
cgit
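Review bot: The two wrap checks added around `ofs += next_ofs` (the `ofs + next_ofs < ofs` test and the `ofs+4 < ofs` clause) are only sound if `ofs` and `next_ofs` are unsigned; their declarations are outside the hunk, and if either is a signed int the overflow is undefined and the compiler is free to delete the comparison. It would help the next reader to say why the check exists, since it is the fix for the reported looping: `/* next_ofs comes from the wire: reject a wrap so ofs can never move backwards and make this loop spin */` on the first added `if`. A `next_ofs` of zero leaves `ofs` unchanged and is not rejected by the new code; if the check that ends just above the hunk does not cover that case, the enclosing loop would still fail to advance, which is worth confirming. The enclosing loop and `ea_pull_list_chained` itself start and end outside the hunk.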