summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAndrew Tridgell <tridge@samba.org>2007-03-13 04:18:07 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 14:49:31 -0500
commitdd0b2572eb4999572aec32bbd9764cc4bf3aeaf7 (patch)
tree575d7a83fe1f391b44cb102af62f0619e8cac8de
parentf85bb4c1c3e6a0f9e513393a53c41def529a88ad (diff)
downloadsamba-dd0b2572eb4999572aec32bbd9764cc4bf3aeaf7.tar.gz
samba-dd0b2572eb4999572aec32bbd9764cc4bf3aeaf7.tar.xz
samba-dd0b2572eb4999572aec32bbd9764cc4bf3aeaf7.zip
r21812: fixed an integer overflow error in the ndr push code.
This needs to be fixed in Samba3 as well. It might be exploitable (I haven't confirmed one way or the other), so I think this should be fixed for 3.0.25 (This used to be commit 4766175ff2d0de8af92046e29280c7893ac8fe1f)
-rw-r--r--source4/librpc/ndr/libndr.h2
-rw-r--r--source4/librpc/ndr/ndr.c11
2 files changed, 10 insertions, 3 deletions
diff --git a/source4/librpc/ndr/libndr.h b/source4/librpc/ndr/libndr.h
index eb0c970208f..e6bf7c04e2f 100644
--- a/source4/librpc/ndr/libndr.h
+++ b/source4/librpc/ndr/libndr.h
@@ -219,7 +219,7 @@ enum ndr_compression_alg {
} \
} while(0)
-#define NDR_PUSH_NEED_BYTES(ndr, n) NDR_CHECK(ndr_push_expand(ndr, ndr->offset+(n)))
+#define NDR_PUSH_NEED_BYTES(ndr, n) NDR_CHECK(ndr_push_expand(ndr, n))
#define NDR_PUSH_ALIGN(ndr, n) do { \
if (!(ndr->flags & LIBNDR_FLAG_NOALIGN)) { \
diff --git a/source4/librpc/ndr/ndr.c b/source4/librpc/ndr/ndr.c
index cbd316f4030..d7529268637 100644
--- a/source4/librpc/ndr/ndr.c
+++ b/source4/librpc/ndr/ndr.c
@@ -148,10 +148,17 @@ _PUBLIC_ DATA_BLOB ndr_push_blob(struct ndr_push *ndr)
/*
- expand the available space in the buffer to 'size'
+ expand the available space in the buffer to ndr->offset + extra_size
*/
-_PUBLIC_ NTSTATUS ndr_push_expand(struct ndr_push *ndr, uint32_t size)
+_PUBLIC_ NTSTATUS ndr_push_expand(struct ndr_push *ndr, uint32_t extra_size)
{
+ uint32_t size = extra_size + ndr->offset;
+
+ if (size < ndr->offset) {
+ /* extra_size overflowed the offset */
+ return NT_STATUS_NO_MEMORY;
+ }
+
if (ndr->alloc_size > size) {
return NT_STATUS_OK;
}