authorAndrew Tridgell <tridge@samba.org>2007-03-13 04:18:07 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 14:49:31 -0500
commitdd0b2572eb4999572aec32bbd9764cc4bf3aeaf7 (patch)
tree575d7a83fe1f391b44cb102af62f0619e8cac8de /source4/librpc/ndr
parentf85bb4c1c3e6a0f9e513393a53c41def529a88ad (diff)
r21812: fixed an integer overflow error in the ndr push code.
This needs to be fixed in Samba3 as well. It might be exploitable (I haven't confirmed one way or the other), so I think this should be fixed for 3.0.25 (This used to be commit 4766175ff2d0de8af92046e29280c7893ac8fe1f)
Diffstat (limited to 'source4/librpc/ndr')
-rw-r--r--source4/librpc/ndr/libndr.h2
-rw-r--r--source4/librpc/ndr/ndr.c11
2 files changed, 10 insertions, 3 deletions
diff --git a/source4/librpc/ndr/libndr.h b/source4/librpc/ndr/libndr.h
index eb0c970208..e6bf7c04e2 100644
--- a/source4/librpc/ndr/libndr.h
+++ b/source4/librpc/ndr/libndr.h
@@ -219,7 +219,7 @@ enum ndr_compression_alg {
} \
} while(0)
-#define NDR_PUSH_NEED_BYTES(ndr, n) NDR_CHECK(ndr_push_expand(ndr, ndr->offset+(n)))
+#define NDR_PUSH_NEED_BYTES(ndr, n) NDR_CHECK(ndr_push_expand(ndr, n))
#define NDR_PUSH_ALIGN(ndr, n) do { \
if (!(ndr->flags & LIBNDR_FLAG_NOALIGN)) { \
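Review bot: The argument of ndr_push_expand changes meaning here from an absolute target size to a count of extra bytes beyond ndr->offset, but this hunk only converts the NDR_PUSH_NEED_BYTES macro; any other direct caller of ndr_push_expand that still passes an absolute size would, as far as this diff shows, now request offset+size bytes instead of size, or fail with NT_STATUS_NO_MEMORY once that sum wraps. A search for `ndr_push_expand(` across the tree before merging would confirm no such caller remains. As a point of style, keep the macro argument parenthesized as the old expansion and the sibling macros do: `#define NDR_PUSH_NEED_BYTES(ndr, n) NDR_CHECK(ndr_push_expand(ndr, (n)))`.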
diff --git a/source4/librpc/ndr/ndr.c b/source4/librpc/ndr/ndr.c
index cbd316f403..d752926863 100644
--- a/source4/librpc/ndr/ndr.c
+++ b/source4/librpc/ndr/ndr.c
@@ -148,10 +148,17 @@ _PUBLIC_ DATA_BLOB ndr_push_blob(struct ndr_push *ndr)
/*
- expand the available space in the buffer to 'size'
+ expand the available space in the buffer to ndr->offset + extra_size
*/
-_PUBLIC_ NTSTATUS ndr_push_expand(struct ndr_push *ndr, uint32_t size)
+_PUBLIC_ NTSTATUS ndr_push_expand(struct ndr_push *ndr, uint32_t extra_size)
{
+ uint32_t size = extra_size + ndr->offset;
+
+ if (size < ndr->offset) {
+ /* extra_size overflowed the offset */
+ return NT_STATUS_NO_MEMORY;
+ }
+
if (ndr->alloc_size > size) {
return NT_STATUS_OK;
}
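Review bot: The new wraparound check on `size < ndr->offset` is correct for uint32_t, but the one-line comment does not say why it matters, and a reader may read NT_STATUS_NO_MEMORY as an ordinary allocation failure. I would expand it to `/* ndr->offset + extra_size wrapped around uint32_t: no buffer could hold the request, so refuse rather than expand to a too-small size */` and extend the function header comment to state that extra_size is relative to ndr->offset and that a wrapped sum is rejected. The remainder of ndr_push_expand, which computes the new allocation size, lies outside this hunk; if it grows alloc_size by doubling or by adding to size, that arithmetic needs the same overflow care, which I cannot confirm from here.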