summaryrefslogtreecommitdiff
path: root/source4/librpc/ndr
diff options
context:
space:
mode:
authorStefan Metzmacher <metze@samba.org>2005-06-02 06:25:48 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:17:25 -0500
commit2752b7cac21e9a49c571f2c2b5adb72db9ced7f7 (patch)
tree22a4d67eaa6faa1be369ba80cb0fa89499b96b7b /source4/librpc/ndr
parent01fb2de4dc53d5ece9fc82a9a695519a46516695 (diff)
downloadsamba-2752b7cac21e9a49c571f2c2b5adb72db9ced7f7.tar.gz
samba-2752b7cac21e9a49c571f2c2b5adb72db9ced7f7.tar.bz2
samba-2752b7cac21e9a49c571f2c2b5adb72db9ced7f7.zip
r7193: add some bail out checks and fix pushing of relative pointers
metze (This used to be commit 58a214d98fc7a2b46a0876e57e05dec82438bc53)
Diffstat (limited to 'source4/librpc/ndr')
-rw-r--r--source4/librpc/ndr/ndr.c21
1 files changed, 19 insertions, 2 deletions
diff --git a/source4/librpc/ndr/ndr.c b/source4/librpc/ndr/ndr.c
index b1fbaaeb31..74997748a3 100644
--- a/source4/librpc/ndr/ndr.c
+++ b/source4/librpc/ndr/ndr.c
@@ -770,12 +770,24 @@ NTSTATUS ndr_push_relative_ptr1(struct ndr_push *ndr, const void *p)
NTSTATUS ndr_push_relative_ptr2(struct ndr_push *ndr, const void *p)
{
struct ndr_push_save save;
+ uint32_t ptr_offset = 0xFFFFFFFF;
if (p == NULL) {
return NT_STATUS_OK;
}
ndr_push_save(ndr, &save);
- NDR_CHECK(ndr_token_retrieve(&ndr->relative_list, p, &ndr->offset));
- NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, save.offset));
+ NDR_CHECK(ndr_token_retrieve(&ndr->relative_list, p, &ptr_offset));
+ if (ptr_offset > ndr->offset) {
+ return ndr_push_error(ndr, NDR_ERR_BUFSIZE,
+ "ndr_push_relative_ptr2 ptr_offset(%u) > ndr->offset(%u)",
+ ptr_offset, ndr->offset);
+ }
+ ndr->offset = ptr_offset;
+ if (save.offset < ndr->relative_base_offset) {
+ return ndr_push_error(ndr, NDR_ERR_BUFSIZE,
+ "ndr_push_relative_ptr2 save.offset(%u) < ndr->relative_base_offset(%u)",
+ save.offset, ndr->relative_base_offset);
+ }
+ NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, save.offset - ndr->relative_base_offset));
ndr_push_restore(ndr, &save);
return NT_STATUS_OK;
}
@@ -822,6 +834,11 @@ NTSTATUS ndr_pull_setup_relative_base_offset2(struct ndr_pull *ndr, const void *
NTSTATUS ndr_pull_relative_ptr1(struct ndr_pull *ndr, const void *p, uint32_t rel_offset)
{
rel_offset += ndr->relative_base_offset;
+ if (rel_offset > ndr->data_size) {
+ return ndr_pull_error(ndr, NDR_ERR_BUFSIZE,
+ "ndr_pull_relative_ptr1 rel_offset(%u) > ndr->data_size(%u)",
+ rel_offset, ndr->data_size);
+ }
return ndr_token_store(ndr, &ndr->relative_list, p, rel_offset);
}