librpc:ndr: Avoid overflow in size calculation

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

diff --git a/librpc/ndr/ndr_string.c b/librpc/ndr/ndr_string.c
index 0a9d7ab8b9bf9b7ae8d382c13248a9cba577401d..0aec7b66cb5acdc37bf85096ec888bea643ed58b 100644 (file)
--- a/librpc/ndr/ndr_string.c
+++ b/librpc/ndr/ndr_string.c
@@ -660,6 +660,14 @@ _PUBLIC_ enum ndr_err_code ndr_check_string_terminator(struct ndr_pull *ndr, uin
        uint32_t i;
        uint32_t save_offset;
 
+       if (count == 0) {
+               return NDR_ERR_RANGE;
+       }
+
+       if (element_size && count - 1 > UINT32_MAX / element_size) {
+               return NDR_ERR_RANGE;
+       }
+
        save_offset = ndr->offset;
        NDR_CHECK(ndr_pull_advance(ndr, (count - 1) * element_size));
        NDR_PULL_NEED_BYTES(ndr, element_size);