[PATCH] Add some integer overflow checks to libndr
Volker Lendecke
Volker.Lendecke at SerNet.DE
Wed Mar 28 02:59:33 UTC 2018
Hi!
Review appreciated!
Thanks, Volker
-------------- next part --------------
From d641dfcb498d79a0fcd136220568c84e3f3bc044 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Mon, 26 Mar 2018 12:00:40 +0200
Subject: [PATCH 1/2] ndr_string: Fix a signed/unsigned glitch
Signed-off-by: Volker Lendecke <vl at samba.org>
---
librpc/ndr/ndr_string.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/librpc/ndr/ndr_string.c b/librpc/ndr/ndr_string.c
index 067f91781ee..42ba3cfccc1 100644
--- a/librpc/ndr/ndr_string.c
+++ b/librpc/ndr/ndr_string.c
@@ -636,7 +636,7 @@ _PUBLIC_ enum ndr_err_code ndr_pull_charset_to_null(struct ndr_pull *ndr, int nd
_PUBLIC_ enum ndr_err_code ndr_push_charset(struct ndr_push *ndr, int ndr_flags, const char *var, uint32_t length, uint8_t byte_mul, charset_t chset)
{
- ssize_t required;
+ size_t required;
if (NDR_BE(ndr) && chset == CH_UTF16) {
chset = CH_UTF16BE;
--
2.11.0
From e66ca55b0c61c25df0be80ab9b8ce1c7020a70ab Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Mon, 26 Mar 2018 12:02:01 +0200
Subject: [PATCH 2/2] ndr_string: Do overflow checks in ndr_push/pull_charset
Signed-off-by: Volker Lendecke <vl at samba.org>
---
librpc/ndr/ndr_string.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/librpc/ndr/ndr_string.c b/librpc/ndr/ndr_string.c
index 42ba3cfccc1..cc3508616bb 100644
--- a/librpc/ndr/ndr_string.c
+++ b/librpc/ndr/ndr_string.c
@@ -588,6 +588,9 @@ _PUBLIC_ enum ndr_err_code ndr_pull_charset(struct ndr_pull *ndr, int ndr_flags,
chset = CH_UTF16BE;
}
+ if ((byte_mul != 0) && (length > UINT32_MAX/byte_mul)) {
+ return ndr_pull_error(ndr, NDR_ERR_BUFSIZE, "length overflow");
+ }
NDR_PULL_NEED_BYTES(ndr, length*byte_mul);
if (!convert_string_talloc(ndr->current_mem_ctx, chset, CH_UNIX,
@@ -642,6 +645,9 @@ _PUBLIC_ enum ndr_err_code ndr_push_charset(struct ndr_push *ndr, int ndr_flags,
chset = CH_UTF16BE;
}
+ if ((byte_mul != 0) && (length > SIZE_MAX/byte_mul)) {
+ return ndr_push_error(ndr, NDR_ERR_LENGTH, "length overflow");
+ }
required = byte_mul * length;
NDR_PUSH_NEED_BYTES(ndr, required);
--
2.11.0
More information about the samba-technical
mailing list