Fix bug #10010 - Missing integer wrap protection in EA list reading can cause server to loop with DOS.

Ensure we never wrap whilst adding client provided input. CVE-2013-4124 Signed-off-by: Jeremy Allison <jra@samba.org>
author: Jeremy Allison <jra@samba.org> 2013-07-10 17:10:17 -0700
committer: Karolin Seeger <kseeger@samba.org> 2013-07-24 20:47:52 +0200
commit: 6ef0e33fe8afa0ebb81652b9d42b42d20efadf04 (patch)
tree: f26990640234679430e663c3badf236c56cc1919
parent: 81aa6c38f50ee67e47987b0acfb3f9b8e728cc58 (diff)
download: samba-6ef0e33fe8afa0ebb81652b9d42b42d20efadf04.tar.gz
1 files changed, 12 insertions, 0 deletions
diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
index 2ca14f477d2..25597696b0b 100644
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -934,7 +934,19 @@ struct ea_list *read_nttrans_ea_list(TALLOC_CTX *ctx, const char *pdata, size_t
 		if (next_offset == 0) {
 			break;
 		}
+
+		/* Integer wrap protection for the increment. */
+		if (offset + next_offset < offset) {
+			break;
+		}
+
 		offset += next_offset;
+
+		/* Integer wrap protection for while loop. */
+		if (offset + 4 < offset) {
+			break;
+		}
+
 	}
 
 	return ea_list_head;
author	Jeremy Allison <jra@samba.org>	2013-07-10 17:10:17 -0700
committer	Karolin Seeger <kseeger@samba.org>	2013-07-24 20:47:52 +0200
commit	6ef0e33fe8afa0ebb81652b9d42b42d20efadf04 (patch)
tree	f26990640234679430e663c3badf236c56cc1919
parent	81aa6c38f50ee67e47987b0acfb3f9b8e728cc58 (diff)
download	samba-6ef0e33fe8afa0ebb81652b9d42b42d20efadf04.tar.gz