[SCM] Samba Shared Repository - branch master updated

Karolin Seeger kseeger at samba.org
Mon Aug 5 06:40:02 MDT 2013 

The branch, master has been updated
       via  c4cba82 Fix bug #10010 - Missing integer wrap protection in EA list reading can cause server to loop with DOS.
       via  c8d8bb2 Fix bug #10010 - Missing integer wrap protection in EA list reading can cause server to loop with DOS.
      from  6659f01 s3-libads: Print a message if no realm has been specified.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit c4cba824d9e4bb31e1b6a901e994ffdfd3ad522e
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Jul 11 09:36:01 2013 -0700

    Fix bug #10010 - Missing integer wrap protection in EA list reading can cause server to loop with DOS.
    
    Fix client-side parsing also. Found by David Disseldorp <ddiss at suse.de>
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    
    Autobuild-User(master): Karolin Seeger <kseeger at samba.org>
    Autobuild-Date(master): Mon Aug  5 14:39:04 CEST 2013 on sn-devel-104

commit c8d8bb257ac390c89c4238ed86dfef02750b6049
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Jul 10 17:10:17 2013 -0700

    Fix bug #10010 - Missing integer wrap protection in EA list reading can cause server to loop with DOS.
    
    Ensure we never wrap whilst adding client provided input.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 source3/smbd/nttrans.c      |   12 ++++++++++++
 source4/libcli/raw/raweas.c |    7 +++++--
 2 files changed, 17 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
index 800e2fd..bcba29a 100644
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -990,7 +990,19 @@ struct ea_list *read_nttrans_ea_list(TALLOC_CTX *ctx, const char *pdata, size_t
 		if (next_offset == 0) {
 			break;
 		}
+
+		/* Integer wrap protection for the increment. */
+		if (offset + next_offset < offset) {
+			break;
+		}
+
 		offset += next_offset;
+
+		/* Integer wrap protection for while loop. */
+		if (offset + 4 < offset) {
+			break;
+		}
+
 	}
 
 	return ea_list_head;
diff --git a/source4/libcli/raw/raweas.c b/source4/libcli/raw/raweas.c
index 5f06e70..b626b31 100644
--- a/source4/libcli/raw/raweas.c
+++ b/source4/libcli/raw/raweas.c
@@ -243,9 +243,12 @@ NTSTATUS ea_pull_list_chained(const DATA_BLOB *blob,
 			return NT_STATUS_INVALID_PARAMETER;
 		}
 
-		ofs += next_ofs;
+		if (ofs + next_ofs < ofs) {
+			return NT_STATUS_INVALID_PARAMETER;
+		}
 
-		if (ofs+4 > blob->length) {
+		ofs += next_ofs;
+		if (ofs+4 > blob->length || ofs+4 < ofs) {
 			return NT_STATUS_INVALID_PARAMETER;
 		}
 		n++;


-- 
Samba Shared Repository

More information about the samba-cvs mailing list