librpc ndr: ndr_pull_advance check for unsigned overflow.
authorGary Lockyer <gary@catalyst.net.nz>
Tue, 14 Jan 2020 23:37:06 +0000 (12:37 +1300)
committerAndrew Bartlett <abartlet@samba.org>
Fri, 7 Feb 2020 08:53:40 +0000 (08:53 +0000)
Handle uint32 overflow in ndr_pull_advance

Credit to OSS-Fuzz

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20083
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14236

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
librpc/ndr/ndr.c
selftest/knownfail.d/bug-14236

index c772d53f6edc0cf94f58af76a2e82c7c82e7af00..f96a0bca08b3a22857b1ddb3e525347a860cddc8 100644 (file)
@@ -199,12 +199,8 @@ _PUBLIC_ enum ndr_err_code ndr_pull_pop(struct ndr_pull *ndr)
 */
 _PUBLIC_ enum ndr_err_code ndr_pull_advance(struct ndr_pull *ndr, uint32_t size)
 {
+       NDR_PULL_NEED_BYTES(ndr, size);
        ndr->offset += size;
-       if (ndr->offset > ndr->data_size) {
-               return ndr_pull_error(ndr, NDR_ERR_BUFSIZE,
-                                     "ndr_pull_advance by %u failed",
-                                     size);
-       }
        return NDR_ERR_SUCCESS;
 }
 
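Review bot: Nothing in ndr_pull_advance says that the bounds check must stay ahead of `ndr->offset += size;`, yet that ordering is the whole fix: the old post-add test could be bypassed when the uint32_t sum wrapped. I would add a comment above the macro call such as `/* Validate before advancing: offset + size can wrap a uint32_t, so a post-add comparison is not sufficient. */`. NDR_PULL_NEED_BYTES is defined outside this hunk and hides an early return, so it is worth confirming that it rejects `size > ndr->data_size` on its own rather than only comparing the sum. The function's doc comment, which begins above the hunk, could also state that NDR_ERR_BUFSIZE is returned and `ndr->offset` is left unchanged when the advance would pass `data_size`. The removed error string named ndr_pull_advance; if the macro's message is generic, fuzz-crash triage loses that hint.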
index 3c36d148ba7ea44bf157e3db207923a1ad4b9bd3..8131b070b37455d19b41b1470b671cf9fc65deba 100644 (file)
@@ -1,2 +1 @@
-^samba.tests.blackbox.ndrdump.samba.tests.blackbox.ndrdump.NdrDumpTests.test_ndrdump_fuzzed_ndr_compression
-^librpc.ndr.ndr.test_ndr_pull_advance
+^samba.tests.blackbox.ndrdump.samba.tests.blackbox.ndrdump.NdrDumpTests.test_ndrdump_fuzzed_NULL_struct_ntlmssp_CHALLENGE_MESSAGE
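Review bot: The added entry for `test_ndrdump_fuzzed_NULL_struct_ntlmssp_CHALLENGE_MESSAGE` marks a fuzz-regression test as an expected failure, and the commit message gives no reason for it. A knownfail on a parser fuzz test can mask a real regression, so the description should say whether this is only a change in the expected ndrdump output or a behavioural difference. It could carry a line like `knownfail: test_ndrdump_fuzzed_NULL_struct_ntlmssp_CHALLENGE_MESSAGE fails because <reason>; entry removed by <follow-up commit>`. If only the expected output changed, updating the test's expectation in this commit would be preferable to listing it here.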