aboutsummaryrefslogtreecommitdiffstats
path: root/meta-oe/recipes-connectivity/samba/samba/samba-3.6.16-CVE-2013-4124.patch
diff options
context:
space:
mode:
Diffstat (limited to 'meta-oe/recipes-connectivity/samba/samba/samba-3.6.16-CVE-2013-4124.patch')
-rw-r--r--meta-oe/recipes-connectivity/samba/samba/samba-3.6.16-CVE-2013-4124.patch43
1 files changed, 43 insertions, 0 deletions
diff --git a/meta-oe/recipes-connectivity/samba/samba/samba-3.6.16-CVE-2013-4124.patch b/meta-oe/recipes-connectivity/samba/samba/samba-3.6.16-CVE-2013-4124.patch
new file mode 100644
index 0000000000..54b8edfbe6
--- /dev/null
+++ b/meta-oe/recipes-connectivity/samba/samba/samba-3.6.16-CVE-2013-4124.patch
@@ -0,0 +1,43 @@
+Upstream-Status: Backport
+
+From efdbcabbe97a594572d71d714d258a5854c5d8ce Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Wed, 10 Jul 2013 17:10:17 -0700
+Subject: [PATCH] Fix bug #10010 - Missing integer wrap protection in EA list
+ reading can cause server to loop with DOS.
+
+Ensure we never wrap whilst adding client provided input.
+CVE-2013-4124
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+---
+ source3/smbd/nttrans.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
+index ea9d417..5fc3a09 100644
+--- a/source3/smbd/nttrans.c
++++ b/source3/smbd/nttrans.c
+@@ -989,7 +989,19 @@ struct ea_list *read_nttrans_ea_list(TALLOC_CTX *ctx, const char *pdata, size_t
+ if (next_offset == 0) {
+ break;
+ }
++
++ /* Integer wrap protection for the increment. */
++ if (offset + next_offset < offset) {
++ break;
++ }
++
+ offset += next_offset;
++
++ /* Integer wrap protection for while loop. */
++ if (offset + 4 < offset) {
++ break;
++ }
++
+ }
+
+ return ea_list_head;
+--
+1.7.10.4
+
generated by cgit 1.2.3-korg (git 2.39.0) at 2024-04-27 19:58:40 +0000