diff options
author | Stefan Metzmacher <metze@samba.org> | 2013-10-16 16:26:58 +0200 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2013-12-09 07:05:46 +0100 |
commit | 068dafc4d8f0c82a16ca5c092eb5f5144dd5f199 (patch) | |
tree | a8f03d8498613e11de99f811fb5b33ba9d703db7 /source3/lib | |
parent | 821a49b7d05e87fdb12a1e6f9b020e41476ba41a (diff) | |
download | samba-068dafc4d8f0c82a16ca5c092eb5f5144dd5f199.tar.gz samba-068dafc4d8f0c82a16ca5c092eb5f5144dd5f199.tar.xz samba-068dafc4d8f0c82a16ca5c092eb5f5144dd5f199.zip |
CVE-2013-4408:s3:ctdb_conn: add some length verification to ctdb_packet_more()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Diffstat (limited to 'source3/lib')
-rw-r--r-- | source3/lib/ctdb_conn.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/source3/lib/ctdb_conn.c b/source3/lib/ctdb_conn.c index 90930eb86b0..40071d4e5cb 100644 --- a/source3/lib/ctdb_conn.c +++ b/source3/lib/ctdb_conn.c @@ -233,6 +233,11 @@ static ssize_t ctdb_packet_more(uint8_t *buf, size_t buflen, void *p) return 0; } memcpy(&len, buf, sizeof(len)); + + if (len < sizeof(uint32_t)) { + return -1; + } + return (len - sizeof(uint32_t)); } |