Handle uint32 overflow in ndr_pull_advance
Credit to OSS-Fuzz
REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20083
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14236
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
*/
_PUBLIC_ enum ndr_err_code ndr_pull_advance(struct ndr_pull *ndr, uint32_t size)
{
+ NDR_PULL_NEED_BYTES(ndr, size);
ndr->offset += size;
- if (ndr->offset > ndr->data_size) {
- return ndr_pull_error(ndr, NDR_ERR_BUFSIZE,
- "ndr_pull_advance by %u failed",
- size);
- }
return NDR_ERR_SUCCESS;
}
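Review bot: The bounds check now lives entirely inside `NDR_PULL_NEED_BYTES`, which hides both the overflow reasoning and an early return, so the call at the top of ndr_pull_advance deserves a comment. Something like `/* Validate before advancing: ndr->offset + size can wrap uint32_t, so a comparison made after the add can pass with an out-of-range offset. */` would stop a later cleanup from moving the check back below the `+=`. The macro's definition is not in this hunk, so it is worth confirming that it rejects a wrapped `ndr->offset + size` as well as `size > ndr->data_size`. It is also worth checking that no test or log consumer depends on the removed "ndr_pull_advance by %u failed" message, which the macro's own error text presumably replaces.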
-^samba.tests.blackbox.ndrdump.samba.tests.blackbox.ndrdump.NdrDumpTests.test_ndrdump_fuzzed_ndr_compression
-^librpc.ndr.ndr.test_ndr_pull_advance
+^samba.tests.blackbox.ndrdump.samba.tests.blackbox.ndrdump.NdrDumpTests.test_ndrdump_fuzzed_NULL_struct_ntlmssp_CHALLENGE_MESSAGE
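Review bot: The added expected-failure entry for `test_ndrdump_fuzzed_NULL_struct_ntlmssp_CHALLENGE_MESSAGE` is not explained by the commit message, which covers only the overflow in ndr_pull_advance. If this line really is new in this commit, a knownfail on a fuzz-derived regression test hides an input that still fails. The message should name the change expected to clear it, or the entry should land with the commit that introduces that test. Dropping the entries for `test_ndrdump_fuzzed_ndr_compression` and `test_ndr_pull_advance` is consistent with the fix.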