summaryrefslogtreecommitdiff
path: root/librpc
diff options
context:
space:
mode:
authorAndrew Tridgell <tridge@samba.org>2011-09-05 16:41:21 +1000
committerAndrew Bartlett <abartlet@samba.org>2011-09-05 11:19:25 +0200
commit3fbdd3fa0164814b74409a11e67b3b708bb2a458 (patch)
treeb635a5f1248a2d0f5aec662e9423534aeb845986 /librpc
parentef3d860b2e8afa9895f0b3a954807c6b9b059262 (diff)
downloadsamba-3fbdd3fa0164814b74409a11e67b3b708bb2a458.tar.gz
samba-3fbdd3fa0164814b74409a11e67b3b708bb2a458.tar.bz2
samba-3fbdd3fa0164814b74409a11e67b3b708bb2a458.zip
ndr: range check on push of dom_sid blob
this ensures we get an error if we try to push a dom_sid with too many sub_auths Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'librpc')
-rw-r--r--librpc/ndr/ndr_sec_helper.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/librpc/ndr/ndr_sec_helper.c b/librpc/ndr/ndr_sec_helper.c
index ff8588dad4..984b6bd4aa 100644
--- a/librpc/ndr/ndr_sec_helper.c
+++ b/librpc/ndr/ndr_sec_helper.c
@@ -314,6 +314,9 @@ _PUBLIC_ enum ndr_err_code ndr_push_dom_sid(struct ndr_push *ndr, int ndr_flags,
NDR_CHECK(ndr_push_uint8(ndr, NDR_SCALARS, r->sid_rev_num));
NDR_CHECK(ndr_push_int8(ndr, NDR_SCALARS, r->num_auths));
NDR_CHECK(ndr_push_array_uint8(ndr, NDR_SCALARS, r->id_auth, 6));
+ if (r->num_auths < 0 || r->num_auths > ARRAY_SIZE(r->sub_auths)) {
+ return ndr_push_error(ndr, NDR_ERR_RANGE, "value out of range");
+ }
for (cntr_sub_auths_0 = 0; cntr_sub_auths_0 < r->num_auths; cntr_sub_auths_0++) {
NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->sub_auths[cntr_sub_auths_0]));
}
@@ -328,7 +331,7 @@ _PUBLIC_ enum ndr_err_code ndr_pull_dom_sid(struct ndr_pull *ndr, int ndr_flags,
NDR_CHECK(ndr_pull_align(ndr, 4));
NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->sid_rev_num));
NDR_CHECK(ndr_pull_int8(ndr, NDR_SCALARS, &r->num_auths));
- if (r->num_auths < 0 || r->num_auths > 15) {
+ if (r->num_auths < 0 || r->num_auths > ARRAY_SIZE(r->sub_auths)) {
return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range");
}
NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->id_auth, 6));