[PATCHES] MS-PAR rpcclient

Jeremy Allison jra at samba.org
Wed Nov 30 17:29:51 UTC 2016 

On Wed, Nov 30, 2016 at 07:39:08AM +0100, Andreas Schneider wrote:
> >         for (i = 0; i < r->cfheader.cFolders; i++) {
> >                 count += r->cffolders[i].cCFData;
> >         }
> > 
> > Same there.
> > 
> > Pure paranoia of course, but these days I find
> > paranoia is usually justified :-).
> > 
> > What do you think ? If you agree I can code it
> > up for you to review.
> 
> I'm fine with adding it. It is also easier to spot if something really goes 
> wrong.

Here are the patches. Please review.

Thanks,

	Jeremy.
-------------- next part --------------
From a470dc3a1cf6e2849b139ed84fee88f069f1e140 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra at samba.org>
Date: Wed, 30 Nov 2016 09:19:43 -0800
Subject: [PATCH 1/2] librpc: cab: Integer wrap protection for
 ndr_count_cfdata().

Signed-off-by: Jeremy Allison <jra at samba.org>
---
 librpc/ndr/ndr_cab.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/librpc/ndr/ndr_cab.c b/librpc/ndr/ndr_cab.c
index 0d2b36b..d5ab87f 100644
--- a/librpc/ndr/ndr_cab.c
+++ b/librpc/ndr/ndr_cab.c
@@ -57,6 +57,10 @@ uint32_t ndr_count_cfdata(const struct cab_file *r)
 	uint32_t count = 0, i;
 
 	for (i = 0; i < r->cfheader.cFolders; i++) {
+		if (count + r->cffolders[i].cCFData < count) {
+			/* Integer wrap. */
+			return 0;
+		}
 		count += r->cffolders[i].cCFData;
 	}
 
-- 
2.8.0.rc3.226.g39d4020


From 7b8cf9c6815c903611635522343ef07db45e94b3 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra at samba.org>
Date: Wed, 30 Nov 2016 09:23:52 -0800
Subject: [PATCH 2/2] librpc: cab: Fix ndr_size_cab_file() to detect integer
 wrap.

Signed-off-by: Jeremy Allison <jra at samba.org>
---
 librpc/ndr/ndr_cab.c | 26 ++++++++++++++++++++++----
 1 file changed, 22 insertions(+), 4 deletions(-)

diff --git a/librpc/ndr/ndr_cab.c b/librpc/ndr/ndr_cab.c
index d5ab87f..eb28648 100644
--- a/librpc/ndr/ndr_cab.c
+++ b/librpc/ndr/ndr_cab.c
@@ -116,7 +116,7 @@ uint32_t ndr_cab_generate_checksum(const struct CFDATA *r)
 					csumPartial);
 }
 
-static uint32_t ndr_size_cab_file(const struct cab_file *r)
+static bool ndr_size_cab_file(const struct cab_file *r, uint32_t *psize)
 {
 	uint32_t size = 0;
 	int i;
@@ -126,20 +126,34 @@ static uint32_t ndr_size_cab_file(const struct cab_file *r)
 
 	/* folder */
 	for (i = 0; i < r->cfheader.cFolders; i++) {
+		if (size + 8 < size) {
+			/* Integer wrap. */
+			return false;
+		}
 		size += 8;
 	}
 
 	/* files */
 	for (i = 0; i < r->cfheader.cFiles; i++) {
-		size += ndr_size_CFFILE(&r->cffiles[i], 0);
+		uint32_t cfsize = ndr_size_CFFILE(&r->cffiles[i], 0);
+		if (size + cfsize < size) {
+			/* Integer wrap. */
+			return false;
+		}
+		size += cfsize;
 	}
 
 	/* data */
 	for (i = 0; i < ndr_count_cfdata(r); i++) {
+		if (size + r->cfdata[i].cbData < size) {
+			/* Integer wrap. */
+			return false;
+		}
 		size += 8 + r->cfdata[i].cbData;
 	}
 
-	return size;
+	*psize = size;
+	return true;
 }
 
 enum cf_compress_type ndr_cab_get_compression(const struct cab_file *r)
@@ -156,6 +170,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_cab_file(struct ndr_push *ndr, int ndr_flags
 	uint32_t cntr_cffolders_0;
 	uint32_t cntr_cffiles_0;
 	uint32_t cntr_cfdata_0;
+	uint32_t cab_size = 0;
 	{
 		uint32_t _flags_save_STRUCT = ndr->flags;
 		ndr_set_flags(&ndr->flags, LIBNDR_PRINT_ARRAY_HEX|LIBNDR_FLAG_LITTLE_ENDIAN|LIBNDR_FLAG_NOALIGN);
@@ -188,7 +203,10 @@ _PUBLIC_ enum ndr_err_code ndr_push_cab_file(struct ndr_push *ndr, int ndr_flags
 		ndr->flags = _flags_save_STRUCT;
 	}
 
-	SIVAL(ndr->data, 8, ndr_size_cab_file(r));
+	if (ndr_size_cab_file(r, &cab_size) == false) {
+		return NDR_ERR_VALIDATE;
+	}
+	SIVAL(ndr->data, 8, cab_size);
 
 	return NDR_ERR_SUCCESS;
 }
-- 
2.8.0.rc3.226.g39d4020

More information about the samba-technical mailing list