[Pkg-samba-maint] [samba] 01/07: CVE-2016-2123: Fix DNS vuln ZDI-CAN-3995

[Mathieu Parent]

This is an automated email from the git hooks/post-receive script.

sathieu pushed a commit to branch jessie
in repository samba.

commit e67942ca927dc3b6c00e6cda6e0719add7217741
Author: Volker Lendecke <vl at samba.org>
Date:   Sat Nov 5 21:22:46 2016 +0100

    CVE-2016-2123: Fix DNS vuln ZDI-CAN-3995
    
    Thanks to Trend Micro's Zero Day Initiative and Frederic Besler for finding
    this vulnerability with a PoC and a good analysis.
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12409
---
 librpc/ndr/ndr_dnsp.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/librpc/ndr/ndr_dnsp.c b/librpc/ndr/ndr_dnsp.c
index 82b5fb5..152a27e 100644
--- a/librpc/ndr/ndr_dnsp.c
+++ b/librpc/ndr/ndr_dnsp.c
@@ -56,7 +56,16 @@ _PUBLIC_ enum ndr_err_code ndr_pull_dnsp_name(struct ndr_pull *ndr, int ndr_flag
 		uint8_t sublen, newlen;
 		NDR_CHECK(ndr_pull_uint8(ndr, ndr_flags, &sublen));
 		newlen = total_len + sublen;
+		if (newlen < total_len) {
+			return ndr_pull_error(ndr, NDR_ERR_RANGE,
+					      "Failed to pull dnsp_name");
+		}
 		if (i != count-1) {
+			if (newlen == UINT8_MAX) {
+				return ndr_pull_error(
+					ndr, NDR_ERR_RANGE,
+					"Failed to pull dnsp_name");
+			}
 			newlen++; /* for the '.' */
 		}
 		ret = talloc_realloc(ndr->current_mem_ctx, ret, char, newlen);

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-samba/samba.git