author | Andrew Tridgell <tridge@samba.org> | 2007-03-13 04:37:09 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 12:18:35 -0500 |
commit | 5e74df4202f38c1bee05d45cd5e576a97ed6f821 (patch) | |
tree | 9b268c7d008d80ff9c04f62f1813fadca2011b60 /source3/librpc/ndr/ndr.c | |
parent | 668da636e32078b4a23199a02dc9a68d099e8bac (diff) | |
r21813: fixed an integer overflow error in the ndr push code.
Jerry, you might like to consider this for 3.0.25
(This used to be commit 4b1c4cd25aac98ce6a9959e9708f72b0b65e20af)
Diffstat (limited to 'source3/librpc/ndr/ndr.c')
-rw-r--r-- | source3/librpc/ndr/ndr.c | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/source3/librpc/ndr/ndr.c b/source3/librpc/ndr/ndr.c
index 5b9eba478a..ab73354540 100644
--- a/source3/librpc/ndr/ndr.c
+++ b/source3/librpc/ndr/ndr.c
@@ -160,10 +160,17 @@ DATA_BLOB ndr_push_blob(struct ndr_push *ndr)
 /*
- expand the available space in the buffer to 'size'
+ expand the available space in the buffer to ndr->offset + extra_size
 */
-NTSTATUS ndr_push_expand(struct ndr_push *ndr, uint32_t size)
+NTSTATUS ndr_push_expand(struct ndr_push *ndr, uint32_t extra_size)
 {
+ uint32_t size = extra_size + ndr->offset;
+
+ if (size < ndr->offset) {
+ /* extra_size overflowed the offset */
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (ndr->alloc_size > size) {
 return NT_STATUS_OK;
 } |
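Review bot: The parameter of ndr_push_expand changes meaning from an absolute size to an increment while keeping the same type and position, so any caller that still passes `ndr->offset + n` compiles cleanly and now double-counts the offset. The callers are not part of this diff (it is limited to ndr.c), so each one, including any macro wrapper in the headers, needs checking against the new contract. The header comment would be safer if it stated the contract explicitly, for example `expand the buffer so that extra_size more bytes fit after ndr->offset; callers pass the increment, not the target size`. The wrap check `size < ndr->offset` is sound for uint32_t, but the rest of the body lies outside the hunk, and any further arithmetic on `size` there (presumably an increment or rounding before the reallocation) would need its own guard, since `size` can still be as large as UINT32_MAX.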