Harden tdb_check_used_record against overflow

Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
author: Volker Lendecke <vl@samba.org> 2018-03-04 10:46:09 +0100
committer: Jeremy Allison <jra@samba.org> 2018-03-22 02:15:14 +0100
commit: 1b0fbdaf853b341a8e53e23e1e3f2ae1c9037dc2 (patch)
tree: 74dc424be33720280bfcef02121bb19ff3f04f8f /lib/tdb
parent: 2c94093ad961f3e93302dae6aa373e5b3fe8ee95 (diff)
download: samba-1b0fbdaf853b341a8e53e23e1e3f2ae1c9037dc2.tar.gz
1 files changed, 16 insertions, 1 deletions
diff --git a/lib/tdb/common/check.c b/lib/tdb/common/check.c
index e632af51536..3a5c8b8ba94 100644
--- a/lib/tdb/common/check.c
+++ b/lib/tdb/common/check.c
@@ -242,12 +242,27 @@ static bool tdb_check_used_record(struct tdb_context *tdb,
 				  void *private_data)
 {
 	TDB_DATA key, data;
+	tdb_len_t len;
 
 	if (!tdb_check_record(tdb, off, rec))
 		return false;
 
 	/* key + data + tailer must fit in record */
-	if (rec->key_len + rec->data_len + sizeof(tdb_off_t) > rec->rec_len) {
+	len = rec->key_len;
+	len += rec->data_len;
+	if (len < rec->data_len) {
+		/* overflow */
+		TDB_LOG((tdb, TDB_DEBUG_ERROR, "Record lengths overflow\n"));
+		return false;
+	}
+	len += sizeof(tdb_off_t);
+	if (len < sizeof(tdb_off_t)) {
+		/* overflow */
+		TDB_LOG((tdb, TDB_DEBUG_ERROR, "Record lengths overflow\n"));
+		return false;
+	}
+
+	if (len > rec->rec_len) {
 		TDB_LOG((tdb, TDB_DEBUG_ERROR,
 			 "Record offset %u too short for contents\n", off));
 		return false;
author	Volker Lendecke <vl@samba.org>	2018-03-04 10:46:09 +0100
committer	Jeremy Allison <jra@samba.org>	2018-03-22 02:15:14 +0100
commit	1b0fbdaf853b341a8e53e23e1e3f2ae1c9037dc2 (patch)
tree	74dc424be33720280bfcef02121bb19ff3f04f8f /lib/tdb
parent	2c94093ad961f3e93302dae6aa373e5b3fe8ee95 (diff)
download	samba-1b0fbdaf853b341a8e53e23e1e3f2ae1c9037dc2.tar.gz