svn commit: samba r21815 - in
branches/SAMBA_3_0_25/source/librpc/ndr: .
jra at samba.org
jra at samba.org
Tue Mar 13 05:10:33 GMT 2007
Author: jra
Date: 2007-03-13 05:10:31 +0000 (Tue, 13 Mar 2007)
New Revision: 21815
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=21815
Log:
Security fixes from tridge :
fixed an integer overflow error in the ndr push code. r:21813
use ndr_push_error in the ndr layer, not just a NTSTATUS failure r:21814
Jeremy.
Modified:
branches/SAMBA_3_0_25/source/librpc/ndr/libndr.h
branches/SAMBA_3_0_25/source/librpc/ndr/ndr.c
Changeset:
Modified: branches/SAMBA_3_0_25/source/librpc/ndr/libndr.h
===================================================================
--- branches/SAMBA_3_0_25/source/librpc/ndr/libndr.h 2007-03-13 04:42:49 UTC (rev 21814)
+++ branches/SAMBA_3_0_25/source/librpc/ndr/libndr.h 2007-03-13 05:10:31 UTC (rev 21815)
@@ -223,7 +223,7 @@
} \
} while(0)
-#define NDR_PUSH_NEED_BYTES(ndr, n) NDR_CHECK(ndr_push_expand(ndr, ndr->offset+(n)))
+#define NDR_PUSH_NEED_BYTES(ndr, n) NDR_CHECK(ndr_push_expand(ndr, n))
#define NDR_PUSH_ALIGN(ndr, n) do { \
if (!(ndr->flags & LIBNDR_FLAG_NOALIGN)) { \
Modified: branches/SAMBA_3_0_25/source/librpc/ndr/ndr.c
===================================================================
--- branches/SAMBA_3_0_25/source/librpc/ndr/ndr.c 2007-03-13 04:42:49 UTC (rev 21814)
+++ branches/SAMBA_3_0_25/source/librpc/ndr/ndr.c 2007-03-13 05:10:31 UTC (rev 21815)
@@ -160,10 +160,18 @@
/*
- expand the available space in the buffer to 'size'
+ expand the available space in the buffer to ndr->offset + extra_size
*/
-NTSTATUS ndr_push_expand(struct ndr_push *ndr, uint32_t size)
+NTSTATUS ndr_push_expand(struct ndr_push *ndr, uint32_t extra_size)
{
+ uint32_t size = extra_size + ndr->offset;
+
+ if (size < ndr->offset) {
+ /* extra_size overflowed the offset */
+ return ndr_push_error(ndr, NDR_ERR_BUFSIZE, "Overflow in push_expand to %u",
+ size);
+ }
+
if (ndr->alloc_size > size) {
return NT_STATUS_OK;
}
More information about the samba-cvs
mailing list