28 lines
672 B
Plaintext
28 lines
672 B
Plaintext
$OpenBSD: patch-source3_smbd_nttrans_c,v 1.1 2013/10/06 22:00:48 brad Exp $
|
|
|
|
Missing integer wrap protection in EA list reading can cause server to loop with
|
|
DoS. CVE-2013-4124
|
|
|
|
--- source3/smbd/nttrans.c.orig Wed May 8 04:16:26 2013
|
|
+++ source3/smbd/nttrans.c Thu Sep 26 21:53:10 2013
|
|
@@ -989,7 +989,19 @@ struct ea_list *read_nttrans_ea_list(TALLOC_CTX *ctx,
|
|
if (next_offset == 0) {
|
|
break;
|
|
}
|
|
+
|
|
+ /* Integer wrap protection for the increment. */
|
|
+ if (offset + next_offset < offset) {
|
|
+ break;
|
|
+ }
|
|
+
|
|
offset += next_offset;
|
|
+
|
|
+ /* Integer wrap protection for while loop. */
|
|
+ if (offset + 4 < offset) {
|
|
+ break;
|
|
+ }
|
|
+
|
|
}
|
|
|
|
return ea_list_head;
|