ndr_string: Add overflow check in ndr_pull_charset_to_null()

This matches ndr_pull_charset().

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

diff --git a/librpc/ndr/ndr_string.c b/librpc/ndr/ndr_string.c
index b2f965c9d43ca82c15b1d22c8826b59bb052a991..783e11be3343457070f8ce54c39570542fc5478b 100644 (file)
--- a/librpc/ndr/ndr_string.c
+++ b/librpc/ndr/ndr_string.c
@@ -722,6 +722,9 @@ _PUBLIC_ enum ndr_err_code ndr_pull_charset_to_null(struct ndr_pull *ndr, int nd
                chset = CH_UTF16BE;
        }
 
+       if ((byte_mul != 0) && (length > UINT32_MAX/byte_mul)) {
+               return ndr_pull_error(ndr, NDR_ERR_BUFSIZE, "length overflow");
+       }
        NDR_PULL_NEED_BYTES(ndr, length*byte_mul);
 
        str_len = ndr_string_n_length(ndr->data+ndr->offset, length, byte_mul);