svn commit: samba r21813 - in branches/SAMBA_3_0/source/librpc/ndr: .
tridge at samba.org
Tue Mar 13 04:37:09 GMT 2007
Author: tridge
Date: 2007-03-13 04:37:09 +0000 (Tue, 13 Mar 2007)
New Revision: 21813
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=21813
Log:
fixed an integer overflow error in the ndr push code.
Jerry, you might like to consider this for 3.0.25
Modified:
branches/SAMBA_3_0/source/librpc/ndr/libndr.h
branches/SAMBA_3_0/source/librpc/ndr/ndr.c
Changeset:
Modified: branches/SAMBA_3_0/source/librpc/ndr/libndr.h
===================================================================
--- branches/SAMBA_3_0/source/librpc/ndr/libndr.h 2007-03-13 04:18:07 UTC (rev 21812)
+++ branches/SAMBA_3_0/source/librpc/ndr/libndr.h 2007-03-13 04:37:09 UTC (rev 21813)
@@ -224,7 +224,7 @@
} \
} while(0)
-#define NDR_PUSH_NEED_BYTES(ndr, n) NDR_CHECK(ndr_push_expand(ndr, ndr->offset+(n)))
+#define NDR_PUSH_NEED_BYTES(ndr, n) NDR_CHECK(ndr_push_expand(ndr, n))
#define NDR_PUSH_ALIGN(ndr, n) do { \
if (!(ndr->flags & LIBNDR_FLAG_NOALIGN)) { \
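Review bot: The second argument of ndr_push_expand changes meaning at the NDR_PUSH_NEED_BYTES line, from an absolute size to a byte count relative to ndr->offset, while the function keeps its name and its uint32_t parameter type. Any code that calls ndr_push_expand directly instead of going through this macro will still compile and will now ask for offset + offset + n. Please confirm there are no direct callers left on the old convention, or rename the function so a stale caller fails to build.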
Modified: branches/SAMBA_3_0/source/librpc/ndr/ndr.c
===================================================================
--- branches/SAMBA_3_0/source/librpc/ndr/ndr.c 2007-03-13 04:18:07 UTC (rev 21812)
+++ branches/SAMBA_3_0/source/librpc/ndr/ndr.c 2007-03-13 04:37:09 UTC (rev 21813)
@@ -160,10 +160,17 @@
/*
- expand the available space in the buffer to 'size'
+ expand the available space in the buffer to ndr->offset + extra_size
*/
-NTSTATUS ndr_push_expand(struct ndr_push *ndr, uint32_t size)
+NTSTATUS ndr_push_expand(struct ndr_push *ndr, uint32_t extra_size)
{
+ uint32_t size = extra_size + ndr->offset;
+
+ if (size < ndr->offset) {
+ /* extra_size overflowed the offset */
+ return NT_STATUS_NO_MEMORY;
+ }
+
if (ndr->alloc_size > size) {
return NT_STATUS_OK;
}
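Review bot: The wrap test `size < ndr->offset` is correct for the 32-bit addition, but extra_size is declared uint32_t, so a length held in a wider type by the caller (a size_t on a 64-bit build, for instance) is truncated at the call before this check runs, and an oversized request can pass as a small one. Consider widening the parameter or rejecting lengths above UINT32_MAX before the call. The rest of the function lies outside this hunk; if it does any further arithmetic on size before allocating, that arithmetic needs the same guard. The header comment could also state that the function fails with NT_STATUS_NO_MEMORY when offset + extra_size does not fit in 32 bits.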