From b4bfcdf921aeee05c4608d7b48618fdfb1f134dc Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 10 Jul 2013 17:10:17 -0700 Subject: [PATCH 1/2] Fix bug #10010 - Missing integer wrap protection in EA list reading can cause server to loop with DOS. Ensure we never wrap whilst adding client provided input. Signed-off-by: Jeremy Allison --- source3/smbd/nttrans.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c index 54e475d..f70fb36 100644 --- a/source3/smbd/nttrans.c +++ b/source3/smbd/nttrans.c @@ -993,7 +993,19 @@ struct ea_list *read_nttrans_ea_list(TALLOC_CTX *ctx, const char *pdata, size_t if (next_offset == 0) { break; } + + /* Integer wrap protection for the increment. */ + if (offset + next_offset < offset) { + break; + } + offset += next_offset; + + /* Integer wrap protection for while loop. */ + if (offset + 4 < offset) { + break; + } + } return ea_list_head; -- 1.7.10.4 From 03656a7c1ea68d4cea585f0bd4a3720be7f1cc13 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 11 Jul 2013 09:36:01 -0700 Subject: [PATCH 2/2] Fix bug #10010 - Missing integer wrap protection in EA list reading can cause server to loop with DOS. Fix client-side parsing also. Found by David Disseldorp CVE-2013-4124 Signed-off-by: Jeremy Allison --- source4/libcli/raw/raweas.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/source4/libcli/raw/raweas.c b/source4/libcli/raw/raweas.c index 5f06e70..b626b31 100644 --- a/source4/libcli/raw/raweas.c +++ b/source4/libcli/raw/raweas.c @@ -243,9 +243,12 @@ NTSTATUS ea_pull_list_chained(const DATA_BLOB *blob, return NT_STATUS_INVALID_PARAMETER; } - ofs += next_ofs; + if (ofs + next_ofs < ofs) { + return NT_STATUS_INVALID_PARAMETER; + } - if (ofs+4 > blob->length) { + ofs += next_ofs; + if (ofs+4 > blob->length || ofs+4 < ofs) { return NT_STATUS_INVALID_PARAMETER; } n++; -- 1.7.10.4