svn commit: samba r21815 - in branches/SAMBA_3_0_25/source/librpc/ndr: .

[jra at samba.org]

Author: jra
Date: 2007-03-13 05:10:31 +0000 (Tue, 13 Mar 2007)
New Revision: 21815

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=21815

Log:
Security fixes from tridge :

fixed an integer overflow error in the ndr push code. r:21813
use ndr_push_error in the ndr layer, not just a NTSTATUS failure r:21814

Jeremy.

Modified:
   branches/SAMBA_3_0_25/source/librpc/ndr/libndr.h
   branches/SAMBA_3_0_25/source/librpc/ndr/ndr.c


Changeset:
Modified: branches/SAMBA_3_0_25/source/librpc/ndr/libndr.h
===================================================================
--- branches/SAMBA_3_0_25/source/librpc/ndr/libndr.h	2007-03-13 04:42:49 UTC (rev 21814)
+++ branches/SAMBA_3_0_25/source/librpc/ndr/libndr.h	2007-03-13 05:10:31 UTC (rev 21815)
@@ -223,7 +223,7 @@
 	} \
 } while(0)
 
-#define NDR_PUSH_NEED_BYTES(ndr, n) NDR_CHECK(ndr_push_expand(ndr, ndr->offset+(n)))
+#define NDR_PUSH_NEED_BYTES(ndr, n) NDR_CHECK(ndr_push_expand(ndr, n))
 
 #define NDR_PUSH_ALIGN(ndr, n) do { \
 	if (!(ndr->flags & LIBNDR_FLAG_NOALIGN)) { \

Modified: branches/SAMBA_3_0_25/source/librpc/ndr/ndr.c
===================================================================
--- branches/SAMBA_3_0_25/source/librpc/ndr/ndr.c	2007-03-13 04:42:49 UTC (rev 21814)
+++ branches/SAMBA_3_0_25/source/librpc/ndr/ndr.c	2007-03-13 05:10:31 UTC (rev 21815)
@@ -160,10 +160,18 @@
 
 
 /*
-  expand the available space in the buffer to 'size'
+  expand the available space in the buffer to ndr->offset + extra_size
 */
-NTSTATUS ndr_push_expand(struct ndr_push *ndr, uint32_t size)
+NTSTATUS ndr_push_expand(struct ndr_push *ndr, uint32_t extra_size)
 {
+	uint32_t size = extra_size + ndr->offset;
+
+	if (size < ndr->offset) {
+		/* extra_size overflowed the offset */
+		return ndr_push_error(ndr, NDR_ERR_BUFSIZE, "Overflow in push_expand to %u",
+					size);
+	}
+
 	if (ndr->alloc_size > size) {
 		return NT_STATUS_OK;
 	}