Comment 7 for bug 11243

In , Moritz Muehlenhoff (jmm-inutil) wrote: CAN-2004-1154 proposed fix for woody

Hi,
the upstream patch against 3.0.9 wraps all memory allocations, strdup()s,
etc. into macros with boundary checks. Backporting this to 2.2.3 seems
way too intrusive and error-prone, so may I suggest the following fix:

According to the iDefense advisory it exploits an integer overflow in the
allocation of memory in source/rpc_parse/parse_sec.c:218:
If psa->num_aces is larger than 38347922, the value of 38347922+1 multiplied
by the value of ace[0] (112) is larger than an unsigned integer can hold, and
it wraps around.

So, as there is no way in regular Samba operation that a user requests
more than 38 million ACL entries, the simplest and least intrusive way to
prevent this seems to be a simple sanity check that caps psa->num_aces:

if (psa->num_aces > 38347922)
 psa->num_aces = 38347922;

Does this seem like an acceptable solution? I haven't evaluated all possible
call flows that lead to the vulnerable code, though.

Cheers,
        Moritz
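The arithmetic the comment describes, as an added example that is not Samba code and not part of the original bug comment: a 32-bit unsigned product num_aces * 112 that silently wraps once num_aces exceeds 38347922, next to an overflow-checked multiply of the kind the upstream allocation macros are said to add. The ACE size of 112 bytes, the function names and the allocation wrapper are assumptions made for this example; the real parse_sec.c code is not reproduced here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Per-ACE size taken from the comment above (112 bytes); assumed constant for this example. */
#define ACE_SIZE 112u

/* Reproduces the vulnerable arithmetic: a uint32_t product that wraps modulo 2^32
 * instead of failing. This is the 'before' side and is deliberately unchecked. */
uint32_t wrapped_alloc_size(uint32_t num_aces, uint32_t ace_size)
{
    return (uint32_t)(num_aces * ace_size);   /* wraps silently for large num_aces */
}

/* Largest count whose product with ace_size still fits in 32 bits. For 112 this is 38347922. */
uint32_t max_aces(uint32_t ace_size)
{
    return UINT32_MAX / ace_size;
}

/* Overflow-checked multiply: returns false (and leaves *out untouched) instead of wrapping.
 * The division form avoids needing a wider integer type. */
bool safe_mul_u32(uint32_t a, uint32_t b, uint32_t *out)
{
    if (a != 0 && b > UINT32_MAX / a)
        return false;
    *out = a * b;
    return true;
}

/* Checked size computation: 0 means "do not allocate" (overflow or no entries). */
uint32_t checked_alloc_size(uint32_t num_aces, uint32_t ace_size)
{
    uint32_t bytes;
    if (!safe_mul_u32(num_aces, ace_size, &bytes))
        return 0;
    return bytes;
}

/* Hypothetical hardened allocation wrapper: refuses the request when the byte count
 * is not representable, which is the check the wrapped product lacks. */
void *alloc_aces(uint32_t num_aces, uint32_t ace_size)
{
    uint32_t bytes = checked_alloc_size(num_aces, ace_size);
    if (bytes == 0)
        return NULL;
    return malloc(bytes);
}

int main(void)
{
    uint32_t boundary = max_aces(ACE_SIZE);          /* 38347922 */
    uint32_t attacker = boundary + 1;                /* 38347923 */

    printf("max representable num_aces: %u\n", boundary);
    printf("wrapped size for %u ACEs: %u bytes\n", attacker,
           wrapped_alloc_size(attacker, ACE_SIZE));  /* 80 bytes, not ~4 GiB */
    printf("checked size for %u ACEs: %u (0 = rejected)\n", attacker,
           checked_alloc_size(attacker, ACE_SIZE));

    void *small = alloc_aces(4, ACE_SIZE);           /* ordinary request still works */
    printf("small allocation %s\n", small ? "ok" : "failed");
    free(small);
    return 0;
}
```

The wrapped value for 38347923 entries is 80 bytes: 38347923 * 112 = 4294967376, which is 2^32 + 80. Any subsequent loop that trusts num_aces would then write far past an 80-byte buffer; the checked variant rejects the request before the allocation happens. Capping num_aces at 38347922, as the comment proposes, keeps the product representable but still permits a multi-gigabyte allocation request, so the overflow-checked multiply is the more general form of the same fix.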