[PATCH] Add some integer overflow checks to libndr

Volker Lendecke Volker.Lendecke at SerNet.DE
Wed Mar 28 02:59:33 UTC 2018


Hi!

Review appreciated!

Thanks, Volker
-------------- next part --------------
From d641dfcb498d79a0fcd136220568c84e3f3bc044 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Mon, 26 Mar 2018 12:00:40 +0200
Subject: [PATCH 1/2] ndr_string: Fix a signed/unsigned glitch

Signed-off-by: Volker Lendecke <vl at samba.org>
---
 librpc/ndr/ndr_string.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/librpc/ndr/ndr_string.c b/librpc/ndr/ndr_string.c
index 067f91781ee..42ba3cfccc1 100644
--- a/librpc/ndr/ndr_string.c
+++ b/librpc/ndr/ndr_string.c
@@ -636,7 +636,7 @@ _PUBLIC_ enum ndr_err_code ndr_pull_charset_to_null(struct ndr_pull *ndr, int nd
 
 _PUBLIC_ enum ndr_err_code ndr_push_charset(struct ndr_push *ndr, int ndr_flags, const char *var, uint32_t length, uint8_t byte_mul, charset_t chset)
 {
-	ssize_t required;
+	size_t required;
 
 	if (NDR_BE(ndr) && chset == CH_UTF16) {
 		chset = CH_UTF16BE;
-- 
2.11.0


From e66ca55b0c61c25df0be80ab9b8ce1c7020a70ab Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Mon, 26 Mar 2018 12:02:01 +0200
Subject: [PATCH 2/2] ndr_string: Do overflow checks in ndr_push/pull_charset

Signed-off-by: Volker Lendecke <vl at samba.org>
---
 librpc/ndr/ndr_string.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/librpc/ndr/ndr_string.c b/librpc/ndr/ndr_string.c
index 42ba3cfccc1..cc3508616bb 100644
--- a/librpc/ndr/ndr_string.c
+++ b/librpc/ndr/ndr_string.c
@@ -588,6 +588,9 @@ _PUBLIC_ enum ndr_err_code ndr_pull_charset(struct ndr_pull *ndr, int ndr_flags,
 		chset = CH_UTF16BE;
 	}
 
+	if ((byte_mul != 0) && (length > UINT32_MAX/byte_mul)) {
+		return ndr_pull_error(ndr, NDR_ERR_BUFSIZE, "length overflow");
+	}
 	NDR_PULL_NEED_BYTES(ndr, length*byte_mul);
 
 	if (!convert_string_talloc(ndr->current_mem_ctx, chset, CH_UNIX,
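Review bot: The guarded product is not stored: the new check bounds `length*byte_mul`, `NDR_PULL_NEED_BYTES` evaluates the expression again, and the `convert_string_talloc` call that opens on the last line of the hunk continues outside it, so any further use of the product there cannot be checked from here. Computing it once after the guard, e.g. `uint32_t nbytes = length * byte_mul;`, and passing `nbytes` to every consumer keeps the checked value and the used value identical if either expression is later edited. The same condition is also reported as `NDR_ERR_BUFSIZE` here and as `NDR_ERR_LENGTH` in the ndr_push_charset hunk; a single code for both would make these failures easier to correlate in logs.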
@@ -642,6 +645,9 @@ _PUBLIC_ enum ndr_err_code ndr_push_charset(struct ndr_push *ndr, int ndr_flags,
 		chset = CH_UTF16BE;
 	}
 
+	if ((byte_mul != 0) && (length > SIZE_MAX/byte_mul)) {
+		return ndr_push_error(ndr, NDR_ERR_LENGTH, "length overflow");
+	}
 	required = byte_mul * length;
 	
 	NDR_PUSH_NEED_BYTES(ndr, required);
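Review bot: Where `size_t` is 64 bits the new guard can never fire: `length` is a `uint32_t`, so `length > SIZE_MAX/byte_mul` is always false. Meanwhile `byte_mul * length` on the following line is still evaluated in 32-bit unsigned arithmetic (assuming the usual 32-bit `unsigned int`) and wraps before it is widened into `required`. Either bound against `UINT32_MAX` as the ndr_pull_charset hunk does, or widen before multiplying with `required = (size_t)byte_mul * length;`, so that the check and the product use the same width. ndr_push_charset continues outside the hunk, so how `required` is consumed after `NDR_PUSH_NEED_BYTES` is not visible here.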
-- 
2.11.0


