diff options
author | Andrew Tridgell <tridge@samba.org> | 2007-03-13 04:18:07 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 14:49:31 -0500 |
commit | dd0b2572eb4999572aec32bbd9764cc4bf3aeaf7 (patch) | |
tree | 575d7a83fe1f391b44cb102af62f0619e8cac8de | |
parent | f85bb4c1c3e6a0f9e513393a53c41def529a88ad (diff) | |
download | samba-dd0b2572eb4999572aec32bbd9764cc4bf3aeaf7.tar.gz samba-dd0b2572eb4999572aec32bbd9764cc4bf3aeaf7.tar.xz samba-dd0b2572eb4999572aec32bbd9764cc4bf3aeaf7.zip |
r21812: fixed an integer overflow error in the ndr push code.
This needs to be fixed in Samba3 as well. It might be exploitable (I
haven't confirmed one way or the other), so I think this should be
fixed for 3.0.25
(This used to be commit 4766175ff2d0de8af92046e29280c7893ac8fe1f)
-rw-r--r-- | source4/librpc/ndr/libndr.h | 2 | ||||
-rw-r--r-- | source4/librpc/ndr/ndr.c | 11 |
2 files changed, 10 insertions, 3 deletions
diff --git a/source4/librpc/ndr/libndr.h b/source4/librpc/ndr/libndr.h index eb0c970208f..e6bf7c04e2f 100644 --- a/source4/librpc/ndr/libndr.h +++ b/source4/librpc/ndr/libndr.h @@ -219,7 +219,7 @@ enum ndr_compression_alg { } \ } while(0) -#define NDR_PUSH_NEED_BYTES(ndr, n) NDR_CHECK(ndr_push_expand(ndr, ndr->offset+(n))) +#define NDR_PUSH_NEED_BYTES(ndr, n) NDR_CHECK(ndr_push_expand(ndr, n)) #define NDR_PUSH_ALIGN(ndr, n) do { \ if (!(ndr->flags & LIBNDR_FLAG_NOALIGN)) { \ diff --git a/source4/librpc/ndr/ndr.c b/source4/librpc/ndr/ndr.c index cbd316f4030..d7529268637 100644 --- a/source4/librpc/ndr/ndr.c +++ b/source4/librpc/ndr/ndr.c @@ -148,10 +148,17 @@ _PUBLIC_ DATA_BLOB ndr_push_blob(struct ndr_push *ndr) /* - expand the available space in the buffer to 'size' + expand the available space in the buffer to ndr->offset + extra_size */ -_PUBLIC_ NTSTATUS ndr_push_expand(struct ndr_push *ndr, uint32_t size) +_PUBLIC_ NTSTATUS ndr_push_expand(struct ndr_push *ndr, uint32_t extra_size) { + uint32_t size = extra_size + ndr->offset; + + if (size < ndr->offset) { + /* extra_size overflowed the offset */ + return NT_STATUS_NO_MEMORY; + } + if (ndr->alloc_size > size) { return NT_STATUS_OK; } |