From efdbcabbe97a594572d71d714d258a5854c5d8ce Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Wed, 10 Jul 2013 17:10:17 -0700
Subject: [PATCH] Fix bug #10010 - Missing integer wrap protection in EA list
 reading can cause server to loop with DOS.

Ensure we never wrap whilst adding client provided input.
CVE-2013-4124

Signed-off-by: Jeremy Allison <jra@samba.org>
---
 source3/smbd/nttrans.c |   12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
index ea9d417..5fc3a09 100644
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -989,7 +989,19 @@ struct ea_list *read_nttrans_ea_list(TALLOC_CTX *ctx, const char *pdata, size_t
 		if (next_offset == 0) {
 			break;
 		}
+
+		/* Integer wrap protection for the increment. */
+		if (offset + next_offset < offset) {
+			break;
+		}
+
 		offset += next_offset;
+
+		/* Integer wrap protection for while loop. */
+		if (offset + 4 < offset) {
+			break;
+		}
+
 	}
 
 	return ea_list_head;
-- 
1.7.10.4