From 6cadb1d695ef1d45d2b64c8ad95cc442658f0991 Mon Sep 17 00:00:00 2001
From: Andreas Schneider
Date: Wed, 26 Jun 2024 14:31:48 +0200
Subject: [PATCH] s3:registry: Check for integer overflow

"Error: INTEGER_OVERFLOW (CWE-190): samba-4.20.0rc2/source3/registry/regfio.c:175: tainted_data_argument: The check ""bytes_read < block_size"" contains the tainted expression ""bytes_read"" which causes ""block_size"" to be considered tainted. samba-4.20.0rc2/source3/registry/regfio.c:176: overflow: The expression ""block_size - bytes_read"" is deemed overflowed because at least one of its arguments has overflowed. samba-4.20.0rc2/source3/registry/regfio.c:176: overflow_sink: ""block_size - bytes_read"", which might have underflowed, is passed to ""read(file->fd, buffer + bytes_read, block_size - bytes_read)"". [Note: The source code implementation of the function has been overridden by a builtin model.]
174|
175| while ( bytes_read < block_size ) {
176|-> if ( (returned = read( file->fd, buffer+bytes_read, block_size-bytes_read )) == -1 ) {
177| DEBUG(0,(""read_block: read() failed (%s)\n"", strerror(errno) ));
178| return False;"

Signed-off-by: Andreas Schneider
Reviewed-by: Volker Lendecke
---
 source3/registry/regfio.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/source3/registry/regfio.c b/source3/registry/regfio.c
index e7bb8d18f8f..3756c8cdb13 100644
--- a/source3/registry/regfio.c
+++ b/source3/registry/regfio.c
@@ -182,6 +182,10 @@ static int read_block( REGF_FILE *file, prs_struct *ps, uint32_t file_offset, ui
 return False;
 }
 
+ if (returned < 0 || bytes_read > INT_MAX - returned) {
+ DBG_ERR("Integer overflow\n");
+ return false;
+ }
 bytes_read += returned;
 }
 
--
2.47.3
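Review bot: The new guard returns `false` and logs through `DBG_ERR`, while the neighbouring lines of read_block in the same hunk return `False` and log through `DEBUG(0, …)`, so one function now mixes both conventions; either is fine in Samba, but one function should stick to one. The message also carries none of the context the adjacent `DEBUG` line gives, so a failure cannot be attributed to read_block or to the offending values; suggest `DBG_ERR("read_block: bytes_read would overflow (bytes_read=%d, returned=%d)\n", bytes_read, returned);`, on the assumption that both are `int`, as the `INT_MAX - returned` comparison implies — their declarations are outside the hunk. Since the reasoning behind the guard lives only in the commit message, a one-line comment above the `if` would help the next reader, e.g. `/* bytes_read is an int compared against an unsigned block_size; stop before it wraps (CWE-190) */`, with the `unsigned` part to be confirmed against the parameter list, which the hunk header truncates. read_block begins and ends outside this hunk.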