author | Volker Lendecke <vl@samba.org> | 2018-03-04 10:46:09 +0100 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2018-03-22 02:15:14 +0100 |
commit | 1b0fbdaf853b341a8e53e23e1e3f2ae1c9037dc2 (patch) | |
tree | 74dc424be33720280bfcef02121bb19ff3f04f8f | |
parent | 2c94093ad961f3e93302dae6aa373e5b3fe8ee95 (diff) | |
Harden tdb_check_used_record against overflow
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
-rw-r--r-- | lib/tdb/common/check.c | 17 |
1 files changed, 16 insertions, 1 deletions
diff --git a/lib/tdb/common/check.c b/lib/tdb/common/check.c
index e632af51536..3a5c8b8ba94 100644
--- a/lib/tdb/common/check.c
+++ b/lib/tdb/common/check.c
@@ -242,12 +242,27 @@ static bool tdb_check_used_record(struct tdb_context *tdb,
 void *private_data)
 {
 TDB_DATA key, data;
+ tdb_len_t len;
 if (!tdb_check_record(tdb, off, rec))
 return false;
 /* key + data + tailer must fit in record */
- if (rec->key_len + rec->data_len + sizeof(tdb_off_t) > rec->rec_len) {
+ len = rec->key_len;
+ len += rec->data_len;
+ if (len < rec->data_len) {
+ /* overflow */
+ TDB_LOG((tdb, TDB_DEBUG_ERROR, "Record lengths overflow\n"));
+ return false;
+ }
+ len += sizeof(tdb_off_t);
+ if (len < sizeof(tdb_off_t)) {
+ /* overflow */
+ TDB_LOG((tdb, TDB_DEBUG_ERROR, "Record lengths overflow\n"));
+ return false;
+ }
+
+ if (len > rec->rec_len) {
 TDB_LOG((tdb, TDB_DEBUG_ERROR, "Record offset %u too short for contents\n", off));
 return false; |
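Review bot: Both new overflow branches log the identical `"Record lengths overflow\n"` without the record offset, so a corrupt or crafted tdb file that trips them cannot be located from the log, and the two cases cannot be told apart. The existing "too short for contents" message just below already prints `off`. Consider `TDB_LOG((tdb, TDB_DEBUG_ERROR, "Record offset %u: key_len + data_len overflows\n", off));` for the first branch and a matching message naming the tailer for the second. The wrap checks are only valid if tdb_len_t is an unsigned type, which the hunk does not show; a comment such as `/* tdb_len_t is unsigned: a sum smaller than an addend means it wrapped */` would make that dependency explicit. The body of tdb_check_used_record starts and ends outside the hunk.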