From: Art M. Gallagher Date: Tue, 3 Mar 2020 21:51:46 +0000 (+0000) Subject: vfs_fruit: tmsize prevent overflow Force the type during arithmetic in order to preve... X-Git-Tag: ldb-2.2.0~1513 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b0ba7cd4f96a6ea227943cb05ef51a463e292b2d;p=thirdparty%2Fsamba.git vfs_fruit: tmsize prevent overflow Force the type during arithmetic in order to prevent overflow when summing the Time Machine folder size. Increase the precision to off_t (used for file sizes), leave the overflow error traps but with more precise wording. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13622 Signed-off-by: Art M. Gallagher Reviewed-by: Ralph Boehme Reviewed-by: Jeremy Allison Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Sat Mar 7 01:37:31 UTC 2020 on sn-devel-184 --- diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c index ebf3e18af2f..b2d0901a800 100644 --- a/source3/modules/vfs_fruit.c +++ b/source3/modules/vfs_fruit.c @@ -4986,15 +4986,21 @@ static bool fruit_tmsize_do_dirent(vfs_handle_struct *handle, return true; } + /* + * Arithmetic on 32-bit systems may cause overflow, depending on + * size_t precision. First we check its unlikely, then we + * force the precision into target off_t, then we check that + * the total did not overflow either. + */ if (bandsize > SIZE_MAX/nbands) { - DBG_ERR("tmsize overflow: bandsize [%zu] nbands [%zu]\n", + DBG_ERR("tmsize potential overflow: bandsize [%zu] nbands [%zu]\n", bandsize, nbands); return false; } - tm_size = bandsize * nbands; + tm_size = (off_t)bandsize * (off_t)nbands; if (state->total_size + tm_size < state->total_size) { - DBG_ERR("tmsize overflow: bandsize [%zu] nbands [%zu]\n", + DBG_ERR("tm total size overflow: bandsize [%zu] nbands [%zu]\n", bandsize, nbands); return false; }
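Review bot: The guard `if (bandsize > SIZE_MAX/nbands)` still bounds the product by `SIZE_MAX`, while the multiplication right below it is now carried out in `off_t`, so the check and the arithmetic no longer cover the same range. Where `size_t` is 32 bits and `off_t` is 64 bits, any product above `SIZE_MAX` is still rejected with "tmsize potential overflow" even though `(off_t)bandsize * (off_t)nbands` could hold it. Where both are 64 bits, a product between the largest `off_t` value and `SIZE_MAX` passes the guard and overflows the signed multiplication. Suggest bounding the operands against the maximum `off_t` value instead. The total check would also be safer as a comparison made before the addition (`tm_size` against the remaining headroom above `state->total_size`) than as `state->total_size + tm_size < state->total_size` after it, because that wraparound test is only dependable for unsigned operands and the new comment names `off_t` as the target type. Minor: "its unlikely" in the added comment should read "it's unlikely".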