
Fix bug #10010 - Missing integer wrap protection in EA list reading can cause server to loop with DOS.

Ensure we never wrap whilst adding client provided input.

Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison 2013-07-10 17:10:17 -07:00 committed by Karolin Seeger
parent 6659f0164c
commit c8d8bb257a


@ -990,7 +990,19 @@ struct ea_list *read_nttrans_ea_list(TALLOC_CTX *ctx, const char *pdata, size_t
if (next_offset == 0) {
break;
}
/* Integer wrap protection for the increment. */
if (offset + next_offset < offset) {
break;
}
offset += next_offset;
/* Integer wrap protection for while loop. */
if (offset + 4 < offset) {
break;
}
}
return ea_list_head;
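Review bot: Both added guards only detect arithmetic wrap of `offset`; neither compares the client-supplied `next_offset` with the bytes actually left in the buffer, so rejecting an out-of-range offset is left to the loop condition, which lies outside this hunk along with the start of `read_nttrans_ea_list`. A single check against the remaining length, e.g. `if (next_offset > len - offset) break;` (with `len` standing for the `size_t` length parameter whose name is cut off in the hunk header, and assuming the loop condition keeps `offset <= len`), would rule out the wrap and the out-of-range case together. Separately, each malformed case just `break`s and returns the partially built `ea_list_head`, so a caller cannot tell a truncated list from a complete one. If that is intended, a comment such as `/* Malformed offset: stop parsing and return the entries read so far. */` above the first new `break` would make it explicit.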