From b4bfcdf921aeee05c4608d7b48618fdfb1f134dc Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Wed, 10 Jul 2013 17:10:17 -0700
Subject: [PATCH 1/2] Fix bug #10010 - Missing integer wrap protection in EA
 list reading can cause server to loop with DOS.

Ensure we never wrap whilst adding client provided input.

Signed-off-by: Jeremy Allison <jra@samba.org>
---
 source3/smbd/nttrans.c |   12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
index 54e475d..f70fb36 100644
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -993,7 +993,19 @@ struct ea_list *read_nttrans_ea_list(TALLOC_CTX *ctx, const char *pdata, size_t
 		if (next_offset == 0) {
 			break;
 		}
+
+		/* Integer wrap protection for the increment. */
+		if (offset + next_offset < offset) {
+			break;
+		}
+
 		offset += next_offset;
+
+		/* Integer wrap protection for while loop. */
+		if (offset + 4 < offset) {
+			break;
+		}
+
 	}
 
 	return ea_list_head;
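Review bot: Both new wrap checks leave the loop with `break`, so a chain whose offsets wrap falls through to `return ea_list_head;` and is handed back as an apparently well-formed, shorter EA list. The client-side fix for the same bug in source4/libcli/raw/raweas.c rejects this input with `NT_STATUS_INVALID_PARAMETER`; rejecting it here too would stop callers acting on a truncated list built from malformed client data. The function's failure convention lies outside the hunk, so this is tentative: if a NULL return signals a parse error, `return NULL;` in place of each `break;` would do it. The two comments could also state that the tests rely on `offset` and `next_offset` being unsigned, since their declarations are not visible here.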
-- 
1.7.10.4


From 03656a7c1ea68d4cea585f0bd4a3720be7f1cc13 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Thu, 11 Jul 2013 09:36:01 -0700
Subject: [PATCH 2/2] Fix bug #10010 - Missing integer wrap protection in EA
 list reading can cause server to loop with DOS.

Fix client-side parsing also. Found by David Disseldorp <ddiss@suse.de>
CVE-2013-4124

Signed-off-by: Jeremy Allison <jra@samba.org>
---
 source4/libcli/raw/raweas.c |    7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/source4/libcli/raw/raweas.c b/source4/libcli/raw/raweas.c
index 5f06e70..b626b31 100644
--- a/source4/libcli/raw/raweas.c
+++ b/source4/libcli/raw/raweas.c
@@ -243,9 +243,12 @@ NTSTATUS ea_pull_list_chained(const DATA_BLOB *blob,
 			return NT_STATUS_INVALID_PARAMETER;
 		}
 
-		ofs += next_ofs;
+		if (ofs + next_ofs < ofs) {
+			return NT_STATUS_INVALID_PARAMETER;
+		}
 
-		if (ofs+4 > blob->length) {
+		ofs += next_ofs;
+		if (ofs+4 > blob->length || ofs+4 < ofs) {
 			return NT_STATUS_INVALID_PARAMETER;
 		}
 		n++;
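Review bot: The tests `ofs + next_ofs < ofs` and `ofs+4 < ofs` only detect a wrap when both operands are unsigned and not narrower than `int`, and the declarations of `ofs` and `next_ofs` are outside the hunk. Comparing against the remaining length needs no addition and does not depend on that; assuming `blob->length` is unsigned, the second condition can be written `if (blob->length < 4 || ofs > blob->length - 4) {`. Unlike the server-side hunk in source3/smbd/nttrans.c, the new check here carries no comment; something like `/* Reject a next_ofs that would wrap ofs. */` above it would record why it exists.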
-- 
1.7.10.4