blob: 54b8edfbe6cfa2ac71c978d5c2d7b9c5ff9d565a (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
|
Upstream-Status: Backport
From efdbcabbe97a594572d71d714d258a5854c5d8ce Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Wed, 10 Jul 2013 17:10:17 -0700
Subject: [PATCH] Fix bug #10010 - Missing integer wrap protection in EA list
reading can cause server to loop with DOS.
Ensure we never wrap whilst adding client provided input.
CVE-2013-4124
Signed-off-by: Jeremy Allison <jra@samba.org>
---
source3/smbd/nttrans.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
index ea9d417..5fc3a09 100644
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -989,7 +989,19 @@ struct ea_list *read_nttrans_ea_list(TALLOC_CTX *ctx, const char *pdata, size_t
if (next_offset == 0) {
break;
}
+
+ /* Integer wrap protection for the increment. */
+ if (offset + next_offset < offset) {
+ break;
+ }
+
offset += next_offset;
+
+ /* Integer wrap protection for while loop. */
+ if (offset + 4 < offset) {
+ break;
+ }
+
}
return ea_list_head;
--
1.7.10.4
|
