svn commit: samba r5959 - in trunk/source/smbd: .
jra at samba.org
jra at samba.org
Tue Mar 22 17:48:36 GMT 2005
Author: jra
Date: 2005-03-22 17:48:35 +0000 (Tue, 22 Mar 2005)
New Revision: 5959
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=5959
Log:
Integer wrap paranoia when reading EA buffers.
Jeremy.
Modified:
trunk/source/smbd/trans2.c
Changeset:
Modified: trunk/source/smbd/trans2.c
===================================================================
--- trunk/source/smbd/trans2.c 2005-03-22 17:31:23 UTC (rev 5958)
+++ trunk/source/smbd/trans2.c 2005-03-22 17:48:35 UTC (rev 5959)
@@ -395,7 +395,11 @@
unsigned int namelen = CVAL(pdata,offset);
offset++; /* Go past the namelen byte. */
- if (offset + namelen >= data_size) {
+
+ /* integer wrap paranioa. */
+ if ((offset + namelen < offset) || (offset + namelen < namelen) ||
+ (offset > data_size) || (namelen > data_size) ||
+ (offset + namelen >= data_size)) {
break;
}
/* Ensure the name is null terminated. */
@@ -444,6 +448,16 @@
namelen = CVAL(pdata,offset + 1);
val_len = SVAL(pdata,offset + 2);
+ /* integer wrap paranioa. */
+ if ((offset + namelen + 5 + val_len < offset) ||
+ (offset + namelen + 5 + val_len < namelen) ||
+ (offset + namelen + 5 + val_len < val_len) ||
+ (offset > data_size) ||
+ (namelen > data_size) ||
+ (offset + namelen >= data_size)) {
+ return NULL;
+ }
+
if (offset + 4 + namelen + 1 + val_len > data_size) {
return NULL;
}
@@ -473,7 +487,7 @@
DLIST_ADD_END(ea_list_head, eal, tmp);
- DEBUG(10,("read_ea_name_list: read ea name %s\n", eal->ea.name));
+ DEBUG(10,("read_ea_list: read ea name %s\n", eal->ea.name));
dump_data(10, eal->ea.value.data, eal->ea.value.length);
}
@@ -505,7 +519,7 @@
/****************************************************************************
Return a union of EA's from a file list and a list of names.
The TALLOC context for the two lists *MUST* be identical as we steal
- memory from one list to another. JRA.
+ memory from one list to add to another. JRA.
****************************************************************************/
static struct ea_list *ea_list_union(struct ea_list *name_list, struct ea_list *file_list, size_t *total_ea_len)
@@ -2730,8 +2744,13 @@
/* Pull any EA list from the data portion. */
if (info_level == SMB_INFO_QUERY_EAS_FROM_LIST) {
- uint32 ea_size = IVAL(pdata,0);
+ uint32 ea_size;
+ if (total_data < 4) {
+ return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+ }
+ ea_size = IVAL(pdata,0);
+
if (total_data > 0 && ea_size != total_data) {
DEBUG(4,("call_trans2qfilepathinfo: Rejecting EA request with incorrect \
total_data=%u (should be %u)\n", (unsigned int)total_data, (unsigned int)IVAL(pdata,0) ));
More information about the samba-cvs
mailing list