diff options
| -rw-r--r-- | source4/librpc/ndr/libndr.h | 2 | ||||
| -rw-r--r-- | source4/librpc/ndr/ndr.c | 11 |
2 files changed, 10 insertions, 3 deletions
diff --git a/source4/librpc/ndr/libndr.h b/source4/librpc/ndr/libndr.h index eb0c970208..e6bf7c04e2 100644 --- a/source4/librpc/ndr/libndr.h +++ b/source4/librpc/ndr/libndr.h @@ -219,7 +219,7 @@ enum ndr_compression_alg { } \ } while(0) -#define NDR_PUSH_NEED_BYTES(ndr, n) NDR_CHECK(ndr_push_expand(ndr, ndr->offset+(n))) +#define NDR_PUSH_NEED_BYTES(ndr, n) NDR_CHECK(ndr_push_expand(ndr, n)) #define NDR_PUSH_ALIGN(ndr, n) do { \ if (!(ndr->flags & LIBNDR_FLAG_NOALIGN)) { \ diff --git a/source4/librpc/ndr/ndr.c b/source4/librpc/ndr/ndr.c index cbd316f403..d752926863 100644 --- a/source4/librpc/ndr/ndr.c +++ b/source4/librpc/ndr/ndr.c @@ -148,10 +148,17 @@ _PUBLIC_ DATA_BLOB ndr_push_blob(struct ndr_push *ndr) /* - expand the available space in the buffer to 'size' + expand the available space in the buffer to ndr->offset + extra_size */ -_PUBLIC_ NTSTATUS ndr_push_expand(struct ndr_push *ndr, uint32_t size) +_PUBLIC_ NTSTATUS ndr_push_expand(struct ndr_push *ndr, uint32_t extra_size) { + uint32_t size = extra_size + ndr->offset; + + if (size < ndr->offset) { + /* extra_size overflowed the offset */ + return NT_STATUS_NO_MEMORY; + } + if (ndr->alloc_size > size) { return NT_STATUS_OK; } |