From: Gary Lockyer Date: Tue, 14 Jan 2020 23:37:06 +0000 (+1300) Subject: librpc ndr: ndr_pull_advance check for unsigned overflow. X-Git-Tag: ldb-2.1.1~149 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=14182350f8397d27d7642dae595dc52691f0acfe;p=thirdparty%2Fsamba.git librpc ndr: ndr_pull_advance check for unsigned overflow. Handle uint32 overflow in ndr_pull_advance Credit to OSS-Fuzz REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20083 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14236 Signed-off-by: Gary Lockyer Reviewed-by: Andrew Bartlett --- diff --git a/librpc/ndr/ndr.c b/librpc/ndr/ndr.c index c772d53f6ed..f96a0bca08b 100644 --- a/librpc/ndr/ndr.c +++ b/librpc/ndr/ndr.c @@ -199,12 +199,8 @@ _PUBLIC_ enum ndr_err_code ndr_pull_pop(struct ndr_pull *ndr) */ _PUBLIC_ enum ndr_err_code ndr_pull_advance(struct ndr_pull *ndr, uint32_t size) { + NDR_PULL_NEED_BYTES(ndr, size); ndr->offset += size; - if (ndr->offset > ndr->data_size) { - return ndr_pull_error(ndr, NDR_ERR_BUFSIZE, - "ndr_pull_advance by %u failed", - size); - } return NDR_ERR_SUCCESS; } diff --git a/selftest/knownfail.d/bug-14236 b/selftest/knownfail.d/bug-14236 index 3c36d148ba7..8131b070b37 100644 --- a/selftest/knownfail.d/bug-14236 +++ b/selftest/knownfail.d/bug-14236 @@ -1,2 +1 @@ -^samba.tests.blackbox.ndrdump.samba.tests.blackbox.ndrdump.NdrDumpTests.test_ndrdump_fuzzed_ndr_compression -^librpc.ndr.ndr.test_ndr_pull_advance +^samba.tests.blackbox.ndrdump.samba.tests.blackbox.ndrdump.NdrDumpTests.test_ndrdump_fuzzed_NULL_struct_ntlmssp_CHALLENGE_MESSAGE
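Review bot: In the librpc/ndr/ndr.c hunk, ndr_pull_advance() now relies entirely on NDR_PULL_NEED_BYTES for its bounds and overflow handling, and the macro's definition is not part of this diff, so the fix cannot be confirmed from the change alone. The removed check ran after `ndr->offset += size`, so a uint32_t wrap could leave offset below data_size and pass. Moving the check ahead of the addition closes that only if the macro tests for wrap-around of offset + size and not just `offset + size > data_size`. Please say so in the commit message or in the comment above the function. Two side effects are also worth recording there: assuming the macro returns on failure, ndr->offset is now left unmodified on error where it used to be already advanced, and the function-specific "ndr_pull_advance by %u failed" text is gone, which matters to anyone matching on that message in logs or tests.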
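Review bot: In the selftest/knownfail.d/bug-14236 hunk, the added entry `^samba.tests.blackbox.ndrdump.samba.tests.blackbox.ndrdump.NdrDumpTests.test_ndrdump_fuzzed_NULL_struct_ntlmssp_CHALLENGE_MESSAGE` introduces a new expected failure that the commit message does not mention and whose name does not point at ndr_pull_advance. Removing test_ndrdump_fuzzed_ndr_compression and test_ndr_pull_advance matches the fix. The new line should either be explained in the commit message (which test it belongs to and which change is expected to remove it) or moved out of this commit, so that an overflow fix does not also mark a different failing test as known under the bug-14236 file.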