authorAndrew Tridgell <tridge@samba.org>2007-03-13 04:37:09 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 12:18:35 -0500
commit5e74df4202f38c1bee05d45cd5e576a97ed6f821 (patch)
tree9b268c7d008d80ff9c04f62f1813fadca2011b60
parent668da636e32078b4a23199a02dc9a68d099e8bac (diff)
r21813: fixed an integer overflow error in the ndr push code.
Jerry, you might like to consider this for 3.0.25 (This used to be commit 4b1c4cd25aac98ce6a9959e9708f72b0b65e20af)
-rw-r--r--source3/librpc/ndr/libndr.h2
-rw-r--r--source3/librpc/ndr/ndr.c11
2 files changed, 10 insertions, 3 deletions
diff --git a/source3/librpc/ndr/libndr.h b/source3/librpc/ndr/libndr.h
index 3c2377f57f..23e9e06bdd 100644
--- a/source3/librpc/ndr/libndr.h
+++ b/source3/librpc/ndr/libndr.h
@@ -224,7 +224,7 @@ enum ndr_compression_alg {
} \
} while(0)
-#define NDR_PUSH_NEED_BYTES(ndr, n) NDR_CHECK(ndr_push_expand(ndr, ndr->offset+(n)))
+#define NDR_PUSH_NEED_BYTES(ndr, n) NDR_CHECK(ndr_push_expand(ndr, n))
#define NDR_PUSH_ALIGN(ndr, n) do { \
if (!(ndr->flags & LIBNDR_FLAG_NOALIGN)) { \
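Review bot: `NDR_PUSH_NEED_BYTES(ndr, n)` now hands `n` directly to a `uint32_t extra_size` parameter, so a wider argument (a `size_t` length on a 64-bit build, for instance) would be narrowed at the call, and the wrap check in `ndr_push_expand` would only ever see the truncated value. No call sites are visible in this hunk, so whether any of them pass a wider type needs confirming. At minimum the macro deserves a comment stating its contract, e.g. `/* n = extra bytes needed beyond ndr->offset; must fit in uint32_t */`.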
diff --git a/source3/librpc/ndr/ndr.c b/source3/librpc/ndr/ndr.c
index 5b9eba478a..ab73354540 100644
--- a/source3/librpc/ndr/ndr.c
+++ b/source3/librpc/ndr/ndr.c
@@ -160,10 +160,17 @@ DATA_BLOB ndr_push_blob(struct ndr_push *ndr)
/*
- expand the available space in the buffer to 'size'
+ expand the available space in the buffer to ndr->offset + extra_size
*/
-NTSTATUS ndr_push_expand(struct ndr_push *ndr, uint32_t size)
+NTSTATUS ndr_push_expand(struct ndr_push *ndr, uint32_t extra_size)
{
+ uint32_t size = extra_size + ndr->offset;
+
+ if (size < ndr->offset) {
+ /* extra_size overflowed the offset */
+ return NT_STATUS_NO_MEMORY;
+ }
+
if (ndr->alloc_size > size) {
return NT_STATUS_OK;
}
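Review bot: The parameter of `ndr_push_expand` changes meaning from an absolute size to a byte count added to `ndr->offset`, but its type and the function name stay the same, so a direct caller that still passes `ndr->offset + n` would compile silently and have the offset counted twice. This commit touches only the `NDR_PUSH_NEED_BYTES` macro, so any other direct callers should be checked. The function body continues past the end of the hunk; any later arithmetic on `size` there (not visible here) also has to hold when `size` is close to the `uint32_t` maximum. I would extend the header comment to `expand the buffer to hold ndr->offset + extra_size bytes; extra_size is relative to the current offset; returns NT_STATUS_NO_MEMORY if the sum wraps`.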