diff options
author | Jeremy Allison <jra@samba.org> | 2013-07-10 17:10:17 -0700 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2013-07-24 20:47:52 +0200 |
commit | 6ef0e33fe8afa0ebb81652b9d42b42d20efadf04 (patch) | |
tree | f26990640234679430e663c3badf236c56cc1919 | |
parent | 81aa6c38f50ee67e47987b0acfb3f9b8e728cc58 (diff) | |
download | samba-6ef0e33fe8afa0ebb81652b9d42b42d20efadf04.tar.gz |
Fix bug #10010 - Missing integer wrap protection in EA list reading can cause server to loop with DOS.
Ensure we never wrap whilst adding client provided input.
CVE-2013-4124
Signed-off-by: Jeremy Allison <jra@samba.org>
-rw-r--r-- | source3/smbd/nttrans.c | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c index 2ca14f477d2..25597696b0b 100644 --- a/source3/smbd/nttrans.c +++ b/source3/smbd/nttrans.c @@ -934,7 +934,19 @@ struct ea_list *read_nttrans_ea_list(TALLOC_CTX *ctx, const char *pdata, size_t if (next_offset == 0) { break; } + + /* Integer wrap protection for the increment. */ + if (offset + next_offset < offset) { + break; + } + offset += next_offset; + + /* Integer wrap protection for while loop. */ + if (offset + 4 < offset) { + break; + } + } return ea_list_head; |