svn commit: samba r21812 - in branches/SAMBA_4_0/source/librpc/ndr: .
tridge at samba.org
Tue Mar 13 04:18:07 GMT 2007
Author: tridge
Date: 2007-03-13 04:18:07 +0000 (Tue, 13 Mar 2007)
New Revision: 21812
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=21812
Log:
fixed an integer overflow error in the ndr push code.
This needs to be fixed in Samba3 as well. It might be exploitable (I
haven't confirmed one way or the other), so I think this should be
fixed for 3.0.25
Modified:
branches/SAMBA_4_0/source/librpc/ndr/libndr.h
branches/SAMBA_4_0/source/librpc/ndr/ndr.c
Changeset:
Modified: branches/SAMBA_4_0/source/librpc/ndr/libndr.h
===================================================================
--- branches/SAMBA_4_0/source/librpc/ndr/libndr.h 2007-03-13 03:43:16 UTC (rev 21811)
+++ branches/SAMBA_4_0/source/librpc/ndr/libndr.h 2007-03-13 04:18:07 UTC (rev 21812)
@@ -219,7 +219,7 @@
} \
} while(0)
-#define NDR_PUSH_NEED_BYTES(ndr, n) NDR_CHECK(ndr_push_expand(ndr, ndr->offset+(n)))
+#define NDR_PUSH_NEED_BYTES(ndr, n) NDR_CHECK(ndr_push_expand(ndr, n))
#define NDR_PUSH_ALIGN(ndr, n) do { \
if (!(ndr->flags & LIBNDR_FLAG_NOALIGN)) { \
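Review bot: the macro drops the parentheses around its argument: `NDR_CHECK(ndr_push_expand(ndr, n))` should stay `ndr_push_expand(ndr, (n))` so that a comma-free expression passed as `n` is still grouped as one argument, as it was in the old `ndr->offset+(n)` form. The more important follow-up is that this hunk only repairs the one caller that went through the macro: the meaning of the second argument to `ndr_push_expand` has changed from an absolute buffer size to a number of extra bytes beyond `ndr->offset`, so any direct caller of `ndr_push_expand` elsewhere that still passes an absolute size will now request far too much (or too little) space, and those call sites need to be audited in the same commit.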
Modified: branches/SAMBA_4_0/source/librpc/ndr/ndr.c
===================================================================
--- branches/SAMBA_4_0/source/librpc/ndr/ndr.c 2007-03-13 03:43:16 UTC (rev 21811)
+++ branches/SAMBA_4_0/source/librpc/ndr/ndr.c 2007-03-13 04:18:07 UTC (rev 21812)
@@ -148,10 +148,17 @@
/*
- expand the available space in the buffer to 'size'
+ expand the available space in the buffer to ndr->offset + extra_size
*/
-_PUBLIC_ NTSTATUS ndr_push_expand(struct ndr_push *ndr, uint32_t size)
+_PUBLIC_ NTSTATUS ndr_push_expand(struct ndr_push *ndr, uint32_t extra_size)
{
+ uint32_t size = extra_size + ndr->offset;
+
+ if (size < ndr->offset) {
+ /* extra_size overflowed the offset */
+ return NT_STATUS_NO_MEMORY;
+ }
+
if (ndr->alloc_size > size) {
return NT_STATUS_OK;
}
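Review bot: the wraparound test `if (size < ndr->offset)` is the right shape for this bug: `size` is `uint32_t`, so `extra_size + ndr->offset` wraps modulo 2^32 rather than being undefined, and a wrapped result is always smaller than `ndr->offset`. Its placement matters and is correct here: the check runs before `if (ndr->alloc_size > size)`, so a wrapped (small) `size` can no longer be mistaken for "already fits" and let a later write run past the allocation. Two smaller points: the comment `/* extra_size overflowed the offset */` reads better as "offset + extra_size overflowed", and `NT_STATUS_NO_MEMORY` is a somewhat misleading code for a caller-supplied length that cannot be represented; a parameter or buffer error would make the failure easier to distinguish from a real allocation failure in logs.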