mirror of
https://github.com/samba-team/samba.git
synced 2024-12-22 13:34:15 +03:00
d12bd2cd50
If len_len is equal to total_len - 1 (i.e. the input consists only of a 0x60 byte and a length), the expression 'total_len - 1 - len_len - 1', used as the 'len' parameter to der_get_length(), will overflow to SIZE_MAX. Then der_get_length() will proceed to read, unconstrained, whatever data follows in memory.

Add a check to ensure that doesn't happen.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

- aesni-intel
- cmocka
- gpfs
- heimdal
- heimdal_build
- nss_wrapper
- pam_wrapper
- popt
- resolv_wrapper
- socket_wrapper
- uid_wrapper
- waf
- update.sh
- wscript