sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-03-10 12:58:35 +03:00
Code

tdb: Harden tdb_rec_read

Browse Source 
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
This commit is contained in:
Volker Lendecke 2018-03-04 10:07:29 +01:00 committed by Jeremy Allison
parent ac33b5653f
commit df2a036377
1 changed files with 28 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
lib/tdb/common/io.c
View File

@ -733,6 +733,9 @@ int tdb_parse_data(struct tdb_context *tdb, TDB_DATA key,
/* read/write a record */
int tdb_rec_read(struct tdb_context *tdb, tdb_off_t offset, struct tdb_record *rec)
{
int ret;
tdb_len_t overall_len;
if (tdb->methods->tdb_read(tdb, offset, rec, sizeof(*rec),DOCONV()) == -1)
return -1;
if (TDB_BAD_MAGIC(rec)) {
@ -741,6 +744,31 @@ int tdb_rec_read(struct tdb_context *tdb, tdb_off_t offset, struct tdb_record *r
TDB_LOG((tdb, TDB_DEBUG_FATAL,"tdb_rec_read bad magic 0x%x at offset=%u\n", rec->magic, offset));
return -1;
}
overall_len = rec->key_len + rec->data_len;
if (overall_len < rec->data_len) {
/* overflow */
return -1;
}
if (overall_len > rec->rec_len) {
/* invalid record */
return -1;
}
ret = tdb->methods->tdb_oob(tdb, offset, rec->key_len, 1);
if (ret == -1) {
return -1;
}
ret = tdb->methods->tdb_oob(tdb, offset, rec->data_len, 1);
if (ret == -1) {
return -1;
}
ret = tdb->methods->tdb_oob(tdb, offset, rec->rec_len, 1);
if (ret == -1) {
return -1;
}
return tdb->methods->tdb_oob(tdb, rec->next, sizeof(*rec), 0);
}